<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>I have tried quite a few combinations and even was stepping in the code to see what was happening but no luck. In particular with your suggestion I got the error below. I tried to add an iss parameter to the Claims Gathering request pointing to the same
string as you sent too but the code where this message is triggered (OIDCAuthenticationFilter) doesn’t seem to be looking there for this presumably missing issuer. Configured servers or something appears to be missing in this case. </div>
<h1>error.header <span class="text-error">401 Unauthorized</span> </h1>
<p>error.message</p>
<blockquote class="text-error"><b>Authentication Failed: No issuer found.</b></blockquote>
<div> </div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
<div>Regards,</div>
<div>Luiz</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Justin Richer<br>
<span style="font-weight:bold">Date: </span>Tuesday, December 1, 2015 at 7:44 PM<br>
<span style="font-weight:bold">To: </span>Luiz Omori<br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>"<br>
<span style="font-weight:bold">Subject: </span>Re: [mitreid-connect] UMA Permission ticket claims<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Looks like you’re entering a string into the login form that the Webfinger resolver can’t handle. Have you tried just doing “<a href="http://localhost:8080/uma-server-webapp-1.2.2.2/" class="">http://localhost:8080/uma-server-webapp-1.2.2.2/</a>“ instead?
<div class=""><br class="">
</div>
<div class="">I know the form is labeled “email address” but that’s only if you’ve got a proper webfinger domain setup, which you don’t have if you’re running on localhost in a dev environment.</div>
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Dec 1, 2015, at 4:03 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">
<div class="">The problem that I faced was caused by the fact that the Request Party was logged in already. That caused the collectClaims to be called with a different set of parameters. See below the hack that I did for my tests. That allowed me to proceed
all the way to receive a proper RPT token.</div>
<div class=""><br class="">
</div>
<div class="">If I use another browser to the claims gathering endpoint then I get the ‘no server configuration…”.</div>
<div class=""><br class="">
</div>
<div class="">As a general comment for UMA, the protocol is a bit convoluted, eh?</div>
<div class="">
<h1 class="">error.header <span class="text-error">401 Unauthorized</span> </h1>
<p class="">error.message</p>
<blockquote class="text-error"><b class="">Authentication Failed: No server configuration found for issuer: admin@localhost:8080/uma-server-webapp-1.2.2</b></blockquote>
</div>
<div class=""><br class="">
</div>
<div class="">…</div>
<div class="">
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>public String collectClaims(@RequestParam("client_id") String clientId, @RequestParam(value = "redirect_uri", required = false) String redirectUri,</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>@RequestParam("ticket") String ticketValue, @RequestParam(value = "state", required = false) String state,</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ModelMap m, OAuth2Authentication auth) {</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>//ModelMap m, OIDCAuthenticationToken auth) {</div>
<div class=""> </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ClientDetailsEntity client = clientService.loadClientByClientId(clientId);</div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>PermissionTicket ticket = permissionService.getByTicket(ticketValue);</div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>if (client == null || ticket == null) {</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>logger.info("Client or ticket not found: " + clientId + " :: " + ticketValue);</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>return HttpCodeView.VIEWNAME;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>}</div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>// we've got a client and ticket, let's attach the claims that we have from the token and userinfo</div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>// subject</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Set<Claim> claimsSupplied = Sets.newHashSet(ticket.getClaimsSupplied());</div>
<div class=""><br class="">
</div>
<div class=""> //String issuer = auth.getIssuer();</div>
<div class=""> //UserInfo userInfo = auth.getUserInfo();</div>
<div class=""> //String sub = auth.getSub();</div>
<div class=""><br class="">
</div>
<div class=""> String issuer = config.getIssuer();</div>
<div class=""> UserInfo userInfo = userService.getByUsernameAndClientId(auth.getPrincipal().toString(), client.getClientId());</div>
<div class=""> String sub = userInfo.getSub();</div>
<div class=""> </div>
</div>
<div class="">…</div>
<div class="">
<div id="" class=""></div>
</div>
</div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Luiz</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size: 12pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Luiz Omori<br class="">
<span style="font-weight:bold" class="">Date: </span>Monday, November 30, 2015 at 5:42 PM<br class="">
<span style="font-weight:bold" class="">To: </span>Justin Richer<br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>"<br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [mitreid-connect] UMA Permission ticket claims<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">
<div class="">
<div class=""><br class="">
</div>
<div class="">
<div class="">Humm, now I’m getting the error below in my embedded web browser (Java standalone app). Looking at the code it looks to me that the discrepancy is in the Model parameter. That particular call is expecting org.springframework.ui.Model but org.springframework.ui.ModelMap
is being provided??</div>
<div class=""><br class="">
</div>
<div class="">error.header NestedServletException (500)</div>
<div class="">error.message</div>
<div class=""><br class="">
</div>
<div class="">Request processing failed; nested exception is java.lang.IllegalStateException: argument type mismatch HandlerMethod details: Controller [org.mitre.uma.web.ClaimsCollectionEndpoint] Method [public java.lang.String org.mitre.uma.web.ClaimsCollectionEndpoint.collectClaims(java.lang.String,java.lang.String,java.lang.String,java.lang.String,org.springframework.ui.Model,org.mitre.openid.connect.model.OIDCAuthenticationToken)]
Resolved arguments: [0] [type=java.lang.String] [value=c] [1] [null] [2] [type=java.lang.String] [value=f8223604-65f9-4173-9572-329545cf1ae4] [3] [null] [4] [type=org.springframework.validation.support.BindingAwareModelMap] [value={}] [5] [type=org.springframework.security.oauth2.provider.OAuth2Authentication]
[value=org.springframework.security.oauth2.provider.OAuth2Authentication@fdb04e9d: Principal: admin; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, sessionId=<SESSION>, tokenValue=<TOKEN>; Granted Authorities: ROLE_USER, ROLE_ADMIN]</div>
</div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Luiz</div>
<div class="">
<div id="" class=""></div>
</div>
</div>
</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size: 12pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Justin Richer<br class="">
<span style="font-weight:bold" class="">Date: </span>Monday, November 30, 2015 at 1:17 PM<br class="">
<span style="font-weight:bold" class="">To: </span>Luiz Omori<br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>"<br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [mitreid-connect] UMA Permission ticket claims<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Yes, the UMA spec is completely full of holes and magic at that stage. I don’t have HTTP dumps but our implementation expects the client to send the requesting party, in a web browser, to the claims gathering endpoint. There, the requesting party will be prompted
to enter their email address (technically, their webfinger identifier) to start an OpenID Connect login flow. Once that’s completed, the server will redirect back to the client’s claims redirect URI (not the normal redirect URI) with a parameter indicating
that some claims have been submitted. At this stage, the client just needs to make the call to the RPT request again.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Nov 30, 2015, at 1:14 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">
<div class="">Thanks.</div>
<div class=""><br class="">
</div>
<div class="">Would you have any examples (http dumps, code) of the last step you mentioned below? I think I have everything in place up to the first RPT request failure so now need to process properly the Authorization Server’s Request for Additional Information.
I’m checking the spec but there are quite a few MAYs there.</div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Luiz</div>
<div class="">
<div id="" class=""></div>
</div>
</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size: 12pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Justin Richer<br class="">
<span style="font-weight:bold" class="">Date: </span>Monday, November 30, 2015 at 12:37 PM<br class="">
<span style="font-weight:bold" class="">To: </span>Luiz Omori<br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>"<br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [mitreid-connect] UMA Permission ticket claims<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
First off, the UMA functionality is considered “beta” at this stage, so it’s functional but don’t be surprised if things do break from time to time. :)
<div class=""><br class="">
</div>
<div class="">With that in mind: The way the system works is that you need to set up a resource set, then set a policy on that set. The policy contains a set of claims that are required to be fulfilled before handing a token to the client. Our system will only
take claims in the form of OpenID Connect identity claims. In particular, we’ve streamlined the UI to do an email-based check, using webfinger as a bridge between domains and systems. </div>
<div class=""><br class="">
</div>
<div class="">After you have the policy set, you get a permissions ticket. This ticket doesn’t have any claims fulfilled on it yet, so when the client goes to get an RPT with it, it will fail. There are no claims inside the AAT or even associated with the AAT.
(In a future version of the spec, the AAT is likely to be dropped entirely.) </div>
<div class=""><br class="">
</div>
<div class="">The RS never provides claims to fulfill a ticket, that’s the job of the client and the RqP. In our implementation, the RqP needs to log in to the claims gathering endpoint with OpenID Connect, which will cause the claims associated with that user’s
ID token and user profile to be associated with the ticket. The ticket will then need to be presented by the client to the RPT endpoint again to try to get the RPT. This time, if the claims in the ticket satisfy the claims in the resource set, then the token
is granted.</div>
<div class=""><br class="">
</div>
<div class="">Without this step, there’s absolutely no way to tell if the authorization server should issue the RPT.</div>
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Nov 30, 2015, at 12:10 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div style="" class="">Hi,</div>
<div style="" class=""><br class="">
</div>
<div style="" class="">I have been trying to retrieve an UMA RPT token but it’s failing where AuthorizationRequestEndpoint tries to verify that the resource set required claims are provided in the permission ticket. I did create a sharing policy for the resource.
Apparently my Permission Ticket is missing “email_verified”, “sub”, “email”. Questions:</div>
<ol class="">
<li class="">Why is this verification done at all? Isn’t the Resource Server the one that requests Permission Tickets and provide them to the client? Shouldn’t the Resource Set required claims be verified against the claims within the AAT?</li><li class="">What is the correct way to pass claims during the Permission Ticket request? Currently my RS is requesting it by providing a PAT token and filling the body with resource_set_id plus some scopes.</li></ol>
<div class=""><font color="#ff0000" class="">ClaimProcessingResult result = claimsProcessingService.claimsAreSatisfied(rs, ticket);</font></div>
<div style="" class=""><br class="">
</div>
<div style="" class="">I’m quite new to UMA.</div>
<div style="" class=""><br class="">
</div>
<div style="" class="">Regards,</div>
<div style="" class="">Luiz</div>
<div style="" class="">
<div id="" class=""></div>
</div>
</div>
_______________________________________________<br class="">
mitreid-connect mailing list<br class="">
<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</span></div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span></div>
</div>
</span></div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span>
</body>
</html>