Posted: 2018-05-04 17:16:46
Question:
I am currently working on implementing passport-openidconnect authentication against WSO2IS 5.4.1. Something seems to go wrong when my application makes the back-channel request to WSO2IS to obtain the access token. Referring to the protocol flow from here, it looks like my application is failing at step 5/6? Application shell:
jonathan@wso2is-sandbox:~/Projects/Javascript/vifi-ui$ nodejs app.js
Server Started on Port 3000
GET /dashboard
GET /favicon.ico
GET /oidconnect/login
GET /oidconnect/login/callback?code=2fdff378-4fe6-39ea-8dcd-347015c0e041&state=o8HKPWlxvlhCMMd4YqeC10fb&session_state=3b87e55e710e546583d135262778cba57448ff59e19fde24118b381ecba9dad2.67C2KJwqQ3bADsvrIQgveA
InternalOAuthError: failed to obtain access token
    at /home/jonathan/Projects/Javascript/vifi-ui/node_modules/passport-openidconnect/lib/strategy.js:93:38
    at /home/jonathan/Projects/Javascript/vifi-ui/node_modules/oauth/lib/oauth2.js:191:18
    at ClientRequest.<anonymous> (/home/jonathan/Projects/Javascript/vifi-ui/node_modules/oauth/lib/oauth2.js:162:5)
    at emitOne (events.js:77:13)
    at ClientRequest.emit (events.js:169:7)
    at TLSSocket.socketErrorListener (_http_client.js:258:9)
    at emitOne (events.js:77:13)
    at TLSSocket.emit (events.js:169:7)
    at emitErrorNT (net.js:1256:8)
    at nextTickCallbackWith2Args (node.js:441:9)
passport-openidconnect strategy and URL calls, based on this:
const express = require('express');
const router = express.Router();
const passport = require('passport');
const OIDconnectStrategy = require('passport-openidconnect').Strategy;

const oIDconnectStrategy = new OIDconnectStrategy({
    issuer: 'WSO2app',
    clientID: "fakeid",
    clientSecret: "fakesecret",
    authorizationURL: 'https://localhost:9443/oauth2/authorize',
    tokenURL: 'https://localhost:9443/oauth2/token',
    // login endpoints
    callbackURL: 'http://localhost:3000/oidconnect/login/callback'
  },
  function(token, tokenSecret, profile, cb){
    return cb(null, profile);
  });

passport.use(oIDconnectStrategy);

passport.serializeUser(function(user, done) {
  done(null, user);
});

passport.deserializeUser(function(obj, done) {
  done(null, obj);
});

router.get('/login',
  passport.authenticate('openidconnect', {
    failureRedirect: '/dashboard'
  })
);

router.get('/login/callback',
  passport.authenticate('openidconnect', {
    failureRedirect: '/dashboard',
    failureFlash: true,
  }),
  function(req, res){
    res.redirect('/wso2app');
  }
);

module.exports = router;
WSO2IS shell with oauth debugging enabled:
[2018-05-04 12:18:21,359] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : iSUxUfktfR1OG4Cnwpt3kCHSxNca and callback_uri http://localhost:3000/oidconnect/login/callback
[2018-05-04 12:18:21,362] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : iSUxUfktfR1OG4Cnwpt3kCHSxNca ,App Name : WSO2app, Callback URL : http://localhost:3000/oidconnect/login/callback
[2018-05-04 12:18:30,860] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : user1@carbon.super, Client ID : iSUxUfktfR1OG4Cnwpt3kCHSxNca, Authorization Response Type : code, Requested callback URI : http://localhost:3000/oidconnect/login/callback, Requested Scope : openid
[2018-05-04 12:18:30,868] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default OAuth token issuer will be used. No custom token generator is set.
[2018-05-04 12:18:30,869] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default Identity OAuth token issuer will be used. No custom token generator is set.
[2018-05-04 12:18:30,870] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Successfully enabled AppInfoCache under OAuthCacheManager
[2018-05-04 12:18:30,872] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Approved scope(s) : openid
[2018-05-04 12:18:30,872] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2018-05-04 12:18:30,894] DEBUG {org.wso2.carbon.identity.oauth2.dao.AuthorizationCodeDAOImpl} - Persisting authorization code for client: iSUxUfktfR1OG4Cnwpt3kCHSxNca user: user1@carbon.super
[2018-05-04 12:18:30,897] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil} - Authorization Code info was added to the cache for client id : iSUxUfktfR1OG4Cnwpt3kCHSxNca
[2018-05-04 12:18:30,897] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil} - Issued Authorization Code to user : user1@carbon.super, Using the redirect url : http://localhost:3000/oidconnect/login/callback, Scope : openid, validity period : 300000
[2018-05-04 12:18:30,897] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
Service Provider: Inbound Auth Config: OAuth/OpenidConn Config
Any help would be greatly appreciated. Is the user not authorized to request/receive tokens? Does WSO2IS need a configuration edit? Thanks
Discussion:
Tags: node.js passport.js wso2is