1

我正在尝试使用 WSO2is 作为 Mattermost CE 的服务提供商。我的想法是使用 Mattermost GitHub 社交登录功能和 WSO2is 而不是 GitHub。

为此,我为 Wso2is 配置了 Oauth 服务提供者,效果很好。我能够验证自己并且 Mattermost 接受令牌。但是,Mattermost 无法让我登录。

经过一番挖掘,我强烈建议这个问题来自Claims。Mattermost 和 Wso2is 不能说同一种“语言”。我尝试了很多不成功的配置,尤其是http://wso2.org/oidc/claim

我想知道是否有人知道如何使用 Mattermost 配置 Wso2is?

有关信息,这是我测试过的配置之一:

<?xml version="1.0" encoding="UTF-8"?><ServiceProvider>
  <ApplicationName>Mattermost</ApplicationName>
  <Description>test</Description>
  <InboundAuthenticationConfig>
    <InboundAuthenticationRequestConfigs>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>Mattermost</InboundAuthKey>
        <InboundAuthType>openid</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>Mattermost</InboundAuthKey>
        <InboundAuthType>passivests</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>_FPI1OvbJHV_3In6kdYiQMmnIZIa</InboundAuthKey>
        <InboundAuthType>oauth2</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <inboundConfiguration><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<oAuthAppDO>
    <oauthConsumerKey>_FPI1OvbJHV_3In6kdYiQMmnIZIa</oauthConsumerKey>
    <oauthConsumerSecret>tPelnXdrnQjr0cpn2pxPT9YuQkUa</oauthConsumerSecret>
    <applicationName>Mattermost</applicationName>
    <callbackUrl>https://team.ticoop.fr/signup/gitlab/complete</callbackUrl>
    <oauthVersion>OAuth-2.0</oauthVersion>
    <grantTypes>refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer implicit password client_credentials iwa:ntlm authorization_code urn:ietf:params:oauth:grant-type:jwt-bearer </grantTypes>
    <scopeValidators/>
    <pkceSupportPlain>true</pkceSupportPlain>
    <pkceMandatory>false</pkceMandatory>
    <userAccessTokenExpiryTime>3600</userAccessTokenExpiryTime>
    <applicationAccessTokenExpiryTime>3600</applicationAccessTokenExpiryTime>
    <refreshTokenExpiryTime>84600</refreshTokenExpiryTime>
    <idTokenExpiryTime>3600</idTokenExpiryTime>
    <audiences/>
    <bypassClientCredentials>false</bypassClientCredentials>
    <requestObjectSignatureValidationEnabled>false</requestObjectSignatureValidationEnabled>
    <idTokenEncryptionEnabled>false</idTokenEncryptionEnabled>
    <idTokenEncryptionAlgorithm>null</idTokenEncryptionAlgorithm>
    <idTokenEncryptionMethod>null</idTokenEncryptionMethod>
    <backChannelLogoutUrl></backChannelLogoutUrl>
    <tokenType>JWT</tokenType>
</oAuthAppDO>
]]></inboundConfiguration>
        <Properties/>
      </InboundAuthenticationRequestConfig>
    </InboundAuthenticationRequestConfigs>
  </InboundAuthenticationConfig>
  <LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps/>
    <AuthenticationType>default</AuthenticationType>
    <alwaysSendBackAuthenticatedListOfIdPs>false</alwaysSendBackAuthenticatedListOfIdPs>
    <subjectClaimUri>http://wso2.org/claims/emailaddress</subjectClaimUri>
    <UseTenantDomainInUsername>false</UseTenantDomainInUsername>
    <UseUserstoreDomainInRoles>true</UseUserstoreDomainInRoles>
    <UseUserstoreDomainInUsername>false</UseUserstoreDomainInUsername>
    <EnableAuthorization>false</EnableAuthorization>
  </LocalAndOutBoundAuthenticationConfig>
  <RequestPathAuthenticatorConfigs/>
  <InboundProvisioningConfig>
    <ProvisioningUserStore/>
    <IsProvisioningEnabled>false</IsProvisioningEnabled>
    <IsDumbModeEnabled>false</IsDumbModeEnabled>
  </InboundProvisioningConfig>
  <OutboundProvisioningConfig>
    <ProvisioningIdentityProviders/>
  </OutboundProvisioningConfig>
  <ClaimConfig>
    <RoleClaimURI/>
    <LocalClaimDialect>true</LocalClaimDialect>
    <IdpClaim/>
    <ClaimMappings>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/username</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/username</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/fullname</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/fullname</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/photourl</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/photourl</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/url</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/url</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/active</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/active</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/nickname</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/nickname</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/identity/emailVerified</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/identity/emailVerified</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
    </ClaimMappings>
    <AlwaysSendMappedLocalSubjectId>false</AlwaysSendMappedLocalSubjectId>
    <SPClaimDialects>
      <SPClaimDialect>http://wso2.org/oidc/claim</SPClaimDialect>
    </SPClaimDialects>
  </ClaimConfig>
  <PermissionAndRoleConfig>
    <Permissions/>
    <RoleMappings/>
    <IdpRoles/>
  </PermissionAndRoleConfig>
  <IsSaaSApp>false</IsSaaSApp>
</ServiceProvider>

注意:对于 Wso2is,需要将 Mattermost Gitlab 配置 URL 从 /ouath/ 更改为 /oauth2/。

谢谢

问候

4

1 回答 1

0

我无法用 wso2is 解决这个问题。事实上,看起来 wso2is 并没有发送带有令牌的声明。此外,Git 令牌结构使用整数作为 ID,而不是字符串。因此,不可能使用几乎所有 IAM 生成的默认用户 GUID。

为了满足我的需求,我找到了另一个解决方案:KeyCloak。KeyCloak 工作正常,它允许通过代码定义声明,因此可以自动生成 Mattermost 所需的整数 ID。

问候,

于 2018-12-17T07:41:03.427 回答