server - WSO2 IS : how to allow anonymous request to OIDC . 众所周知/openid 配置

Question

通常，对于 OIDC 发现，.well-known URI 可以作为匿名请求。 WSO2 5.3.0 文档中的示例指出必须为请求提供管理员级凭据:

https://docs.wso2.com/display/IS530/OpenID+Connect+Discovery

curl -v -k --user admin:admin https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration

(下划线不是拼写错误，而是绕过 URL 计数限制)

我可以确认导致curl -v -k https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration返回401未授权。

(下划线不是拼写错误，而是绕过 URL 计数限制)

我尝试使用“SYSTEM/wso2.anonymous.role is ALLOWed to READ”在注册表中配置/_system/config/oidc 的权限，但仍然收到 401 错误。调整“SYSTEM/wso2.anonymous”的权限.role is ALLOWed to AUTHORIZE”返回 200 但正文为空。

关于如何在无需提供任何凭据(匿名)的情况下处理 OIDC 发现(获取 OIDC 配置)有什么建议吗？

谢谢

JF

Answer 1

经过多次试验，可以通过注释 {WSO2_base_path}/repository/conf/identity/identity.xml 中的 .well-know 行来提供匿名访问:

 <ResourceAccessControl>
    <Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/api/identity/recovery/(.*)" secured="true" http-method="all"/>
    <!--<Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>-->
    <Resource context="(.*)/identity/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
    </Resource>
    <Resource context="(.*)/identity/connect/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
    </Resource>
    <Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
    </Resource>
    <Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/pep</Permissions>
    </Resource>
</ResourceAccessControl>