0

Situation:

Enviroment: 1 Server: Oracle Linux Micro-integrator 4.1.0 running Api-Manager 4.1.0 running Admin,Publisher, DevPortal sites can be accessed within the server and the LAN An API I've created with oauth2 (authorization+token) can be accessed within the LAN (via Postman)

NOW...I want to expose that API to internet. My IT Team addedfollowing to the DMZ server (NGINX) conf file, where oauth2 is to invoke the auth services and dsFenicio is the API .

    location /oauth2 {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass https://192.168.135.64:9443;
            proxy_read_timeout  300;
            proxy_ssl_server_name on;
            proxy_ssl_session_reuse off;
            proxy_ssl_verify off;
    }


    location /dsFenicio {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass https://192.168.135.64:8243;
            proxy_read_timeout  300;
            proxy_ssl_server_name on;
            proxy_ssl_session_reuse off;
            proxy_ssl_verify off;
    }

The Problem: When I sent the oauth2 autorization code request (from postman), I received a msg in the browser stating: "Suspicious authentication attempts found Suspicious login attempts found during the authentication process. Please try signing in again"

enter image description here

and this is in the Logs (wso2carbon.log):

ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Exception in Authentication Framework org.ws$wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: Session nonce cookie value is not matching for session with sessionDataKey: bf74d0ec-05ef-4682- ...

starball
  • 20,030
  • 7
  • 43
  • 238
Daniel Capone
  • 29
  • 5

1 Answers1

0

This is due to a feature called Session Nonce Cookie Validation which is enabled by default.

I was able to reproduce this scenario and was able to solve this situation while keeping the session nonce cookie validation enabled. The following steps were followed.

  1. Exposed the /commonauth, /authenticationendpoint, /logincontext endpoints through nginx in addition to the /oauth2 endpoint.
  2. Added the following to the deployment.toml
[authentication.endpoints]
login_url="https://<loadbalancer_hostname>/authenticationendpoint/login.do"
retry_url="https://<loadbalancer_hostname>/authenticationendpoint/retry.do"

Without the above steps, you can disable this feature also for your scenario to work. This feature can be disabled by adding the following to the deployment.toml file.

[session.nonce.cookie]
enabled="false"
Hisan Hunais
  • 288
  • 1
  • 3
  • 6