
Federated authentication fails between two tenants in a host name changed IS #16181

Closed
AnuradhaSK opened this issue Jul 4, 2023 · 3 comments

AnuradhaSK commented Jul 4, 2023

Describe the issue:

  1. Change the hostname of the IS following option 1 in https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/
     Add localhost as a SAN for the certificate (-ext SAN=dns:localhost), as the internal hostname is localhost by default. For that, navigate to the <IS_HOME>/repository/resources/security directory on the command prompt and use the following command to create a new keystore with CN=is.dev.wso2.com and localhost as SAN.
  2. Enable the following debug logs in the log4j2.properties file:

     logger.org-wso2-carbon-identity-application-authentication-framework.name=org.wso2.carbon.identity.application.authentication.framework
     logger.org-wso2-carbon-identity-application-authentication-framework.level=DEBUG

     logger.org-wso2-carbon-identity-oauth2.name=org.wso2.carbon.identity.oauth2
     logger.org-wso2-carbon-identity-oauth2.level=DEBUG

  3. Create a service provider in the super tenant and configure it with the OAuth2/OIDC inbound protocol.
  4. Create another tenant and configure that tenant as an OAuth/OIDC IDP in the super tenant.
  5. Plug the IDP in as a login option for the created SP.
  6. Try to log in via the federated IDP. Authentication fails with the following error:
[2023-07-05 00:09:47,564] [6072d332-6c72-4c9f-9f9b-d27d5c0563e1] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Authentication failed exception! org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: java.io.IOException: HTTPS hostname wrong:  should be <is.dev.wso2.com>
	at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:881)
	at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.requestAccessToken(OpenIDConnectAuthenticator.java:622)
	at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.processAuthenticationResponse(OpenIDConnectAuthenticator.java:490)
	at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:100)
	at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.process(OpenIDConnectAuthenticator.java:131)
	at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:688)
	at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:657)
	at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:242)
	at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:220)
	at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handle(GraphBasedSequenceHandler.java:118)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:198)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:346)
	at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doPost(CommonAuthenticationHandler.java:57)
	at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:46)
	at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doGet(CommonAuthenticationServlet.java:48)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
	at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119)
	at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115)
	at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38)
	at org.wso2.carbon.identity.cors.valve.CORSValve.invoke(CORSValve.java:83)
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:167)
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:120)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:110)
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:71)
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63)
	at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
	at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1735)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.apache.oltu.oauth2.common.exception.OAuthSystemException: java.io.IOException: HTTPS hostname wrong:  should be <is.dev.wso2.com>
	at org.apache.oltu.oauth2.client.URLConnectionClient.execute(URLConnectionClient.java:108)
	at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:65)
	at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:55)
	at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:71)
	at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:875)
	... 66 more
Caused by: java.io.IOException: HTTPS hostname wrong:  should be <is.dev.wso2.com>
	at java.base/sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:653)
	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:586)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:201)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1367)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1342)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:246)
	at org.apache.oltu.oauth2.client.URLConnectionClient.execute(URLConnectionClient.java:85)
	... 70 more

[2023-07-05 00:09:47,579] [6072d332-6c72-4c9f-9f9b-d27d5c0563e1] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Authentication failed exception! java.io.IOException: HTTPS hostname wrong:  should be <is.dev.wso2.com>
Screencast.from.2023-07-05.00.05.07.webm

Cause for the issue:

keytool -genkey -alias newcert -keyalg RSA -keysize 2048 -keystore newkeystore.jks -dname "CN=is.dev.wso2.com, OU=Is,O=Wso2,L=SL,S=WS,C=LK" -storepass mypassword -keypass mypassword -ext SAN=dns:localhost,dns:is.dev.wso2.com

Need to update the documentation properly.

Environment information (Please complete the following information; remove any unnecessary fields) :

  • Product Version: IS-6.2.0-alpha4-snapshot

LakshiAthapaththu commented Jul 7, 2023

The following behaviours were observed while analysing the above flows.

  • The given flow works as expected after adding is.dev.wso2.com also as a SAN (as suggested).
  • The self-registration flow, which uses the internal hostname, failed after removing localhost from the SAN.
  • When there is no SAN, the federated authentication between two tenants flow (reported flow) works and the issue is not reproduced.

Therefore, as per the current implementation, both localhost and is.dev.wso2.com are required in the SAN.


LakshiAthapaththu commented Jul 17, 2023

As per the analysis, when there is no SAN, the reported issue is not reproducible.

A fix for the "self-registration flow does not work without localhost" issue will be included in WSO2 IS 6.2 with wso2/carbon-kernel#3610 and wso2/carbon-identity-framework#4794. With that, all the flows will work with the following command (no SAN required).

keytool -genkey -alias newcert -keyalg RSA -keysize 2048 -keystore newkeystore.jks -dname "CN=is.dev.wso2.com, OU=Is,O=Wso2,L=SL,S=WS,C=LK" -storepass mypassword -keypass mypassword

Therefore, the doc for WSO2 IS 6.2 should be updated as in #16255.

For the existing implementation to work without any issue, the current documentation should be updated as in #16215.
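The three keystore variants discussed in this thread (SAN=localhost only, SAN with both names, and no SAN at all) behave differently because of one hostname-verification rule: once a certificate carries any dNSName SAN entry, the subject CN is no longer consulted, and the CN is used only as a fallback when there are no dNSName SANs. The script below, an added example that is not WSO2 code and not part of this issue, models that rule over certificate dicts constructed in the same shape Python's ssl.getpeercert() returns, and reports which of the hostnames a deployment needs (the internal hostname localhost and the external hostname is.dev.wso2.com from this thread) a given certificate would fail to cover. The function and variable names are assumptions made for the example.

```python
"""Pre-flight SAN/CN coverage check for an IS deployment's TLS certificate.

Added example, not WSO2 code. Models the JDK HTTPS hostname-verification rule:
dNSName SAN entries are authoritative when present; the subject CN is only a
fallback when the certificate has no dNSName SANs. Certificate dicts below are
constructed inline in the shape of ssl.SSLSocket.getpeercert().
"""
from typing import List, Optional, Sequence, Tuple

# Hostnames the deployment in this thread must be able to verify: the
# internal hostname (localhost) and the configured external hostname.
REQUIRED_HOSTNAMES: Tuple[str, ...] = ("localhost", "is.dev.wso2.com")


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a single leftmost '*' matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, and label counts must agree.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def dns_names(cert: dict) -> List[str]:
    """All dNSName SAN entries of the certificate (empty if none)."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert: dict) -> Optional[str]:
    """The subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate verifies for hostname under the SAN-first rule."""
    names = dns_names(cert)
    if names:
        # Any dNSName SAN present: the CN is ignored entirely.
        return any(_dns_name_match(n, hostname) for n in names)
    cn = subject_cn(cert)
    return cn is not None and _dns_name_match(cn, hostname)


def missing_hostnames(cert: dict, required: Sequence[str] = REQUIRED_HOSTNAMES) -> List[str]:
    """Required hostnames the certificate would NOT verify for."""
    return [h for h in required if not hostname_matches(cert, h)]


def make_cert(cn: str, sans: Sequence[str] = ()) -> dict:
    """Build a getpeercert()-shaped dict for a constructed certificate."""
    cert = {"subject": ((("commonName", cn),),)}
    if sans:
        cert["subjectAltName"] = tuple(("DNS", s) for s in sans)
    return cert


# The three keystores discussed in the thread, constructed here:
CERT_SAN_LOCALHOST_ONLY = make_cert("is.dev.wso2.com", ("localhost",))
CERT_SAN_BOTH = make_cert("is.dev.wso2.com", ("localhost", "is.dev.wso2.com"))
CERT_NO_SAN = make_cert("is.dev.wso2.com")

if __name__ == "__main__":
    for label, cert in (
        ("SAN=localhost only (original doc)", CERT_SAN_LOCALHOST_ONLY),
        ("SAN=localhost,is.dev.wso2.com   ", CERT_SAN_BOTH),
        ("no SAN (CN fallback)            ", CERT_NO_SAN),
    ):
        gaps = missing_hostnames(cert)
        print(f"{label}: {'ok' if not gaps else 'cannot verify ' + ', '.join(gaps)}")
```

Run stand-alone, the script shows the SAN=localhost-only certificate failing for is.dev.wso2.com (the "HTTPS hostname wrong" error above), the two-name SAN covering both, and the no-SAN certificate covering only the CN hostname, which is why localhost-based internal calls still need the kernel and framework changes referenced in this thread.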

@LakshiAthapaththu

Verified the flow.
Need to complete the document issue in #16255
