
DAPS Server running IDSCP2_example running problem

IDSCP2_example

Problem 1: 400 error code is reported at the beginning of the run.

This is most likely a request error: the client_id in the token request is not known to the DAPS server.

Solution 1:

Run the Omejdn-server locally.
This requires installing a Ruby interpreter and setting up the runtime environment.
Register the connector ID that is to be authenticated in Omejdn-server.
The 400 error is resolved.

Note 1: Both the server and the client connector need to be registered; if the server is not registered, INVALID_DAT is returned.
The following error occurs:
[[17] Unable to process JOSE object (cause: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 1.): INVALID_DAT]

Note 2: grant_type must be client_credentials.
Note 3: scope must be idsc:IDS_CONNECTOR_ATTRIBUTES_ALL.

Issue 2: localhost certificate expired

The first step of the handshake between server and client is establishing a TLS connection: the two sides exchange certificates and authenticate each other.
If a certificate has expired, an error is reported.

Solution 2:

Edit the hosts file to add the local domain names consumer-core and provider-core.
Use a certificate issued for those names instead of the localhost certificate.

Success 2:
Connector server and client can establish a TLS connection.

Problem 3: 500 return code (internal error): in the DAPS server's filter_scopes there is a string-to-int conversion problem.


Solution 3:

After reading up on Ruby syntax and debugging,
the problem was found at resource_owner.attributes[key], where select operates on each element of the array.
The original logic filtered ranges and returned an array of ranges,
so the logic was rewritten to return the scope directly without filtering it.

To be resolved:

The original filtering logic needs to be examined to see what it did, and changed to something that does not raise an error.

Problem 4: the aud claim in the DAT is not accepted

[[8] Audience (aud) claim [] doesn't contain an acceptable identifier. Expected one of [IDS_Connector, idsc:IDS_CONNECTORS_ALL] as an aud value.

Solution 4:

Rewrite the logic of the DAT returned by the DAPS server:
in the DAPS server's /token endpoint, in the client_credentials branch, the resources field is what ends up as the returned aud; as a first step this field was set directly to ['IDS_Connector'].

Not yet resolved:

How is the resources field generated automatically?


Issue 5: Issuer in DAT is not the same as the expected issuer

[12] Issuer (iss) claim value (http://localhost:4567) doesn't match expected value of http://localhost]

Solution 5:

Rewrote the value passed to setExpectedIssuer on the jwtConsumer in DAPS_Driver.
According to dapsMeta.issuer the values should already be the same, though, so it is unclear why the error occurs.
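The exchange behind Problem 1 (registering the connector, the grant_type and scope from Notes 2 and 3), the scope filtering of Problem 3, and the aud and iss checks of Solutions 4 and 5, put together as an added example that is not the original page's, Omejdn's or IDSCP2's code. It uses only the Ruby standard library. The in-memory client registry, the in-memory JWKS (kid => public key), the key ids and the 'example-connector' client_id are assumptions made for the example, as is the rule that the client assertion's aud must be the DAPS issuer URL. The token endpoint returns 400 invalid_client for an unregistered client_id, keeps scope filtering as a plain string intersection instead of returning the requested scope unfiltered (which would hand any registered client whatever scope it asks for), and issues a DAT whose iss and aud are what the connector-side check expects.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed example of the DAPS client_credentials exchange; not Omejdn's or IDSCP2's
# code. The in-memory registry, the in-memory JWKS and all key ids are assumptions.
DAPS_ISSUER    = 'http://localhost:4567'.freeze     # issuer value seen in the log above
DAPS_AUDIENCE  = 'idsc:IDS_CONNECTORS_ALL'.freeze   # aud the connector expects in the DAT
REQUIRED_SCOPE = 'idsc:IDS_CONNECTOR_ATTRIBUTES_ALL'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# RS256 JWS in compact serialization: header.payload.signature (three parts).
def jws_sign(claims, key, kid)
  input = "#{b64url(JSON.generate({ alg: 'RS256', typ: 'JWT', kid: kid }))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Checks the signature and returns the claims. Anything that is not a three-part JWS is
# rejected up front: that is the INVALID_DAT failure quoted in Note 1.
def jws_verify(token, pubkey)
  parts = token.split('.')
  raise "Expecting 3 parts for JWS but was #{parts.size}" unless parts.size == 3
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  raise "unsupported alg #{header['alg']}" unless header['alg'] == 'RS256' # no alg confusion
  sig_ok = pubkey.verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(parts[2]),
                         "#{parts[0]}.#{parts[1]}")
  raise 'signature verification failed' unless sig_ok
  JSON.parse(Base64.urlsafe_decode64(parts[1]))
end

# Scope filtering without the string-to-int trap of Problem 3: scopes are plain strings,
# so the filter is the intersection of requested and allowed. Never return them unfiltered.
def filter_scopes(requested, allowed)
  requested.select { |s| allowed.include?(s) }
end

# Hypothetical /token handler. registry maps client_id => { pubkey:, scopes: }.
# Returns [http_status, response_hash].
def token_endpoint(params, registry, daps_key)
  return [400, { error: 'unsupported_grant_type' }] unless params['grant_type'] == 'client_credentials'
  parts = params['client_assertion'].to_s.split('.')
  return [400, { error: 'invalid_request' }] unless parts.size == 3
  client_id = (JSON.parse(Base64.urlsafe_decode64(parts[1]))['sub'] rescue nil) # unverified: key lookup only
  client = registry[client_id]
  return [400, { error: 'invalid_client' }] if client.nil? # unregistered connector: the 400 of Problem 1
  begin
    claims = jws_verify(params['client_assertion'], client[:pubkey])
  rescue StandardError => e
    return [400, { error: 'invalid_client', error_description: e.message }]
  end
  return [400, { error: 'invalid_client' }] unless claims['aud'] == DAPS_ISSUER # assumed assertion audience
  scopes = filter_scopes(params['scope'].to_s.split, client[:scopes])
  return [400, { error: 'invalid_scope' }] unless scopes.include?(REQUIRED_SCOPE)
  now = Time.now.to_i
  dat = { iss: DAPS_ISSUER, sub: client_id, aud: [DAPS_AUDIENCE], scope: scopes.join(' '),
          iat: now, nbf: now, exp: now + 3600, jti: SecureRandom.hex(8) }
  [200, { access_token: jws_sign(dat, daps_key, 'daps-key-1'), token_type: 'bearer', expires_in: 3600 }]
end

# Connector-side DAT validation with the checks behind the jose4j errors quoted above
# (part count, signature, iss, aud, exp). jwks maps kid => public key; a real driver
# fetches it from the DAPS jwks endpoint.
def verify_dat(token, jwks, expected_issuer, expected_aud)
  parts = token.split('.')
  raise "INVALID_DAT: expecting 3 parts for JWS but was #{parts.size}" unless parts.size == 3
  kid    = JSON.parse(Base64.urlsafe_decode64(parts[0]))['kid']
  pubkey = jwks[kid] or raise "INVALID_DAT: no key with kid #{kid}"
  claims = jws_verify(token, pubkey)
  raise "Issuer (iss) claim value (#{claims['iss']}) doesn't match expected value of #{expected_issuer}" unless claims['iss'] == expected_issuer
  aud = Array(claims['aud'])
  raise "Audience (aud) claim #{aud} doesn't contain #{expected_aud}" unless aud.include?(expected_aud)
  raise 'DAT expired' unless claims['exp'].to_i > Time.now.to_i
  claims
end

# The client_assertion a connector sends. 'example-connector' below is a placeholder
# client_id; a real DAPS identifies the connector by its certificate's SKI:AKI.
def client_assertion(client_id, key)
  now = Time.now.to_i
  jws_sign({ iss: client_id, sub: client_id, aud: DAPS_ISSUER, iat: now, exp: now + 60,
             jti: SecureRandom.hex(8) }, key, client_id)
end

# End to end: register one connector, request a DAT, validate it on the connector side.
def run_example
  daps_key  = OpenSSL::PKey::RSA.new(2048)
  jwks      = { 'daps-key-1' => daps_key.public_key }
  conn_key  = OpenSSL::PKey::RSA.new(2048)
  client_id = 'example-connector'
  registry  = { client_id => { pubkey: conn_key.public_key, scopes: [REQUIRED_SCOPE] } }
  request   = { 'grant_type' => 'client_credentials', 'scope' => REQUIRED_SCOPE,
                'client_assertion' => client_assertion(client_id, conn_key) }
  status, body = token_endpoint(request, registry, daps_key)
  claims = status == 200 ? verify_dat(body[:access_token], jwks, DAPS_ISSUER, DAPS_AUDIENCE) : nil
  { status: status, body: body, claims: claims }
end

puts JSON.pretty_generate(run_example) if __FILE__ == $PROGRAM_NAME
```

Run it as a script to see the issued DAT and its validated claims. Removing the connector from the registry reproduces the 400 of Problem 1, handing verify_dat a one-part string reproduces the INVALID_DAT part-count error of Note 1, and issuing the DAT with a different iss or aud reproduces the errors quoted under Problem 4 and Issue 5.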

Problem 6: JWK fetch error

Solution 6:

The cause is that the endpoint path used to fetch the key is wrong: somewhere in IDSCP2-JVM a /well-knowns segment is appended to the jwks_endpoint path, so the key cannot be fetched.

Unresolved issue 7: validating the expected certificate fingerprints

The logic verifies the other party's certificate fingerprint, but there is no logic in the DAT that returns the certificate.
Currently the most basic DAT is returned: it only verifies whether the client_id is registered, does not deploy the public key (which would be verified by checking the signature), and so does not return the certificate fingerprint.
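A worked example for the certificate side of Issue 2 and Issue 7, added here and not taken from IDSCP2 or Omejdn. It builds self-signed test certificates with the Ruby standard library, checks expiry and host-name match the way the TLS handshake does (a certificate issued for consumer-core/provider-core is rejected when the peer is contacted as localhost, and the expired localhost certificate is rejected outright), and shows the fingerprint binding that a DAPS has to provide for the Issue 7 check to work: the SHA-256 fingerprint of the connector's TLS certificate goes into the DAT's transportCertsSha256 claim (the claim name from the IDS DAT profile) when the DAT is issued, and the peer checks the TLS certificate it actually received against that list. The host names, the certificates and the DAT hash are constructed for the example.

```ruby
require 'openssl'

# Constructed example; not code from IDSCP2 or Omejdn. The host names, the
# self-signed certificates and the DAT hash below are made up for this example.

# Self-signed certificate valid for the given DNS names and validity window.
def make_cert(cn, dns_names, not_before, not_after)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', dns_names.map { |d| "DNS:#{d}" }.join(',')))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What the TLS handshake of Issue 2 rejects: an expired (or not yet valid) certificate,
# or one not issued for the host name the peer is contacted under.
# Returns the list of problems; an empty list means the certificate is usable.
def tls_cert_problems(cert, hostname, now = Time.now)
  problems = []
  problems << "certificate expired on #{cert.not_after.utc}" if cert.not_after < now
  problems << "certificate not valid before #{cert.not_before.utc}" if cert.not_before > now
  problems << "hostname #{hostname} not in certificate" unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  problems
end

# SHA-256 over the DER encoding, lower-case hex: the fingerprint form a DAT can carry
# for the connector's transport certificate.
def sha256_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Issue 7: this check only works if the DAPS put the fingerprint into the DAT when it
# issued it. The IDS DAT profile uses the transportCertsSha256 claim for that; the
# peer's TLS certificate must hash to one of the listed values.
def transport_cert_bound?(dat_claims, peer_cert)
  Array(dat_claims['transportCertsSha256']).map(&:downcase).include?(sha256_fingerprint(peer_cert))
end

def run_example
  now = Time.now
  expired,  _ = make_cert('localhost', ['localhost'], now - 2 * 86_400, now - 86_400)
  provider, _ = make_cert('provider-core', %w[provider-core consumer-core], now - 60, now + 365 * 86_400)
  # DAT claims (constructed) as a DAPS would have to issue them for the provider connector.
  dat = { 'sub' => 'example-connector', 'transportCertsSha256' => [sha256_fingerprint(provider)] }
  {
    expired_localhost:         tls_cert_problems(expired, 'localhost', now),
    provider_as_localhost:     tls_cert_problems(provider, 'localhost', now),
    provider_as_provider_core: tls_cert_problems(provider, 'provider-core', now),
    fingerprint:               sha256_fingerprint(provider),
    bound:                     transport_cert_bound?(dat, provider),
    bound_wrong_cert:          transport_cert_bound?(dat, expired)
  }
end

if __FILE__ == $PROGRAM_NAME
  run_example.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it as a script to print each result. tls_cert_problems returns an empty list only when the certificate is both inside its validity window and issued for the host name in use, which is why the hosts-file entries and a certificate for those names go together in Solution 2; transport_cert_bound? is false for any certificate whose fingerprint the DAPS did not list in the DAT, so a DAT that carries no such claim can never pass the fingerprint check.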