add certificate for Cura Aalborg Udd environment #36
Conversation
add test certificate for Cura Aalborg Udd environment
This is a request for an additional client for the test environment, correct? We are experiencing some issues with our deployment pipeline, but we will add this as soon as possible. |
yes this is so that Aalborg can test by themselves on one of their test environments. |
Sure, then I will let you know when it is available. |
Client is now available on the test environment |
When using this, we get error code 400 with the response {"error":"invalid_client","error_description":"Unable to load public key"} from the gateway Keycloak. Can you double check that it has been added to the environment and that there is no typo in the client id? |
@aonsystematic this is most likely caused by giving an invalid |
I just verified the request body, and the kid is the same as the one you have posted, so that is not the issue. EDIT: turns out there was some mixing and matching of client_ids, which I just found. However, we now get an even less descriptive error: |
@aonsystematic I see |
So is that an issue with our service agreement? It still works when we use our other client. |
That's hard to say. You can compare your assertion to this assertion (signature redacted), to see if something seems off:

<?xml version="1.0" encoding="UTF-8"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7df071e6-b49f-4a9f-a0a3-921cb90eec5e"
           IssueInstant="2022-05-23T08:06:15.361Z" Version="2.0">
  <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    https://saml.adgangsstyring.eksterntest-stoettesystemerne.dk
  </Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="#_7df071e6-b49f-4a9f-a0a3-921cb90eec5e">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>PlAQFv5vFM/F07diWiGGr1OgJB/G2iaHYj3R8B1Xsgs=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
      REDACTED
    </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>
          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
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      SERIALNUMBER=CVR:20921897-FID:16356883 + CN=klg_demo_anvendersystem (funktionscertifikat), O=TRIFORK A/S //
      CVR:20921897, C=DK
    </NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <SubjectConfirmationData xmlns:a="http://www.w3.org/2001/XMLSchema-instance"
                               NotBefore="2022-05-23T08:06:15.361Z" NotOnOrAfter="2022-05-23T16:06:15.361Z"
                               Recipient="http://ehealth.sundhed.dk/service/CareGateway/1"
                               a:type="KeyInfoConfirmationDataType">
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>
              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
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </SubjectConfirmationData>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2022-05-23T08:06:15.361Z" NotOnOrAfter="2022-05-23T16:06:15.361Z">
    <AudienceRestriction>
      <Audience>http://ehealth.sundhed.dk/service/CareGateway/1</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="dk:gov:saml:attribute:CvrNumberIdentifier"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue>29189366</AttributeValue>
    </Attribute>
    <Attribute Name="dk:gov:saml:attribute:AssuranceLevel"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue>3</AttributeValue>
    </Attribute>
    <Attribute Name="dk:gov:saml:attribute:SpecVer"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue>DK-SAML-2.0</AttributeValue>
    </Attribute>
    <Attribute Name="dk:gov:saml:attribute:KombitSpecVer"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue>1.0</AttributeValue>
    </Attribute>
    <Attribute Name="dk:gov:saml:attribute:Privileges_intermediate"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue>
        PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48YnBwOlByaXZpbGVnZUxpc3QgeG1sbnM6YnBwPSJodHRwOi8vaXRzdC5kay9vaW9zYW1sL2Jhc2ljX3ByaXZpbGVnZV9wcm9maWxlIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48UHJpdmlsZWdlR3JvdXAgU2NvcGU9InVybjpkazpnb3Y6c2FtbDpjdnJOdW1iZXJJZGVudGlmaWVyOjI5MTg5MzY2Ij48UHJpdmlsZWdlPmh0dHA6Ly9laGVhbHRoLnN1bmRoZWQuZGsvcm9sZXMvc2VydmljZXN5c3RlbXJvbGUvY2FyZV9kZWxpdmVyeV9yZXBvcnRlcl9zeXN0ZW0vMTwvUHJpdmlsZWdlPjwvUHJpdmlsZWdlR3JvdXA+PC9icHA6UHJpdmlsZWdlTGlzdD4=
      </AttributeValue>
    </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2022-05-23T08:06:15.361Z">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
|
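The comparison suggested in the comment above, done field by field instead of by eye, as an added example that is not part of the pull-request thread or of the project's code. The script parses a holder-of-key assertion with the same structure as the one posted (the sample here is constructed; its certificates and signature value are placeholders), summarizes the fields that usually differ between a working and a failing client (issuer, subject, confirmation method, audience and recipient, validity window, which certificate signed the assertion and which one the subject holds), runs a few sanity checks, and diffs two summaries. The `check_assertion` findings and the `diff_summaries` ignore-list are this example's own choices, not anything the thread specifies.

```python
"""Summarize, sanity-check and diff SAML 2.0 holder-of-key assertions.

Added example, not code from the thread or from the project. The sample
assertion below is constructed to mirror the shape of the one posted in the
thread; its certificates and signature value are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed placeholders standing in for the DER certificates the thread redacts.
IDP_CERT = base64.b64encode(b"constructed-placeholder-idp-certificate").decode()
CLIENT_CERT = base64.b64encode(b"constructed-placeholder-client-certificate").decode()

# Constructed sample with the same structure as the assertion posted in the thread.
SAMPLE_ASSERTION = f"""<?xml version="1.0" encoding="UTF-8"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7df071e6-b49f-4a9f-a0a3-921cb90eec5e"
  IssueInstant="2022-05-23T08:06:15.361Z" Version="2.0">
  <Issuer>https://saml.adgangsstyring.eksterntest-stoettesystemerne.dk</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><Reference URI="#_7df071e6-b49f-4a9f-a0a3-921cb90eec5e"/></SignedInfo>
    <SignatureValue>REDACTED</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{IDP_CERT}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=klg_demo_anvendersystem</NameID>
    <SubjectConfirmation Method="{HOLDER_OF_KEY}">
      <SubjectConfirmationData NotBefore="2022-05-23T08:06:15.361Z" NotOnOrAfter="2022-05-23T16:06:15.361Z"
        Recipient="http://ehealth.sundhed.dk/service/CareGateway/1">
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
          <X509Certificate>{CLIENT_CERT}</X509Certificate></X509Data></KeyInfo>
      </SubjectConfirmationData>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2022-05-23T08:06:15.361Z" NotOnOrAfter="2022-05-23T16:06:15.361Z">
    <AudienceRestriction><Audience>http://ehealth.sundhed.dk/service/CareGateway/1</Audience></AudienceRestriction>
  </Conditions>
</Assertion>
"""


def parse_ts(ts: str) -> datetime:
    """Parse the UTC timestamps used in the assertion (e.g. 2022-05-23T08:06:15.361Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def cert_sha256(b64_der: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate, for comparison with the
    certificate registered on the client in Keycloak."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def summarize_assertion(xml_text: str) -> dict:
    """Pull the fields worth comparing out of one assertion."""
    root = ET.fromstring(xml_text.encode("utf-8"))

    def text(path: str, node=root) -> str:
        return (node.findtext(path, default="", namespaces=NS) or "").strip()

    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS)
    cond = root.find("saml:Conditions", NS)
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {
        "id": root.get("ID"),
        "issuer": text("saml:Issuer"),
        "subject": text("saml:Subject/saml:NameID"),
        "confirmation_method": conf.get("Method"),
        "recipient": data.get("Recipient"),
        "audience": text("saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        # The enveloped signature must reference this assertion's own ID.
        "signature_covers_assertion": ref is not None and ref.get("URI") == "#" + root.get("ID"),
        "signing_cert_sha256": cert_sha256(text("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate")),
        "holder_cert_sha256": cert_sha256(text("ds:KeyInfo/ds:X509Data/ds:X509Certificate", data)),
    }


def check_assertion(summary: dict, now: str) -> list:
    """Findings a reviewer would raise; `now` uses the assertion's timestamp format."""
    findings = []
    if summary["confirmation_method"] != HOLDER_OF_KEY:
        findings.append("subject confirmation is not holder-of-key")
    if summary["recipient"] != summary["audience"]:
        findings.append("Recipient and Audience differ")
    if not summary["signature_covers_assertion"]:
        findings.append("signature Reference does not point at the Assertion ID")
    t = parse_ts(now)
    if not parse_ts(summary["not_before"]) <= t < parse_ts(summary["not_on_or_after"]):
        findings.append("outside validity window")
    return findings


def diff_summaries(a: dict, b: dict, ignore=("id", "not_before", "not_on_or_after")) -> dict:
    """Fields that differ between two assertions, ignoring per-token values."""
    return {k: (a[k], b[k]) for k in a if k not in ignore and a[k] != b[k]}


if __name__ == "__main__":
    mine = summarize_assertion(SAMPLE_ASSERTION)
    # Constructed "failing" assertion: same shape, issued for a different audience.
    theirs = summarize_assertion(SAMPLE_ASSERTION.replace("CareGateway/1</Audience>", "CareGateway/2</Audience>"))
    print(check_assertion(mine, "2022-05-23T09:00:00.000Z"))
    print(check_assertion(theirs, "2022-05-23T09:00:00.000Z"))
    print(diff_summaries(mine, theirs))
```

To use it on the real assertions, feed the decoded XML of the working client's assertion and the failing client's assertion to `summarize_assertion` and look at `diff_summaries`; the two fingerprints are the values to hold against the certificate registered for each client. Signature verification is deliberately left out, since the posted assertion has its signature value redacted.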
I cannot find any notable differences from our assertion, maybe there is something you can see that I cannot?
|
@aonsystematic it also looks good to me. I would suggest going through each parameter in the token request to double check that everything is correct, that is:
|
I'm unable to see any issues there either. Here it is:
EDIT: I looked into the |
@aonsystematic yes maybe that warning is a false flag. I have been able to reproduce the error by omitting the client id from the request, but we have already checked the request. I'm assuming that you are using the same implementation for both clients? |
I've been asked to move this discussion to an issue instead of the pull request, so here it is: #38. I also mention it there, but the implementation is in fact the same for both clients. |