I set up WSO2 APIM locally and added a simple HelloWorld API to my local Publisher (refer to this link). Then, I created a sub tenant in the APIM Management Console. I enabled Subscription Availability for all tenants (refer to this link; I'm sure I enabled it because I can see the options in the Publisher). I opened the Devportal. In the Tenant Developer Portals list, I selected carbon.super (in order to see my HelloWorld API, which was created by the supertenant admin) and then signed in with my subtenant ID and password. I created my application and generated a key and secret. Then, I subscribed to my HelloWorld API, which was created by the supertenant. Everything seems normal.
I can get JWT tokens for the supertenant admin and the subtenant admin. Here are the curl commands:
curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic N25..."
curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=admin@arda.test&password=12345&scope=openid" -H "Authorization: Basic SjM..."
The problem is, when I try to invoke the API with a request that includes the supertenant admin's token, I get a 200 OK response, but when I try to use the subtenant admin's JWT token, I get this error response:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900900</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>
When I check the logs, I see this:
[2021-06-03 15:42:03,323] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:438) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:418) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:354) [org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:325) [org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.apache.synapse.rest.API.process(API.java:373) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:144) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.identifyAPI(RESTRequestHandler.java:164) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:73) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:331) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:99) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v41.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v183.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:188) [synapse-nhttp-transport_2.1.7.wso2v183.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v41.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:834) [?:?]
The curl command I used is this:
curl -k -X GET https://localhost:8243/hello/1.0.0 -H "Authorization: Bearer eyJ..."
What is the problem? Is this a bug, or what am I missing?
If you are using the vanilla pack of APIM 3.2.0 (without WUM updates) this is expected. When we released the 3.2.0 version, with the new multiple KM architecture, the cross-tenant subscription feature was deprecated. It was added to 3.2.0 again after some time via a WUM update. If you have a WSO2 subscription, the latest WUM updated pack has this feature and it is working.
This PR(https://github.com/wso2/carbon-apimgt/pull/9793) adds the feature to the 4.0.0 release.
I am using API Manager 3.1.0. I have configured a WebSocket API in the API Publisher and I am trying to access wss and ws. The problem is that I am unable to access the secure socket wss://localhost:8099/Notification/v1?access_token=xxx123,
but I am able to access ws://localhost:9099/Notification/v1?access_token=xxx123.
Can you please guide me on what I have to configure to access wss?
Please refer to the screen clip, which shows "unable to verify the first certificate".
Please use the command given in documentation [1] for wss://. I'll post the sample command here. I think you have missed '-n' in the command.
wscat -n -c wss://localhost:8099/echowebsocket/1.0.0 -H "Authorization: Bearer [accesstoken]"
[1] https://apim.docs.wso2.com/en/latest/learn/tutorials/create-and-publish-websocket-api/#step-3-invoke-a-websocket-api
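The `-n` flag in the wscat command above makes the client skip certificate verification, which is why the "unable to verify the first certificate" error goes away. As an added example (not from the original answer or from WSO2), the following stand-alone Python client performs the same TLS WebSocket upgrade against the gateway but keeps certificate and hostname verification on, trusting a PEM file you export from the gateway instead. The file name gateway.pem, the token placeholder and the echowebsocket path are assumptions; the handshake itself follows RFC 6455, and the Sec-WebSocket-Accept check uses the RFC's own sample key in the test.

```python
import base64
import hashlib
import os
import socket
import ssl
from urllib.parse import urlsplit

# Fixed GUID from RFC 6455 used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept value a server must return for client_key (RFC 6455, 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(url: str, access_token: str, client_key: str) -> bytes:
    """HTTP/1.1 upgrade request carrying the gateway bearer token in the Authorization header."""
    u = urlsplit(url)
    target = (u.path or "/") + (f"?{u.query}" if u.query else "")
    port = u.port or 443
    host = u.hostname if port == 443 else f"{u.hostname}:{port}"
    lines = [
        f"GET {target} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {client_key}",
        "Sec-WebSocket-Version: 13",
        f"Authorization: Bearer {access_token}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def check_upgrade_response(raw: bytes, client_key: str) -> dict:
    """Parse the server reply; raise unless it is a 101 whose accept key matches our client_key."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "101":
        raise ConnectionError(f"upgrade refused: {status_line}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        raise ConnectionError("Sec-WebSocket-Accept does not match our key")
    return headers


def connect_wss(url: str, access_token: str, cafile: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a verified TLS WebSocket to the gateway; returns the socket after a successful upgrade."""
    u = urlsplit(url)
    if u.scheme != "wss":
        raise ValueError("use a wss:// URL")
    # Chain and hostname verification stay on; cafile is the gateway certificate (assumed PEM).
    ctx = ssl.create_default_context(cafile=cafile)
    client_key = base64.b64encode(os.urandom(16)).decode("ascii")
    plain = socket.create_connection((u.hostname, u.port or 443), timeout=timeout)
    sock = ctx.wrap_socket(plain, server_hostname=u.hostname)
    try:
        sock.sendall(build_upgrade_request(url, access_token, client_key))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed during handshake")
            buf += chunk
        check_upgrade_response(buf, client_key)
    except Exception:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    # Hypothetical values: the token and the exported gateway certificate are not on this page.
    ws = connect_wss("wss://localhost:8099/echowebsocket/1.0.0", "<accesstoken>", "gateway.pem")
    print("upgraded; TLS version", ws.version())
    ws.close()
```

If the gateway presents a self-signed certificate, pointing cafile at that certificate is enough; what you should avoid is turning verification off, because the bearer token then travels to whichever host answers on port 8099.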
I want to add roles to users programmatically in WSO2 Identity Server.
I am able to create users with the SCIM APIs, but I can't find an API to add a user to a role.
I tried giving the user name as "userName":"role/myusername" in the wso2/scim/Users POST API, but it is not working; I'm not sure if it is the correct approach.
Can someone tell me how to add a role to an existing user and also how to add a role to a new user?
Thanks
The answer here shows how to do that with the SCIM PUT command.
Also, from IS 5.1.0 onwards you can use the PATCH operation, as mentioned in the docs:
Add user AMRSNGHE/groupUSR001 to group AMRSNGHE/ngioletGR
curl -k --user admin:admin -X PATCH -d '{"displayName": "AMRSNGHE/ngioletGR", "members": [{"value": "", "display": "AMRSNGHE/groupUSR001"}]}' --header "Content-Type: application/json" https://localhost:9443/wso2/scim/Groups/<id returned in the response when creating the group AMRSNGHE/ngioletGR>
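The PATCH above needs two things the shell command leaves to you: the group's SCIM id (only known from the create response) and the member's id in the "value" field. As an added example that is not part of the original answer or of WSO2's code, the following Python script resolves both ids with the SCIM 1.1 filter syntax from the WSO2 IS docs (userNameEq<value>, displayNameEq<value>, with the slash in the names percent-encoded), builds the JSON in code so shell quoting cannot break it, and sends it over a verified TLS connection rather than with curl -k. The certificate file name wso2carbon.pem and the injectable send() transport are assumptions made so the script runs offline in a test.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from functools import partial
from urllib.parse import quote


def basic_auth(user: str, password: str) -> str:
    """Authorization header value for the IS admin credentials (the --user part of the curl)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def https_send(method, url, headers, body, cafile=None):
    """Default transport: urllib over TLS, verifying the IS certificate against cafile instead of curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def scim_call(base_url, path, method, auth_header, body=None, send=https_send):
    """One SCIM call; the JSON body is serialised here, so shell quoting mistakes cannot happen."""
    headers = {"Authorization": auth_header, "Accept": "application/json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    status, raw = send(method, base_url + path, headers, data)
    if status >= 400:
        raise RuntimeError(f"{method} {path} failed: HTTP {status} {raw[:200]!r}")
    return json.loads(raw) if raw else {}


def lookup_id(base_url, auth_header, resource, attr, value, send=https_send):
    """Resolve a SCIM id by exact-match filter (WSO2 SCIM 1.1 style: userNameEq<value>)."""
    path = f"/wso2/scim/{resource}?filter={attr}Eq{quote(value, safe='')}"
    hits = scim_call(base_url, path, "GET", auth_header, send=send).get("Resources", [])
    if len(hits) != 1:
        raise LookupError(f"expected exactly one {resource} with {attr}={value}, got {len(hits)}")
    return hits[0]["id"]


def add_user_to_group(base_url, auth_header, group_name, user_name, send=https_send):
    """PATCH the group so user_name becomes a member; returns the server's group representation."""
    user_id = lookup_id(base_url, auth_header, "Users", "userName", user_name, send=send)
    group_id = lookup_id(base_url, auth_header, "Groups", "displayName", group_name, send=send)
    body = {"displayName": group_name,
            "members": [{"value": user_id, "display": user_name}]}
    return scim_call(base_url, f"/wso2/scim/Groups/{group_id}", "PATCH", auth_header, body, send=send)


if __name__ == "__main__":
    # wso2carbon.pem is assumed to be the IS certificate exported from its keystore.
    transport = partial(https_send, cafile="wso2carbon.pem")
    print(add_user_to_group("https://localhost:9443", basic_auth("admin", "admin"),
                            "AMRSNGHE/ngioletGR", "AMRSNGHE/groupUSR001", send=transport))
```

The lookup insists on exactly one match so a filter that happens to match several users never adds the wrong account to the group.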
I am using the WSO2 APIM (API Manager) version 1.9.1 release, working on the JWT assertion concept. I found some useful links, shown below:
http://sanjeewamalalgoda.blogspot.in/2015/05/use-openid-with-oauth-20-in-wso2-api.html
http://xacmlinfo.org/2015/03/09/openid-connect-support-with-resource-owner-password-grant-type/#comment-21792
I created my own SP (service provider) and created some custom claims there under Claim Configuration and Inbound Authentication Configuration, OAuth/OpenID Connect Configuration.
As per the link:
curl -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic M1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYTpXeElqSkFJd0dqRWVYOHdHZGFfcGM1Wl94RjRh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
It gives us:
{"scope":"openid","token_type":"Bearer","expires_in":3600,
"refresh_token":"65af3dbea3294b1524832d3869361e3e",
"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0MzA0NTY4MzM5OTgsImV4cCI6MTQzMDQ2MDQzNDAxNCwic3ViIjoiYWRtaW5AY2FyYm9uLnN1cGVyIiwiYXpwIjoiM1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYSIsImF0X2hhc2giOiJNV013WXpreVl6UmxPVGhsTkRNM01XTTVNVFEyTTJWbE0yWXlNamcwWXc9PSIsImF1ZCI6WyIzUnpEU2tEUjlmZDlzNGpjb3pHbF9WOHRBTklhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQzMDQ1NjgzNDAxNH0.Fc4DO8A22euo04vnBoE87RVBtDQ-73Z2hNZ8_WpeKslkumhEuUVcf6y03D5HZBlGDUi8zC1SUHewg4WEE8HvI6wA59wp8BErK6pY3Zb02pWbJsPh7VBHwky2g5PtvKSsGiy0rd2tuehY-_dAy7LBKNSUOhkmGdLXkSSThuIQxKOHDAJKHCY4I_36B9OH1scs34EG9MKG4vSNdfdcf4mSg0KUD98Jdw_NS-T4pRZK_sCeT-1BBodYEabEVREHxfcDr7BGYugMiiWThVUzd4WIHD83bVwxXP17POzuo6dS_l78pBWZtBBMPKXqhd9VMNZpc-sR07DS7KkHoV6Fp3l0oA",
"access_token":"1c0c92c4e98e4371c91463ee3f2284c"}
But when we call the following, we're only getting the default user schema details; it's not showing our custom claims in the output.
curl -k -v -H "Authorization: Bearer 1c0c92c4e98e4371c91463ee3f2284c" https://localhost:9443/oauth2/userinfo?schema=openid
{
"phone_number":"54326643565",
"email":"mkyong@yahoo.com",
"family_name":"Yong",
"country":"Japan"
}
Why is it not giving any other custom claims configured with the SP? Any help?
{
"iss":"wso2.org/products/am",
"exp":1391029971429,
"http://wso2.org/claims/subscriber":"admin",
"http://wso2.org/claims/applicationid":"1",
"http://wso2.org/claims/applicationname":"DefaultApplication",
"http://wso2.org/claims/applicationtier":"Unlimited",
"http://wso2.org/claims/apicontext":"/pizzashack/menu",
"http://wso2.org/claims/version":"1.0.0",
"http://wso2.org/claims/tier":"Bronze",
"http://wso2.org/claims/keytype":"PRODUCTION",
"http://wso2.org/claims/usertype":"APPLICATION",
"http://wso2.org/claims/enduser":"admin",
"http://wso2.org/claims/enduserTenantId":"-1234"
}
Basically, in API Manager, after subscribing to an application, the API Store registers an OAuth subscription automatically. Therefore it is unnecessary to configure a service provider for the OAuth subscription.
The custom claim configuration is not enabled in api-manager.xml by default. Therefore, you must add the configuration parameters to the API authentication handler.
To configure a custom dialect, copy the following into the <APIM_HOME>/repository/conf/api-manager.xml file under the <APIConsumerAuthentication> tag.
<SecurityContextHeader>X-JWT-Assertion</SecurityContextHeader>
<ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
<ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
<EnableTokenGeneration>true</EnableTokenGeneration>
<TokenGeneratorImpl>org.wso2.carbon.apimgt.impl.token.JWTGenerator</TokenGeneratorImpl>
After configuring the custom dialect, add a new claim mapping. While adding the custom claim mappings, select "Supported by Default" (Supported by Default=true). Once complete, go to Home > Configure > Users and Roles > User. Select the user and update the newly added field that appears in the user profile. You should see the user details in the JWT.
Reference - https://docs.wso2.com/display/AM190/Passing+Enduser+Attributes+to+the+Backend+Using+JWT
https://docs.wso2.com/display/IS500/Adding+New+Claim+Mapping
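With the configuration above the gateway signs the X-JWT-Assertion header with SHA256withRSA, and the backend must verify that signature (with the gateway's public key, taken from its certificate) before acting on claims such as enduser or tier; a backend that merely base64-decodes the payload will accept any header a caller forges. As an added example that is not part of the original answer or of WSO2's code, the following stand-alone Python backend-side check implements RS256 (PKCS#1 v1.5 over SHA-256) verification with only the standard library, refuses any other alg, checks iss against the value in the sample assertion above, and compares exp in milliseconds because that sample's exp is a 13-digit value. The key pair built from two Mersenne primes is a constructed, deliberately insecure demo key that exists only so the example can mint and verify a token offline; the issue_demo_jwt() function stands in for the gateway.

```python
import base64
import hashlib
import hmac
import json
import time

# DigestInfo prefix for SHA-256 (RFC 8017, 9.2 note 1); SHA256withRSA is PKCS#1 v1.5 signing.
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed, deliberately insecure demo key (two Mersenne primes) so the example runs offline.
# A real backend loads the gateway's public key from its certificate instead.
DEMO_P = 2**521 - 1
DEMO_Q = 2**607 - 1
DEMO_N = DEMO_P * DEMO_Q
DEMO_E = 65537
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo(SHA-256(message)); k is the modulus length in bytes."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for SHA256withRSA")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def rs256_verify(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    """Verify SHA256withRSA by re-deriving the padded block and comparing it whole (no parsing of EM)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))


def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    """Issuer side, used here only to mint demo tokens; the gateway does this with its keystore key."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def issue_demo_jwt(claims: dict, n: int = DEMO_N, d: int = DEMO_D) -> str:
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{b64url_encode(rs256_sign(signing_input, n, d))}"


def validate_wso2_jwt(token: str, n: int, e: int, expected_iss: str = "wso2.org/products/am",
                      now_ms=None) -> dict:
    """Return the claims only if alg is RS256, the signature verifies, iss matches and exp (ms) is ahead."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # refuse alg=none or HS256 substitution outright
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not rs256_verify(f"{h}.{p}".encode("ascii"), b64url_decode(s), n, e):
        raise ValueError("signature does not verify against the gateway key")
    claims = json.loads(b64url_decode(p))  # trust the payload only after the signature check
    if claims.get("iss") != expected_iss:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if int(claims.get("exp", 0)) <= now_ms:
        raise ValueError("assertion expired")
    return claims


def enduser_claims(claims: dict) -> dict:
    """Strip the http://wso2.org/claims/ dialect prefix, e.g. {'enduser': 'admin', 'tier': 'Bronze'}."""
    prefix = "http://wso2.org/claims/"
    return {k[len(prefix):]: v for k, v in claims.items() if k.startswith(prefix)}
```

In production replace DEMO_N and DEMO_E with the modulus and exponent of the gateway's signing certificate, and keep the alg check: a verifier that lets the token choose its own algorithm can be talked into accepting an unsigned or HMAC-signed header.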
I am trying to write a standalone program to access Azure resource group details using the Azure Resource Manager .NET library. As per the documentation, it requires Azure AD authentication and a token in every Resource Manager request. So I created a web app in AD, configured a secret key, and am using it to generate the token.
But the code below is failing even though I pass this token as a bearer in the request.
m_resourceClient = new ResourceManagementClient(connection.GetCredentials());
m_resourceClient.HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("bearer", connection.GetAccessToken());
ResourceGroupGetResult resourceGroupList = m_resourceClient.ResourceGroups.Get("PraveenTest");
Error message:
AuthorizationFailed: The client '5919f7f9-####-####-####-074456eba98c' with object id '5919f7f9-####-####-####-074456eba98c' does not have authorization to perform action
'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/1f94c869-####-####-####-055e8ae15be3/resourcegroups/TestGroup'.
Your bearer token is valid, but you also need to grant your application access to the resource group.
You can do this with the following PowerShell command:
New-AzureRmRoleAssignment `
-ObjectId '5919f7f9-####-####-####-074456eba98c' `
-ResourceGroupName TestGroup `
-RoleDefinitionName Reader
If you're using an Azure PowerShell version < 1.0, then the cmdlet is New-AzureRoleAssignment.
I'd recommend Dushyant Gill's blog post on authenticating ARM requests.
I have tried enabling HTTP authentication on a SOAPInput node in my message flow; however, it does not seem to take effect. I don't have to pass any credentials and I still get a reply. These are the steps I have taken:
1.) created a security profile with the following commands:
## Set up the security id
mqsisetdbparms DEV_ESB30_AP01 -n basicSecurityId -u user1 -p testPass1
## Set up the security profile
mqsicreateconfigurableservice DEV_ESB30_AP01 -c SecurityProfiles -o orsSecurityProfile -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,basicSecurityId"
2.) I set the security profile in the BAR to basicSecurityId.
Am I missing something?
Did I define the security profile correctly?
This security profile authenticates correctly when used in a SOAPRequest node, but is completely ignored in a SOAPInput node. Thanks for any help you can give.
You need to tell the broker how to authenticate by setting an authentication provider in the security profile (i.e. LDAP, WS-Trust).
The security profile you have posted just tells the broker to put the ID in the Properties folder, not actually to do anything with it.
Note that it is not currently possible to do both WS-Security and Basic Auth at the same time, so if you have a policy set configured, basic auth will not work.