I'm using WSO2 APIM (API Manager) version 1.9.1 and working on the JWT assertion concept. I found some useful links, shown below:
http://sanjeewamalalgoda.blogspot.in/2015/05/use-openid-with-oauth-20-in-wso2-api.html
http://xacmlinfo.org/2015/03/09/openid-connect-support-with-resource-owner-password-grant-type/#comment-21792
I created my own SP (service provider) and created some custom claims there under Claim Configuration and Inbound Authentication Configuration > OAuth/OpenID Connect Configuration.
As per the link:
curl -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic M1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYTpXeElqSkFJd0dqRWVYOHdHZGFfcGM1Wl94RjRh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
It gives us:
{"scope":"openid","token_type":"Bearer","expires_in":3600,
"refresh_token":"65af3dbea3294b1524832d3869361e3e",
"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0MzA0NTY4MzM5OTgsImV4cCI6MTQzMDQ2MDQzNDAxNCwic3ViIjoiYWRtaW5AY2FyYm9uLnN1cGVyIiwiYXpwIjoiM1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYSIsImF0X2hhc2giOiJNV013WXpreVl6UmxPVGhsTkRNM01XTTVNVFEyTTJWbE0yWXlNamcwWXc9PSIsImF1ZCI6WyIzUnpEU2tEUjlmZDlzNGpjb3pHbF9WOHRBTklhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQzMDQ1NjgzNDAxNH0.Fc4DO8A22euo04vnBoE87RVBtDQ-73Z2hNZ8_WpeKslkumhEuUVcf6y03D5HZBlGDUi8zC1SUHewg4WEE8HvI6wA59wp8BErK6pY3Zb02pWbJsPh7VBHwky2g5PtvKSsGiy0rd2tuehY-_dAy7LBKNSUOhkmGdLXkSSThuIQxKOHDAJKHCY4I_36B9OH1scs34EG9MKG4vSNdfdcf4mSg0KUD98Jdw_NS-T4pRZK_sCeT-1BBodYEabEVREHxfcDr7BGYugMiiWThVUzd4WIHD83bVwxXP17POzuo6dS_l78pBWZtBBMPKXqhd9VMNZpc-sR07DS7KkHoV6Fp3l0oA",
"access_token":"1c0c92c4e98e4371c91463ee3f2284c"}
But when we call the following, we only get the default user schema details; it is not showing our custom claims in the output.
curl -k -v -H "Authorization: Bearer 1c0c92c4e98e4371c91463ee3f2284c" https://localhost:9443/oauth2/userinfo?schema=openid
{
"phone_number":"54326643565",
"email":"mkyong@yahoo.com",
"family_name":"Yong",
"country":"Japan"
}
Why is it not giving any other custom claims configured with the SP? Any help?
{
"iss":"wso2.org/products/am",
"exp":1391029971429,
"http://wso2.org/claims/subscriber":"admin",
"http://wso2.org/claims/applicationid":"1",
"http://wso2.org/claims/applicationname":"DefaultApplication",
"http://wso2.org/claims/applicationtier":"Unlimited",
"http://wso2.org/claims/apicontext":"/pizzashack/menu",
"http://wso2.org/claims/version":"1.0.0",
"http://wso2.org/claims/tier":"Bronze",
"http://wso2.org/claims/keytype":"PRODUCTION",
"http://wso2.org/claims/usertype":"APPLICATION",
"http://wso2.org/claims/enduser":"admin",
"http://wso2.org/claims/enduserTenantId":"-1234"
}
Basically, in API Manager, after subscribing to an application, the API Store registers an OAuth subscription automatically. Therefore it is unnecessary to configure a service provider for the OAuth subscription.
The custom claim configuration is not enabled in api-manager.xml by default. Therefore, you must add the configuration parameters to the API authentication handler.
To configure the custom dialect, copy the following into the <APIM_HOME>/repository/conf/api-manager.xml file under the <APIConsumerAuthentication> tag:
<SecurityContextHeader>X-JWT-Assertion</SecurityContextHeader>
<ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
<ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
<EnableTokenGeneration>true</EnableTokenGeneration>
<TokenGeneratorImpl>org.wso2.carbon.apimgt.impl.token.JWTGenerator</TokenGeneratorImpl>
After configuring the custom dialect, add a new claim mapping. While adding the custom claim mappings, select “Supported by Default” (Supported by Default=true). Once complete, go to Home > Configure > Users and Roles > User. Select the user and update the newly added field that appears in the user profile. You should then see the user details in the JWT.
Reference - https://docs.wso2.com/display/AM190/Passing+Enduser+Attributes+to+the+Backend+Using+JWT
https://docs.wso2.com/display/IS500/Adding+New+Claim+Mapping
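Once the gateway emits the X-JWT-Assertion header, the backend has to validate it before trusting any claim in it. The following is an added example (not code from the page or from WSO2) of that backend-side check: it pins the accepted algorithm, verifies the signature through a caller-supplied function (against a real gateway that wraps the gateway's public certificate for SHA256withRSA, i.e. JWT alg RS256), checks iss and exp, and then returns only the claims under the configured ConsumerDialectURI with the prefix stripped. The offline demo signs a constructed assertion with HS256 and a constructed secret so the block runs without a gateway; note that APIM's generator writes exp in milliseconds, as the 13-digit value in the sample payload above shows, so the check compares against milliseconds.

```python
import base64
import hashlib
import hmac
import json

DIALECT = "http://wso2.org/claims"  # the ConsumerDialectURI configured in api-manager.xml

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_assertion(token, verify_signature, allowed_algs, expected_iss, now_ms, dialect=DIALECT):
    """Validate an X-JWT-Assertion value and return its dialect claims with the URI prefix stripped.
    verify_signature(alg, signing_input, signature) -> bool is supplied by the caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three segments")
    head_b64, body_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(head_b64)).get("alg")
    if alg not in allowed_algs:  # refuses 'none' and any algorithm the backend was not configured for
        raise ValueError("unexpected alg %r" % alg)
    signing_input = (head_b64 + "." + body_b64).encode()
    if not verify_signature(alg, signing_input, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    payload = json.loads(b64url_decode(body_b64))
    if payload.get("iss") != expected_iss:
        raise ValueError("unexpected issuer %r" % payload.get("iss"))
    if int(payload.get("exp", 0)) <= now_ms:  # exp is in milliseconds in APIM's generator output
        raise ValueError("assertion expired")
    prefix = dialect.rstrip("/") + "/"
    return {k[len(prefix):]: v for k, v in payload.items() if k.startswith(prefix)}

# Constructed offline demo: an HS256-signed assertion with the same claim shape as the sample payload.
DEMO_SECRET = b"constructed-demo-secret"  # constructed; a real backend holds the gateway's public key instead

def hs256_verifier(alg, signing_input, signature):
    expected = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return alg == "HS256" and hmac.compare_digest(expected, signature)

def make_demo_assertion(exp_ms, iss="wso2.org/products/am", alg="HS256"):
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = {"iss": iss, "exp": exp_ms, DIALECT + "/enduser": "admin",
              DIALECT + "/tier": "Bronze", DIALECT + "/apicontext": "/pizzashack/menu"}
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, (header + "." + body).encode(), hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(sig)
```

A call such as decode_jwt_assertion(make_demo_assertion(now_ms + 60000), hs256_verifier, {"HS256"}, "wso2.org/products/am", now_ms) returns the enduser, tier and apicontext claims; an expired, re-issued, tampered or alg-switched assertion raises ValueError.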
Why does WSO2 API Manager 3.2.0 analytics redirect automatically from
https://172.24.64.115:9643/analytics-dashboard/
to
https://localhost:9443/authenticationendpoint/oauth2_error.do?oauthErrorCode=invalid_callback&oauthErrorMsg=Registered+callback+does+not+match+with+the+provided+url.
Also the following exception:
Registered callback does not match with the provided url Error
dashboard config:
## Authentication configuration
auth.configs:
  type: apim
  ssoEnabled: true
  properties:
    adminScope: apim_analytics:admin_carbon.super
    allScopes: apim_analytics:admin openid apim:api_view apim:subscribe apim_analytics:monitoring_dashboard:own apim_analytics:monitoring_dashboard:edit apim_analytics:monitoring_dashboard:view apim_analytics:business_analytics:own apim_analytics:business_analytics:edit apim_analytics:business_analytics:view apim_analytics:api_analytics:own apim_analytics:api_analytics:edit apim_analytics:api_analytics:view apim_analytics:application_analytics:own apim_analytics:application_analytics:edit apim_analytics:application_analytics:view
    adminUsername: admin
    adminPassword: admin
    kmDcrUrl: https://172.24.64.114:9443/client-registration/v0.17/register
    kmTokenUrlForRedirection: https://172.24.64.114:9443/oauth2
    kmTokenUrl: https://172.24.64.114:9443/oauth2
    kmUsername: admin
    kmPassword: admin
    portalAppContext: analytics-dashboard
    businessRulesAppContext: business-rules
    cacheTimeout: 30
    baseUrl: https://172.24.64.115:9643
    grantType: authorization_code
    publisherUrl: https://172.24.64.114:9443
    devPortalUrl: https://172.24.64.114:9443
    externalLogoutUrl: https://172.24.64.114:9443/oidc/logout
The below-mentioned error can happen when the hostname configured under baseUrl in the Analytics Dashboard's deployment.yaml does not match the Callback URL configured in the API Manager node.
https://localhost:9443/authenticationendpoint/oauth2_error.do?oauthErrorCode=invalid_callback&oauthErrorMsg=Registered+callback+does+not+match+with+the+provided+url.
Perform the following checks and update the Callback URL accordingly to overcome the behavior:
Log in to the API Manager's Carbon Management console with admin credentials.
Go to Service Providers > List > sp_analytics_dashboard, expand the OAuth2/OpenID Configurations and click on Edit.
Verify whether the configured Callback URLs match the hostname and port defined in baseUrl in the deployment.yaml of the Analytics Dashboard. If not, update them.
After updating, save the configuration and try the scenario again.
I set up WSO2 APIM locally and added a simple HelloWorld API to my local Publisher (refer to this link). Then, I created a sub-tenant in the APIM Management Console. I enabled Subscription Availability for all tenants (refer to this link; I'm sure I enabled it because I can see the options in Publisher). I opened the Devportal. In the Tenant Developer Portals list, I selected carbon.super (in order to see my HelloWorld API, which was created by the supertenant admin) and then signed in with my subtenant ID and password. I created my application and generated a key and secret. Then, I subscribed to my HelloWorld API, which was created by the supertenant. Everything seems normal.
I can get JWT tokens for both the supertenant admin and the subtenant admin. Here are the curl commands:
curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic N25..."
curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=admin@arda.test&password=12345&scope=openid" -H "Authorization: Basic SjM..."
The problem is, when I try to invoke the API with a request that includes the supertenant admin's token, I get a 200 OK response, but when I try to use the subtenant admin's JWT token, I get this error response:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900900</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>
When I check the logs, I see this:
[2021-06-03 15:42:03,323] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:438) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:418) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:354) [org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:325) [org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
at org.apache.synapse.rest.API.process(API.java:373) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:144) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.identifyAPI(RESTRequestHandler.java:164) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:73) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:331) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:99) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v41.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v183.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:188) [synapse-nhttp-transport_2.1.7.wso2v183.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v41.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:834) [?:?]
The curl command I used is this:
curl -k -X GET https://localhost:8243/hello/1.0.0 -H "Authorization: Bearer eyJ..."
What is the problem? Is this a bug, or what am I missing?
If you are using the vanilla pack of APIM 3.2.0 (without WUM updates) this is expected. When we released the 3.2.0 version, with the new multiple KM architecture, the cross-tenant subscription feature was deprecated. It was added to 3.2.0 again after some time via a WUM update. If you have a WSO2 subscription, the latest WUM-updated pack has this feature and it is working.
This PR (https://github.com/wso2/carbon-apimgt/pull/9793) adds the feature to the 4.0.0 release.
I am using a SaltStack state script to create a jar from Bitbucket and upload the jar to Artifactory. When uploading to Artifactory I see an authorization error. I am not sure if this is the right approach to achieve the upload to Artifactory.
I tried using curl to achieve the upload. I need to provide -u myUser:myPassword along with the curl command for it to work. I cannot provide the credentials in my salt state scripts. I am looking for a better option to achieve the upload without using login credentials. How do I upload artifacts to Artifactory using SaltStack?
curl -X PUT -T /tmp/Batch.jar http://artifactory/artifactory/Batch.jar
Error:
stdout:
{
\"errors\" : [ {
\"status\" : 401,
\"message\" : \"Unauthorized\"
} ]
}
I've run into this sort of thing a couple of times. The easiest solution is to write a small Salt execution module to do this work. This way you can store the Artifactory credentials as pillar data and use the normal Python requests or Salt HTTP helpers to make the web requests.
Looks like SaltStack provides a module for Artifactory already: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.artifactory.html
It may not do exactly what you're looking for, but you could definitely extend it: https://github.com/saltstack/salt/blob/develop/salt/modules/artifactory.py
The SaltStack docs for writing execution modules can be found here:
https://docs.saltstack.com/en/latest/ref/modules/
According to Artifactory documentation, the REST API supports these forms of authentication:
Basic authentication using your username and password
[Simplest] Basic authentication using your username and API Key.
Using a dedicated header (X-JFrog-Art-Api) with your API Key.
Using an access token instead of a password for basic authentication.
[Recommended] Using an access token as a bearer token in an authorization header (Authorization: Bearer) with your access token.
You will have to choose one of the above.
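The two answers above suggest a custom execution module with credentials in pillar, and Artifactory's recommended bearer-token authentication. The following is an added example (my own code, not the bundled salt.modules.artifactory module and not from the question's author) of such a module: the token comes from an assumed pillar key artifactory:token, the request carries Authorization: Bearer, and the checksum headers let Artifactory verify the uploaded bytes. The HTTP call is injectable so the block also runs offline; the file name chosen for it under salt://_modules/ (here artifactory_deploy.py) becomes the module name on the minion.

```python
"""Salt execution module that deploys a file to Artifactory with a bearer token read from pillar.
Save as salt://_modules/artifactory_deploy.py and run `salt '*' saltutil.sync_modules`; no
credential then has to appear in a state file. Constructed example, not Salt's own module."""
import hashlib
import urllib.request

def pillar_token():
    # Salt injects __pillar__ into this module's globals at load time; the globals() lookup keeps
    # the file importable outside Salt. Assumed pillar layout: artifactory: {token: <access token>}
    token = globals().get("__pillar__", {}).get("artifactory", {}).get("token")
    if not token:
        raise ValueError("pillar key artifactory:token is not set")
    return token

def deploy_headers(artifact, token):
    """Bearer authentication (Artifactory's recommended form) plus the checksum headers
    Artifactory compares against the bytes it receives."""
    return {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/java-archive",
        "X-Checksum-Sha1": hashlib.sha1(artifact).hexdigest(),
        "X-Checksum-Sha256": hashlib.sha256(artifact).hexdigest(),
    }

def deploy_bytes(artifact, target_url, token, opener=urllib.request.urlopen):
    """PUT the bytes to target_url and return the HTTP status (201 means Artifactory stored it)."""
    req = urllib.request.Request(target_url, data=artifact, method="PUT",
                                 headers=deploy_headers(artifact, token))
    with opener(req) as resp:
        return resp.status

def deploy(local_path, target_url, token=None):
    """Salt-facing entry point, e.g.
    salt '*' artifactory_deploy.deploy /tmp/Batch.jar http://artifactory/artifactory/<repo-key>/Batch.jar
    (<repo-key> is a placeholder for the target repository)."""
    with open(local_path, "rb") as fh:
        artifact = fh.read()
    return deploy_bytes(artifact, target_url, token or pillar_token())
```

From a state file the same function can be invoked through module.run, so the state references only the path and target URL while the token stays in pillar.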
I want to add roles to users programmatically in WSO2 Identity Server.
I am able to create users via the SCIM APIs, but I can't find an API to add a user to a role.
I tried giving the user name as "userName":"role/myusername" in the wso2/scim/Users POST API, but it's not working; I'm not sure if it's the correct approach.
Can someone tell me how to add a role to an existing user and also how to add a role to a new user?
Thanks
The answer here shows how to do that with the SCIM PUT command.
Also, from IS 5.1.0 onwards you can use the PATCH operation as mentioned in the docs.
Add user AMRSNGHE/groupUSR001 to group AMRSNGHE/ngioletGR:
curl -k --user admin:admin -X PATCH -d '{"displayName":"AMRSNGHE/ngioletGR","members":[{"value":"","display":"AMRSNGHE/groupUSR001"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/<id returned in the response when creating the group AMRSNGHE/ngioletGR>
I have tried enabling HTTP authentication on a SOAPInput node in my message flow, however it does not seem to take effect. I don't have to pass any credentials and I still get a reply. These are the steps I have taken:
1.) Created a security profile with the following commands:
## Set up the security id
mqsisetdbparms DEV_ESB30_AP01 -n basicSecurityId -u user1 -p testPass1
## Set up the security profile
mqsicreateconfigurableservice DEV_ESB30_AP01 -c SecurityProfiles -o orsSecurityProfile -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,basicSecurityId"
2.) I set the security profile in the BAR to basicSecurityId
Am I missing something?
Did I define the security profile correctly?
This security profile authenticates correctly when used in a SOAPRequest node, but is completely ignored in a SOAPInput node. Thanks for any help you can give.
You need to tell broker how to authenticate by setting an authentication provider in the security profile (i.e. LDAP, WS-Trust).
The security profile you have posted just tells broker to put the ID in the Properties folder, not actually to do anything with it.
Note that it is not currently possible to do both WS-Security and basic auth at the same time, so if you have a policy set configured, basic auth will not work.