Hi Thomas,

OK, that means you have configured the secondary user store correctly and
it's ready for authentication. When you call the token endpoint of the API
Manager, that API calls the API of the IS to create the access token (if
you have properly configured IS as a Key Manager), then authentication
happens on IS and not in the APIM.

Can you do the following and share the result with us?

1. Check with a user that exists in the primary user store. (I hope you have
shared the primary user store between APIM and IS.)

2. I doubt you have configured the IS as a Key Manager correctly. Can you
add the following line to <IS_HOME>/conf/log4j.properties and
<APIM_HOME>/conf/log4j.properties just after the
"log4j.logger.org.wso2.carbon=INFO" line, restart the servers, execute the
above curl command, and send the wso2carbon.log (located in
<CARBON_HOME>/repository/logs) from both servers?

log4j.logger.org.wso2.carbon.user.core=DEBUG


Thanks
Godwin

On Thu, Jan 18, 2018 at 3:17 PM, Thomas LEGRAND <
[email protected]> wrote:

> Hello everybody,
>
> First, thank you for all of your answers :)
>
> Then, here is a screenshot of the users list in the **IS**, where we can
> see that I have a user (versusmind) stored in a secondary user store (with
> the domain RGPD):
>
> [image: Inline images 1]
>
> Then, I tried to execute the following curl commands but I have the same
> error as before. It is like the APIM cannot "access" the user in the
> secondary user store of the IS (which seems to be logical because only the
> primary user store is shared between the APIM and the IS):
>
> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>     -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>     -k -d "grant_type=password&username=RGPD/versusmind&password=versusmind" \
>     https://40.118.24.155:8243/token
>
> or
>
> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>     -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>     -k -d "grant_type=password&username=versusmind&password=versusmind" \
>     https://40.118.24.155:8243/token
>
> Regards,
>
> Thomas
>
>
> 2018-01-18 8:19 GMT+01:00 Godwin Shrimal <[email protected]>:
>
>> Yes, so Thomas's issue should be something different since he has used
>> the correct format of a request (without using the user store domain).
>>
>> @Thomas: Can you log in to the IS Management Console and check whether the
>> secondary user store's users are listed under Users & Roles -> List -> Users?
>>
>> Thanks
>> Godwin
>>
>> On Thu, Jan 18, 2018 at 2:05 PM, Sathya Bandara <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal <[email protected]>
>>> wrote:
>>>
>>>> Hi Sathya,
>>>>
>>>> Ideally, the user should get authenticated even if you send it without
>>>> the user store domain, right?
>>>>
>>>
>>> Yes, the user gets authenticated without the user store domain. If the
>>> user is in the super tenant domain (carbon.super), we can discard the
>>> tenant domain as well.
>>>
>>>>
>>>>
>>>> Thanks
>>>> Godwin
>>>>
>>>>
>>>> On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Thomas,
>>>>>
>>>>> Can you try with the following curl command.
>>>>>
>>>>> curl -v -X POST --basic -u <client_id>:<client_secret> \
>>>>>     -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>>>>     -k -d "grant_type=password&username=<userstore_domain>/[email protected]&password=admin" \
>>>>>     https://localhost:8243/token
>>>>>
>>>>> [1] https://docs.wso2.com/display/AM210/Password+Grant
>>>>>
>>>>> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I configured the Identity Server (IS) to be the Key Manager of the
>>>>>> API Manager (APIM). In the IS, I configured a secondary user store
>>>>>> where I will have my users of my applications. But, I think I missed
>>>>>> something because when I want to generate an OAuth token for a user
>>>>>> stored in this secondary user store, I have an error:
>>>>>>
>>>>>> My request:
>>>>>>
>>>>>> curl -k -d "grant_type=password&username=<USR_NAME>&password=<USR_PASSWD>" \
>>>>>>     -H "Authorization: Basic <BASE64_KEY_SECRET_COUPLE>" \
>>>>>>     https://apim:8243/token
>>>>>>
>>>>>> The response:
>>>>>>
>>>>>> {"error_description":"Authentication failed for <USR_NAME>@carbon.super","error":"invalid_grant"}.
>>>>>>
>>>>>> In the application in the store of the APIM, "Password" is ticked so
>>>>>> the grant_type is right.
>>>>>> And I tried with the following patterns for the <USR_NAME>:
>>>>>> - <USR_NAME>
>>>>>> - <DOMAIN>/<USR_NAME>
>>>>>> - <DOMAIN>\<USR_NAME>
>>>>>>
>>>>>> Can you help me? How can I ensure that the APIM uses all of the user
>>>>>> stores from the IS?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Thomas
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> [email protected]
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Sathya Bandara
>>>>> Software Engineer
>>>>> WSO2 Inc. http://wso2.com
>>>>> Mobile: (+94) 715 360 421
>>>>>
>>>>
>>>>
>>>> --
>>>> *Godwin Amila Shrimal*
>>>> Associate Technical Lead
>>>> WSO2 Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>> mobile: *+94772264165*
>>>> linkedin: https://www.linkedin.com/in/godwin-amila-2ba26844/
>>>> twitter: https://twitter.com/godwinamila
>>>> <http://wso2.com/signature>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>


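Added example, not part of the original thread and not WSO2 tooling: a shell function for step 2 of the reply at the top, which inserts the user.core DEBUG logger directly after the anchor line in a log4j.properties file, does nothing if it is already there, and keeps a .bak copy. The function name and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). The two strings below are the ones
# quoted in the reply; everything else is illustrative.
ANCHOR='log4j.logger.org.wso2.carbon=INFO'
DEBUG_LINE='log4j.logger.org.wso2.carbon.user.core=DEBUG'

# enable_user_core_debug FILE   (hypothetical helper name)
# Returns 0 if the logger was added or was already present,
#         1 if FILE does not exist or cannot be backed up,
#         2 if the anchor line is not found (FILE is left untouched).
enable_user_core_debug() {
    file=$1
    [ -f "$file" ] || return 1

    # Idempotent: a second run must not add a duplicate logger line.
    if grep -Fxq "$DEBUG_LINE" "$file"; then
        return 0
    fi

    # Whole-line, fixed-string match; a file with CRLF endings or trailing
    # spaces on the anchor line ends up here and is not modified.
    grep -Fxq "$ANCHOR" "$file" || return 2

    # Keep the original so DEBUG logging can be reverted after the log
    # files have been collected.
    cp -p "$file" "$file.bak" || return 1

    # Rewrite in place from the backup (keeps the file's owner and mode):
    # copy every line, and emit the logger once, right after the anchor.
    awk -v anchor="$ANCHOR" -v add="$DEBUG_LINE" '
        { print }
        $0 == anchor && !seen { print add; seen = 1 }
    ' "$file.bak" > "$file"
}

# Apply to every properties file given, stopping at the first failure,
# e.g. the IS and APIM log4j.properties files named in the reply.
enable_user_core_debug_all() {
    for f in "$@"; do
        enable_user_core_debug "$f" || return $?
    done
}
```

Once wso2carbon.log has been collected from both servers, copying each .bak file back and restarting returns logging to its previous level.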