Great to hear you could resolve the issue :)

Thanks
Godwin

On Jan 18, 2018 8:39 PM, "Thomas LEGRAND" <[email protected]> wrote:

> Hello Godwin,
>
> Thank you for the directions. But I found out that the hostname of the IS was bound to the wrong IP in my hosts file. It is awkward :s
>
> Regards,
>
> Thomas
>
> 2018-01-18 14:25 GMT+01:00 Godwin Shrimal <[email protected]>:
>
>> Hi Thomas,
>>
>> OK. When you send a request to the token API in the APIM, it should call the OAuth2 token API of the IS (if you have configured the IS as a Key Manager correctly). So according to the behaviour (with the given information), there is something wrong with your Key Manager related configuration in the APIM. I don't see any issues in the api-manager.xml configs you have shared.
>>
>> Can you archive and attach the conf directory of both IS and APIM? (<CARBON_HOME>/repository/conf)
>>
>> Thanks
>> Godwin
>>
>> On Thu, Jan 18, 2018 at 7:54 PM, Thomas LEGRAND <[email protected]> wrote:
>>
>>> Hello Godwin,
>>>
>>> For your first point:
>>>
>>> I created a user from the IS console in the primary user store. I can see it from the AM console. Then I tried with curl to generate an OAuth token for this user and that works:
>>>
>>> curl -v --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa -k -d "grant_type=password&username=toto&password=toto1" https://apim:8243/token
>>>
>>>> 100 216 0 168 100 48 168 48 0:00:01 --:--:-- 0:00:01 281{"access_token":"5e2f6f0b-1d98-3a6a-986a-ae29a6a80b75","refresh_token":"00302aab-5e00-3261-a787-bd97529ccc41","scope":"default","token_type":"Bearer","expires_in":3600}
>>>
>>> For your second point:
>>>
>>> I have these messages on the APIM side:
>>>
>>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,568] DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG - JDBCAuthorizationManager Allowed roles for the ResourceID: /_system/governance/repository/components/org.wso2.carbon.all-themes/default/images/is-header-bg.png Action: http://www.wso2.org/projects/registry/actions/get
>>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG - JDBCAuthorizationManager role: INTERNAL/everyone
>>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,596] DEBUG - JDBCAuthorizationManager role: admin
>>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,597] DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>>>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,129] DEBUG - JDBCUserStoreManager SELECT * FROM UM_USER WHERE LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?
>>>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,140] DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success :: false
>>>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,141] DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or password is provided.
>>>
>>> But none on the IS side. So it is like the AM does not ask the IS to make sure that the user is known by the IS.
>>>
>>> In the api-manager.xml configuration file on the APIM side, I have:
>>>
>>> <AuthManager>
>>>     <!--
>>>     Server URL of the Authentication service
>>>     -->
>>>     <!--ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>>>     <ServerURL>https://is:9443/services/</ServerURL>
>>>
>>>     <!--
>>>     Admin username for the Authentication manager.
>>>     -->
>>>     <Username>admin</Username>
>>>     <!--
>>>     Admin password for the Authentication manager.
>>>     -->
>>>     <Password>admin</Password>
>>>     <!--
>>>     Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
>>>     via a remote service. The check will be done on the local server when false.
>>>     -->
>>>     <CheckPermissionsRemotely>true</CheckPermissionsRemotely>
>>> </AuthManager>
>>>
>>> And
>>>
>>> <APIKeyValidator>
>>>     <!--
>>>     Server URL of the API key manager
>>>     -->
>>>     <!--ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>>>     <ServerURL>https://is:9443/services/</ServerURL>
>>>
>>>     <!--
>>>     Admin username for API key manager.
>>>     -->
>>>     <Username>${admin.username}</Username>
>>>
>>>     <!--
>>>     Admin password for API key manager.
>>>     -->
>>>     <Password>${admin.password}</Password>
>>>
>>>     <!-- Configurations related to enable thrift support for key-management related communication.
>>>     If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
>>>     In a distributed environment;
>>>     -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
>>>     -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
>>>     -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
>>>     -The Gateway uses this parameter to connect to the key validation thrift service. -->
>>>     <!--KeyValidatorClientType>ThriftClient</KeyValidatorClientType-->
>>>     <KeyValidatorClientType>WSClient</KeyValidatorClientType>
>>>     <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
>>>     <!--ThriftClientPort>10397</ThriftClientPort-->
>>>
>>>     <!--EnableThriftServer>true</EnableThriftServer-->
>>>     <EnableThriftServer>false</EnableThriftServer>
>>>     <ThriftServerHost>localhost</ThriftServerHost>
>>>     <!--ThriftServerPort>10397</ThriftServerPort-->
>>>
>>>     <!--ConnectionPool>
>>>         <MaxIdle>100</MaxIdle>
>>>         <InitIdleCapacity>50</InitIdleCapacity>
>>>     </ConnectionPool-->
>>>     <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a
>>>     custom KeyValidation Handler -->
>>>
>>>     <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
>>>
>>> </APIKeyValidator>
>>>
>>> 2018-01-18 11:30 GMT+01:00 Godwin Shrimal <[email protected]>:
>>>
>>>> Hi Thomas,
>>>>
>>>> OK. That means you have configured the secondary user store correctly and it is ready for authentication. When you call the token endpoint of the API Manager, that API calls the API of the IS to create the access token (if you have properly configured the IS as a Key Manager); then authentication happens on the IS and not in the APIM.
>>>>
>>>> Can you do the following and share the result with us?
>>>>
>>>> 1. Check with a user which exists in the primary user store. (Hope you have shared the primary user store between APIM and IS.)
>>>>
>>>> 2. I doubt you have configured the IS as Key Manager correctly. Can you add the following line to <IS_HOME>/conf/log4j.properties and <APIM_HOME>/conf/log4j.properties just after "log4j.logger.org.wso2.carbon=INFO", restart the servers, execute the above curl command and send the wso2carbon.log (located in <CARBON_HOME>/repository/logs) from both servers?
>>>>
>>>> log4j.logger.org.wso2.carbon.user.core=DEBUG
>>>>
>>>> Thanks
>>>> Godwin
>>>>
>>>> On Thu, Jan 18, 2018 at 3:17 PM, Thomas LEGRAND <[email protected]> wrote:
>>>>
>>>>> Hello everybody,
>>>>>
>>>>> First, thank you for all of your answers :)
>>>>>
>>>>> Then, here is a screenshot of the users list in the **IS**, where we can see that I have a user (versusmind) stored in a secondary user store (with the domain RGPD):
>>>>>
>>>>> [image: Embedded image 1]
>>>>>
>>>>> Then, I tried to execute the following curl commands but I have the same error as before. It is like the APIM cannot "access" the user in the secondary user store of the IS (which seems logical because only the primary user store is shared between the APIM and the IS):
>>>>>
>>>>> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>>>>   -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>>>>   -k -d "grant_type=password&username=RGPD/versusmind&password=versusmind" \
>>>>>   https://40.118.24.155:8243/token
>>>>>
>>>>> or
>>>>>
>>>>> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>>>>   -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>>>>   -k -d "grant_type=password&username=versusmind&password=versusmind" \
>>>>>   https://40.118.24.155:8243/token
>>>>>
>>>>> Regards,
>>>>>
>>>>> Thomas
>>>>>
>>>>> 2018-01-18 8:19 GMT+01:00 Godwin Shrimal <[email protected]>:
>>>>>
>>>>>> Yes. So Thomas's issue should be something different, since he has used the correct format of request (without using the user store domain).
>>>>>>
>>>>>> @Thomas: Can you log in to the IS Management console and check whether the secondary user store's users are listed under Users & Roles -> List -> Users?
>>>>>>
>>>>>> Thanks
>>>>>> Godwin
>>>>>>
>>>>>> On Thu, Jan 18, 2018 at 2:05 PM, Sathya Bandara <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Sathya,
>>>>>>>>
>>>>>>>> Ideally, the user should get authenticated even if you send without the user store domain, right?
>>>>>>>
>>>>>>> Yes, the user gets authenticated without the user store domain. If the user is in the super tenant domain (carbon.super), we can discard the tenant domain as well.
>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Godwin
>>>>>>>>
>>>>>>>> On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Thomas,
>>>>>>>>>
>>>>>>>>> Can you try with the following curl command?
>>>>>>>>>
>>>>>>>>> curl -v -X POST --basic -u <client_id>:<client_secret> -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=<userstore_domain>/[email protected]&password=admin" https://localhost:8243/token
>>>>>>>>>
>>>>>>>>> [1] https://docs.wso2.com/display/AM210/Password+Grant
>>>>>>>>>
>>>>>>>>> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I configured the Identity Server (IS) to be the Key Manager of the API Manager (APIM). In the IS, I configured a secondary user store where I will have the users of my applications. But I think I missed something, because when I want to generate an OAuth token for a user stored in this secondary user store, I get an error:
>>>>>>>>>>
>>>>>>>>>> My request:
>>>>>>>>>>
>>>>>>>>>> curl -k -d "grant_type=password&username=<USR_NAME>&password=<USR_PASSWD>" -H "Authorization: Basic <BASE64_KEY_SECRET_COUPLE>" https://apim:8243/token
>>>>>>>>>>
>>>>>>>>>> The response:
>>>>>>>>>>
>>>>>>>>>> {"error_description":"Authentication failed for <USR_NAME>@carbon.super","error":"invalid_grant"}
>>>>>>>>>>
>>>>>>>>>> In the application in the Store of the APIM, "Password" is ticked, so the grant_type is right.
>>>>>>>>>> And I tried with the following patterns for the <USR_NAME>:
>>>>>>>>>> - <USR_NAME>
>>>>>>>>>> - <DOMAIN>/<USR_NAME>
>>>>>>>>>> - <DOMAIN>\<USR_NAME>
>>>>>>>>>>
>>>>>>>>>> Can you help me? How can I ensure that the APIM uses all of the user stores from the IS?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> Thomas
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Sathya Bandara
>>>>>>>>> Software Engineer
>>>>>>>>> WSO2 Inc. http://wso2.com
>>>>>>>>> Mobile: (+94) 715 360 421
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Godwin Amila Shrimal*
>>>>>>>> Associate Technical Lead
>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>> lean.enterprise.middleware
>>>>>>>>
>>>>>>>> mobile: *+94772264165*
>>>>>>>> linkedin: https://www.linkedin.com/in/godwin-amila-2ba26844/
>>>>>>>> twitter: https://twitter.com/godwinamila

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
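Two checks for the two symptoms in this thread, as an added example (not code from the thread, from WSO2 or from any of the participants): the first parses the Key Manager ServerURLs out of api-manager.xml and verifies that their hostnames resolve, through the hosts file, to the IS address (the wrong-IP binding Thomas found); the second extracts JDBCUserStoreManager login attempts from the APIM log, which is the signature of authentication running locally instead of on the IS. The XML fragment, hosts file, IP addresses and log line below are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed api-manager.xml fragment with the two ServerURLs from the thread.
API_MANAGER_XML = """<APIManager>
  <AuthManager><ServerURL>https://is:9443/services/</ServerURL></AuthManager>
  <APIKeyValidator><ServerURL>https://is:9443/services/</ServerURL></APIKeyValidator>
</APIManager>"""

# Constructed hosts file reproducing the root cause: "is" bound to the APIM's own
# address (assumed 10.0.0.10), so Key Manager calls never leave the APIM box.
HOSTS_FILE = """127.0.0.1   localhost
10.0.0.10   apim
10.0.0.10   is
"""

# Constructed log line in the format Thomas posted from the APIM side.
APIM_LOG = ("[2018-01-18 12:33:23,140] DEBUG - JDBCUserStoreManager User versusmind "
            "login attempt. Login success :: false\n")

def key_manager_hosts(xml_text):
    """Hostname of each ServerURL the APIM uses to reach its Key Manager."""
    root, hosts = ET.fromstring(xml_text), {}
    for section in ("AuthManager", "APIKeyValidator"):
        url = root.findtext(f"./{section}/ServerURL")
        if url:
            hosts[section] = urlparse(url).hostname
    return hosts

def hosts_table(hosts_text):
    """Parse hosts(5) text into {name: ip}; the first matching line wins, as the resolver does."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name, fields[0])
    return table

def check_key_manager_binding(xml_text, hosts_text, expected_is_ip):
    """Findings for Key Manager hostnames that are missing or bound to a non-IS address."""
    table, findings = hosts_table(hosts_text), []
    for section, host in key_manager_hosts(xml_text).items():
        ip = table.get(host)
        if ip != expected_is_ip:
            findings.append(f"{section}: '{host}' -> {ip}, expected {expected_is_ip}")
    return findings

def local_auth_attempts(log_text):
    """(user, success) for password checks done by this node's own JDBCUserStoreManager;
    hits on the APIM while the IS log stays silent mean the grant never reached the IS."""
    pattern = r"JDBCUserStoreManager User (\S+) login attempt\. Login success :: (true|false)"
    return [(user, ok == "true") for user, ok in re.findall(pattern, log_text)]
```

Run the binding check with the real /etc/hosts and the IS's actual address before comparing logs; an empty finding list plus no local login attempts on the APIM means the password grant is being forwarded to the IS as intended.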
