Hello Godwin,

Thank you for the directions. But I found out that the hostname of the IS was bound to the wrong IP in my hosts file. It is awkward :s

Regards,
Thomas

2018-01-18 14:25 GMT+01:00 Godwin Shrimal <god...@wso2.com>:

> Hi Thomas,
>
> Ok, when you send a request to the token API in the APIM, it should call the OAuth2 token API of the IS (if you have configured IS as a Keymanager correctly). So according to the behaviour (with the given information), there is something wrong with your Keymanager related configurations in APIM. I don't see any issues in the api-manager.xml configs you have shared.
>
> Can you archive and attach the conf directory of both IS and APIM? (<CARBON_HOME>/repository/conf)
>
> Thanks
> Godwin
>
> On Thu, Jan 18, 2018 at 7:54 PM, Thomas LEGRAND <thomas.legr...@versusmind.eu> wrote:
>
>> Hello Godwin,
>>
>> For your first point:
>>
>> I created a user from the IS console in the primary user store. I can see it from the AM console. Then I tried with curl to generate an OAuth token for this user and that works:
>>
>> curl -v --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa -k -d "grant_type=password&username=toto&password=toto1" https://apim:8243/token
>>
>>> 100 216 0 168 100 48 168 48 0:00:01 --:--:-- 0:00:01 281{"access_token":"5e2f6f0b-1d98-3a6a-986a-ae29a6a80b75","refresh_token":"00302aab-5e00-3261-a787-bd97529ccc41","scope":"default","token_type":"Bearer","expires_in":3600}
>>
>> For your second point:
>>
>> I have those messages on the APIM side:
>>
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,568] DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG - JDBCAuthorizationManager Allowed roles for the ResourceID: /_system/governance/repository/components/org.wso2.carbon.all-themes/default/images/is-header-bg.png Action: http://www.wso2.org/projects/registry/actions/get
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG - JDBCAuthorizationManager role: INTERNAL/everyone
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,596] DEBUG - JDBCAuthorizationManager role: admin
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,597] DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,129] DEBUG - JDBCUserStoreManager SELECT * FROM UM_USER WHERE LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?
>>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,140] DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success :: false
>>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,141] DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or password is provided.
>>
>> But none on the IS side. So it is like the AM does not request the IS to be sure that the user is known by the IS.
>>
>> In the api-manager.xml configuration file on the APIM side, I have:
>>
>> <AuthManager>
>>     <!--
>>         Server URL of the Authentication service
>>     -->
>>     <!--ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>>     <ServerURL>https://is:9443/services/</ServerURL>
>>
>>     <!--
>>         Admin username for the Authentication manager.
>>     -->
>>     <Username>admin</Username>
>>     <!--
>>         Admin password for the Authentication manager.
>>     -->
>>     <Password>admin</Password>
>>     <!--
>>         Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
>>         via a remote service. The check will be done on the local server when false.
>>     -->
>>     <CheckPermissionsRemotely>true</CheckPermissionsRemotely>
>> </AuthManager>
>>
>> And
>>
>> <APIKeyValidator>
>>     <!--
>>         Server URL of the API key manager
>>     -->
>>     <!--ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>>     <ServerURL>https://is:9443/services/</ServerURL>
>>
>>     <!--
>>         Admin username for API key manager.
>>     -->
>>     <Username>${admin.username}</Username>
>>
>>     <!--
>>         Admin password for API key manager.
>>     -->
>>     <Password>${admin.password}</Password>
>>
>>     <!-- Configurations related to enable thrift support for key-management related communication.
>>         If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
>>         In a distributed environment;
>>         -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
>>         -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
>>         -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
>>         -The Gateway uses this parameter to connect to the key validation thrift service. -->
>>     <!--KeyValidatorClientType>ThriftClient</KeyValidatorClientType-->
>>     <KeyValidatorClientType>WSClient</KeyValidatorClientType>
>>     <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
>>     <!--ThriftClientPort>10397</ThriftClientPort-->
>>
>>     <!--EnableThriftServer>true</EnableThriftServer-->
>>     <EnableThriftServer>false</EnableThriftServer>
>>     <ThriftServerHost>localhost</ThriftServerHost>
>>     <!--ThriftServerPort>10397</ThriftServerPort-->
>>
>>     <!--ConnectionPool>
>>         <MaxIdle>100</MaxIdle>
>>         <InitIdleCapacity>50</InitIdleCapacity>
>>     </ConnectionPool-->
>>     <!-- Specifies the implementation to be used for KeyValidationHandler.
>>         Steps for validating a token can be controlled by plugging in a custom KeyValidation Handler -->
>>
>>     <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
>>
>> </APIKeyValidator>
>>
>> 2018-01-18 11:30 GMT+01:00 Godwin Shrimal <god...@wso2.com>:
>>
>>> Hi Thomas,
>>>
>>> Ok, that means you have configured the secondary user store correctly and it's ready for authentication. When you call the token endpoint of the API manager, that API calls the API of the IS to create the access token (if you have properly configured IS as a Keymanager), then authentication happens on IS and not in the APIM.
>>>
>>> Can you do the following and share the result with us?
>>>
>>> 1. Check with a user which exists in the primary user store. (Hope you have shared the primary user store between APIM and IS.)
>>>
>>> 2. I doubt you have configured the IS as a Keymanager correctly. Can you add the following line to <IS_HOME>/conf/log4j.properties and <APIM_HOME>/conf/log4j.properties just after "log4j.logger.org.wso2.carbon=INFO", restart the servers, execute the above curl command and send the wso2carbon.log (located in <CARBON_HOME>/repository/logs) of both servers?
>>>
>>> log4j.logger.org.wso2.carbon.user.core=DEBUG
>>>
>>> Thanks
>>> Godwin
>>>
>>> On Thu, Jan 18, 2018 at 3:17 PM, Thomas LEGRAND <thomas.legr...@versusmind.eu> wrote:
>>>
>>>> Hello everybody,
>>>>
>>>> First, thank you for all of your answers :)
>>>>
>>>> Then, here is a screenshot of the users list in the **IS**, where we can see that I have a user (versusmind) stored in a secondary user store (with the domain RGPD):
>>>>
>>>> [image: Inline images 1]
>>>>
>>>> Then, I tried to execute the following curl commands but I have the same error as before. It is like the APIM cannot "access" the user in the secondary user store of the IS (which seems logical because only the primary user store is shared between the APIM and the IS):
>>>>
>>>> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>>>   -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>>>   -k -d "grant_type=password&username=RGPD/versusmind&password=versusmind" \
>>>>   https://40.118.24.155:8243/token
>>>>
>>>> or
>>>>
>>>> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>>>   -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>>>   -k -d "grant_type=password&username=versusmind&password=versusmind" \
>>>>   https://40.118.24.155:8243/token
>>>>
>>>> Regards,
>>>>
>>>> Thomas
>>>>
>>>> 2018-01-18 8:19 GMT+01:00 Godwin Shrimal <god...@wso2.com>:
>>>>
>>>>> Yes, so Thomas's issue should be something different since he has used the correct format of a request (without using the user store domain).
>>>>>
>>>>> @Thomas: Can you log in to the IS Management console and check that the secondary user store's users are listed under Users & Roles -> List -> Users?
>>>>>
>>>>> Thanks
>>>>> Godwin
>>>>>
>>>>> On Thu, Jan 18, 2018 at 2:05 PM, Sathya Bandara <sat...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal <god...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Sathya,
>>>>>>>
>>>>>>> Ideally, the user should get authenticated even if you send without the user store domain, right?
>>>>>>
>>>>>> Yes, the user gets authenticated without the user store domain. If the user is in the super tenant domain (carbon.super), we can discard the tenant domain as well.
>>>>>>
>>>>>>> Thanks
>>>>>>> Godwin
>>>>>>>
>>>>>>> On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara <sat...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Thomas,
>>>>>>>>
>>>>>>>> Can you try with the following curl command?
>>>>>>>>
>>>>>>>> curl -v -X POST --basic -u <client_id>:<client_secret> -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=<userstore_domain>/sathya1@carbon.super&password=admin" https://localhost:8243/token
>>>>>>>>
>>>>>>>> [1] https://docs.wso2.com/display/AM210/Password+Grant
>>>>>>>>
>>>>>>>> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <thomas.legr...@versusmind.eu> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I configured the Identity Server (IS) to be the Key Manager of the API Manager (APIM). In the IS, I configured a secondary user store where I will have the users of my applications. But I think I missed something, because when I want to generate an OAuth token for a user stored in this secondary user store, I have an error:
>>>>>>>>>
>>>>>>>>> My request:
>>>>>>>>>
>>>>>>>>> curl -k -d "grant_type=password&username=<USR_NAME>&password=<USR_PASSWD>" -H "Authorization: Basic <BASE64_KEY_SECRET_COUPLE>" https://apim:8243/token
>>>>>>>>>
>>>>>>>>> The response:
>>>>>>>>>
>>>>>>>>> {"error_description":"Authentication failed for <USR_NAME>@carbon.super","error":"invalid_grant"}
>>>>>>>>>
>>>>>>>>> In the application in the store of the APIM, "Password" is ticked so the grant_type is right.
>>>>>>>>> And I tried with the following patterns for the <USR_NAME>:
>>>>>>>>> - <USR_NAME>
>>>>>>>>> - <DOMAIN>/<USR_NAME>
>>>>>>>>> - <DOMAIN>\<USR_NAME>
>>>>>>>>>
>>>>>>>>> Can you help me? How can I ensure that the APIM uses all of the user stores from the IS?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> Thomas
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> Dev@wso2.org
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sathya Bandara
>>>>>>>> Software Engineer
>>>>>>>> WSO2 Inc. http://wso2.com
>>>>>>>> Mobile: (+94) 715 360 421
>>>>>>>
>>>>>>> --
>>>>>>> *Godwin Amila Shrimal*
>>>>>>> Associate Technical Lead
>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>>
>>>>>>> mobile: *+94772264165*
>>>>>>> linkedin: https://www.linkedin.com/in/godwin-amila-2ba26844/
>>>>>>> twitter: https://twitter.com/godwinamila
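The thread ends with two diagnostic facts: the APIM log showed `JDBCUserStoreManager` handling the login locally while the IS log stayed silent, and the root cause turned out to be the IS hostname from the `<ServerURL>` elements resolving to the wrong address in the hosts file. The script below is an added example, not WSO2 project code and not posted by anyone in the thread. It checks both offline: it parses the `AuthManager` and `APIKeyValidator` `ServerURL` hostnames out of an api-manager.xml excerpt and compares their hosts-file resolution against the address the operator expects, and it scans APIM log lines for local login attempts. The XML excerpt, hosts file and expected IP (`10.0.0.20`) are constructed; the two log lines are copied from the thread.

```python
"""Diagnostics for an APIM that is meant to delegate authentication to a WSO2 IS key manager.

Added example, not WSO2 project code. Two checks based on the thread:
 1. do the AuthManager/APIKeyValidator ServerURL hostnames in api-manager.xml resolve
    (via an /etc/hosts-style mapping) to the address the IS really has?
 2. does the APIM log show the local user store handling the login itself?
All inputs below are constructed or copied from the thread; no network access is made.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed excerpt mirroring the two blocks posted in the thread (comments dropped).
SAMPLE_API_MANAGER_XML = """<APIManager>
  <AuthManager>
    <ServerURL>https://is:9443/services/</ServerURL>
    <CheckPermissionsRemotely>true</CheckPermissionsRemotely>
  </AuthManager>
  <APIKeyValidator>
    <ServerURL>https://is:9443/services/</ServerURL>
    <KeyValidatorClientType>WSClient</KeyValidatorClientType>
  </APIKeyValidator>
</APIManager>
"""

# Constructed hosts file reproducing the reported root cause: "is" points at the APIM box.
SAMPLE_HOSTS = """127.0.0.1   localhost
10.0.0.10   apim
10.0.0.10   is        # wrong: should be the IS machine
10.0.0.20   is-real
"""

# Constructed: the address the operator believes the IS actually listens on.
EXPECTED_IPS = {"is": "10.0.0.20"}

# Two APIM log lines as posted in the thread.
SAMPLE_APIM_LOG = """[2018-01-18 12:33:23,140] DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success :: false
[2018-01-18 12:33:23,141] DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or password is provided.
"""


def parse_hosts(text):
    """Map hostname -> IP from hosts-file text; comments and blank lines are ignored.
    The first entry for a name wins, as the resolver would return it first."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def server_urls(xml_text):
    """Return {section: ServerURL} for the two sections that address the key manager."""
    root = ET.fromstring(xml_text)
    urls = {}
    for section in ("AuthManager", "APIKeyValidator"):
        el = root.find(f"./{section}/ServerURL")
        if el is not None and el.text:
            urls[section] = el.text.strip()
    return urls


def check_key_manager_hosts(xml_text, hosts_text, expected):
    """Return [(section, host, resolved_ip, expected_ip)] for every ServerURL whose
    hostname is missing from the hosts mapping or resolves to an unexpected address."""
    hosts = parse_hosts(hosts_text)
    problems = []
    for section, url in server_urls(xml_text).items():
        host = (urlparse(url).hostname or "").lower()
        resolved = hosts.get(host)
        want = expected.get(host)
        if resolved is None or (want is not None and resolved != want):
            problems.append((section, host, resolved, want))
    return problems


LOCAL_LOGIN_RE = re.compile(
    r"JDBCUserStoreManager User (\S+) login attempt\. Login success :: (true|false)"
)


def local_login_attempts(log_text):
    """Return [(user, succeeded)] for logins the local JDBC user store handled itself.
    On an APIM that should delegate to the IS, any hit here (with a silent IS log)
    means the token request never reached the key manager."""
    return [(m.group(1), m.group(2) == "true") for m in LOCAL_LOGIN_RE.finditer(log_text)]


if __name__ == "__main__":
    for section, host, got, want in check_key_manager_hosts(
        SAMPLE_API_MANAGER_XML, SAMPLE_HOSTS, EXPECTED_IPS
    ):
        print(f"{section}: '{host}' resolves to {got}, expected {want}")
    for user, ok in local_login_attempts(SAMPLE_APIM_LOG):
        print(f"local authentication of '{user}' on the APIM (success={ok})")
```

Run against a real deployment, `SAMPLE_HOSTS` would be the contents of the APIM host's hosts file and `EXPECTED_IPS` the known address of the IS; an empty problem list together with no local login attempts in the APIM log is the state the thread was trying to reach.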