Hi Thomas,

OK. When you send a request to the token API in the APIM, it should call the OAuth2 token API of the IS (if you have configured the IS as a Key Manager correctly). So, according to the behaviour (with the given information), there is something wrong with your Key Manager related configurations in the APIM. I don't see any issues in the api-manager.xml configs you have shared.

Can you archive and attach the conf directory of both IS and APIM? (<CARBON_HOME>/repository/conf)

Thanks
Godwin

On Thu, Jan 18, 2018 at 7:54 PM, Thomas LEGRAND <[email protected]> wrote:

> Hello Godwin,
>
> For your first point:
>
> I created a user from the IS console in the primary user store. I can see it from the AM console. Then I tried with curl to generate an OAuth token for this user, and that works:
>
>     curl -v --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>       -k -d "grant_type=password&username=toto&password=toto1" \
>       https://apim:8243/token
>
>     100   216    0   168  100    48    168     48  0:00:01 --:--:--  0:00:01   281
>     {"access_token":"5e2f6f0b-1d98-3a6a-986a-ae29a6a80b75","refresh_token":"00302aab-5e00-3261-a787-bd97529ccc41","scope":"default","token_type":"Bearer","expires_in":3600}
>
> For your second point:
>
> I have those messages on the APIM side:
>
>     Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,568] DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>     Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG - JDBCAuthorizationManager Allowed roles for the ResourceID: /_system/governance/repository/components/org.wso2.carbon.all-themes/default/images/is-header-bg.png Action: http://www.wso2.org/projects/registry/actions/get
>     Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG - JDBCAuthorizationManager role: INTERNAL/everyone
>     Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,596] DEBUG - JDBCAuthorizationManager role: admin
>     Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,597] DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>     Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,129] DEBUG - JDBCUserStoreManager SELECT * FROM UM_USER WHERE LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?
>     Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,140] DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success :: false
>     Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,141] DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or password is provided.
>
> But none on the IS side. So it is like the AM does not ask the IS to make sure that the user is known by the IS.
>
> In the api-manager.xml configuration file on the APIM side, I have:
>
>     <AuthManager>
>         <!--
>             Server URL of the Authentication service
>         -->
>         <!--ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>         <ServerURL>https://is:9443/services/</ServerURL>
>
>         <!--
>             Admin username for the Authentication manager.
>         -->
>         <Username>admin</Username>
>         <!--
>             Admin password for the Authentication manager.
>         -->
>         <Password>admin</Password>
>         <!--
>             Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
>             via a remote service. The check will be done on the local server when false.
>         -->
>         <CheckPermissionsRemotely>true</CheckPermissionsRemotely>
>     </AuthManager>
>
> And
>
>     <APIKeyValidator>
>         <!--
>             Server URL of the API key manager
>         -->
>         <!--ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>         <ServerURL>https://is:9443/services/</ServerURL>
>
>         <!--
>             Admin username for API key manager.
>         -->
>         <Username>${admin.username}</Username>
>
>         <!--
>             Admin password for API key manager.
>         -->
>         <Password>${admin.password}</Password>
>
>         <!-- Configurations related to enable thrift support for key-management related communication.
>              If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
>              In a distributed environment;
>              -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
>              -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
>              -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
>              -The Gateway uses this parameter to connect to the key validation thrift service. -->
>         <!--KeyValidatorClientType>ThriftClient</KeyValidatorClientType-->
>         <KeyValidatorClientType>WSClient</KeyValidatorClientType>
>         <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
>         <!--ThriftClientPort>10397</ThriftClientPort-->
>
>         <!--EnableThriftServer>true</EnableThriftServer-->
>         <EnableThriftServer>false</EnableThriftServer>
>         <ThriftServerHost>localhost</ThriftServerHost>
>         <!--ThriftServerPort>10397</ThriftServerPort-->
>
>         <!--ConnectionPool>
>             <MaxIdle>100</MaxIdle>
>             <InitIdleCapacity>50</InitIdleCapacity>
>         </ConnectionPool-->
>         <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a
>              custom KeyValidation Handler -->
>
>         <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
>
>     </APIKeyValidator>
>
> 2018-01-18 11:30 GMT+01:00 Godwin Shrimal <[email protected]>:
>
>> Hi Thomas,
>>
>> OK. That means you have configured the secondary user store correctly and it's ready for authentication. When you call the token endpoint of the API Manager, that API calls the API of the IS to create the access token (if you have properly configured the IS as a Key Manager), so authentication happens on the IS and not in the APIM.
>>
>> Can you do the following and share the result with us:
>>
>> 1. Check with a user which exists in the primary user store. (I hope you have shared the primary user store between APIM and IS.)
>>
>> 2. I doubt you have configured the IS as a Key Manager correctly. Can you add the following line to <IS_HOME>/conf/log4j.properties and <APIM_HOME>/conf/log4j.properties just after "log4j.logger.org.wso2.carbon=INFO", restart the servers, execute the above curl command and send the wso2carbon.log (located in <CARBON_HOME>/repository/logs) from both servers?
>>
>>     log4j.logger.org.wso2.carbon.user.core=DEBUG
>>
>> Thanks
>> Godwin
>>
>> On Thu, Jan 18, 2018 at 3:17 PM, Thomas LEGRAND <[email protected]> wrote:
>>
>>> Hello everybody,
>>>
>>> First, thank you for all of your answers :)
>>>
>>> Then, here is a screenshot of the users list in the **IS**, where we can see that I have a user (versusmind) stored in a secondary user store (with the domain RGPD):
>>>
>>> [image: Inline image 1]
>>>
>>> Then, I tried to execute the following curl commands, but I have the same error as before. It is like the APIM cannot "access" the user in the secondary user store of the IS (which seems logical, because only the primary user store is shared between the APIM and the IS):
>>>
>>>     curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>>       -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>>       -k -d "grant_type=password&username=RGPD/versusmind&password=versusmind" \
>>>       https://40.118.24.155:8243/token
>>>
>>> or
>>>
>>>     curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>>       -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>>       -k -d "grant_type=password&username=versusmind&password=versusmind" \
>>>       https://40.118.24.155:8243/token
>>>
>>> Regards,
>>>
>>> Thomas
>>>
>>> 2018-01-18 8:19 GMT+01:00 Godwin Shrimal <[email protected]>:
>>>
>>>> Yes. So Thomas's issue should be something different, since he has used the correct format of request (without using the user store domain).
>>>>
>>>> @Thomas: Can you log in to the IS Management console and check whether the secondary user store's users are listed under Users & Roles -> List -> Users?
>>>>
>>>> Thanks
>>>> Godwin
>>>>
>>>> On Thu, Jan 18, 2018 at 2:05 PM, Sathya Bandara <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal <[email protected]> wrote:
>>>>>
>>>>>> Hi Sathya,
>>>>>>
>>>>>> Ideally, the user should get authenticated even if you send it without the user store domain, right?
>>>>>
>>>>> Yes, the user gets authenticated without the user store domain. If the user is in the super tenant domain (carbon.super), we can discard the tenant domain as well.
>>>>>
>>>>>> Thanks
>>>>>> Godwin
>>>>>>
>>>>>> On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Thomas,
>>>>>>>
>>>>>>> Can you try with the following curl command [1]:
>>>>>>>
>>>>>>>     curl -v -X POST --basic -u <client_id>:<client_secret> \
>>>>>>>       -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>>>>>>       -k -d "grant_type=password&username=<userstore_domain>/[email protected]&password=admin" \
>>>>>>>       https://localhost:8243/token
>>>>>>>
>>>>>>> [1] https://docs.wso2.com/display/AM210/Password+Grant
>>>>>>>
>>>>>>> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I configured the Identity Server (IS) to be the Key Manager of the API Manager (APIM). In the IS, I configured a secondary user store where I will have the users of my applications. But I think I missed something, because when I want to generate an OAuth token for a user stored in this secondary user store, I get an error:
>>>>>>>>
>>>>>>>> My request:
>>>>>>>>
>>>>>>>>     curl -k -d "grant_type=password&username=<USR_NAME>&password=<USR_PASSWD>" \
>>>>>>>>       -H "Authorization: Basic <BASE64_KEY_SECRET_COUPLE>" \
>>>>>>>>       https://apim:8243/token
>>>>>>>>
>>>>>>>> The response:
>>>>>>>>
>>>>>>>>     {"error_description":"Authentication failed for <USR_NAME>@carbon.super","error":"invalid_grant"}
>>>>>>>>
>>>>>>>> In the application in the store of the APIM, "Password" is ticked, so the grant_type is right.
>>>>>>>> And I tried the following patterns for <USR_NAME>:
>>>>>>>> - <USR_NAME>
>>>>>>>> - <DOMAIN>/<USR_NAME>
>>>>>>>> - <DOMAIN>\<USR_NAME>
>>>>>>>>
>>>>>>>> Can you help me? How can I ensure that the APIM uses all of the user stores from the IS?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Thomas
>>>>>>>
>>>>>>> --
>>>>>>> Sathya Bandara
>>>>>>> Software Engineer
>>>>>>> WSO2 Inc. http://wso2.com
>>>>>>> Mobile: (+94) 715 360 421

--
Godwin Amila Shrimal
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94772264165
linkedin: https://www.linkedin.com/in/godwin-amila-2ba26844/
twitter: https://twitter.com/godwinamila

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
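Added example, not code from this thread or from WSO2: a small Python script that (a) builds the password-grant request the curl commands above send, with the user-store domain prefix Thomas and Sathya discuss (RGPD/versusmind), and (b) runs the diagnosis Godwin asks for over wso2carbon.log lines captured with log4j.logger.org.wso2.carbon.user.core=DEBUG, reporting whether the credential check ran on the APIM node or on the IS. The APIM log lines are copied from Thomas's paste; the "healthy" IS lines are constructed and assume the IS emits the same user-core DEBUG messages (both run the Carbon user core). as_curl() deliberately omits the -k used in the thread: -k disables TLS certificate verification, so outside a lab pass --cacert for a self-signed gateway certificate instead.

```python
"""Password-grant request builder plus a log-based check of where the
user-store lookup for a /token call actually ran (APIM vs IS).

Added example, not from the mailing-list thread or WSO2. Log samples are
constructed in the format of the lines pasted in the thread.
"""
import base64
import re
import shlex
from urllib.parse import urlencode

FORM_CONTENT_TYPE = "application/x-www-form-urlencoded;charset=UTF-8"

# Carbon user-core DEBUG line that records a credential check (format taken
# from the APIM log lines in the thread).
LOGIN_ATTEMPT = re.compile(
    r"JDBCUserStoreManager User (?P<user>\S+) login attempt\. "
    r"Login success :: (?P<ok>true|false)"
)


def build_password_grant_request(client_id, client_secret, username, password,
                                 domain=None, scope=None):
    """Return (headers, body) for a resource-owner password grant.

    If a user-store domain is given the username is sent as DOMAIN/username.
    urlencode() encodes the '/' as %2F; curl -d sends it raw, which also
    works because '/' is not special in a form body.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": FORM_CONTENT_TYPE}
    form = {"grant_type": "password",
            "username": f"{domain}/{username}" if domain else username,
            "password": password}
    if scope:
        form["scope"] = scope
    return headers, urlencode(form)


def as_curl(url, headers, body):
    """Render the request as a curl command (no -k: TLS is verified)."""
    parts = ["curl", "-sS", "-X", "POST"]
    for name, value in headers.items():
        parts += ["-H", f"{name}: {value}"]
    parts += ["--data", body, url]
    return " ".join(shlex.quote(p) for p in parts)


def login_attempts(lines):
    """Return (username, succeeded) for every credential check in the log."""
    found = []
    for line in lines:
        m = LOGIN_ATTEMPT.search(line)
        if m:
            found.append((m.group("user"), m.group("ok") == "true"))
    return found


def locate_authentication(apim_lines, is_lines):
    """Which node checked the password for the /token call.

    'IS'   : the IS ran the check, so Key Manager delegation is in effect.
    'APIM' : only the APIM checked, against its own user stores; the request
             never reached the IS (what Thomas's logs show), so a user that
             exists only in an IS-side secondary store cannot be found.
    'none' : neither node logged a check (DEBUG not enabled, or the request
             was rejected before any credential lookup).
    """
    if login_attempts(is_lines):
        return "IS"
    if login_attempts(apim_lines):
        return "APIM"
    return "none"


# Copied from the APIM log in the thread.
APIM_LOG_FROM_THREAD = [
    "Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,129] DEBUG - JDBCUserStoreManager SELECT * FROM UM_USER WHERE LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?",
    "Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,140] DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success :: false",
    "Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,141] DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or password is provided.",
]
IS_LOG_FROM_THREAD = []  # Thomas saw nothing on the IS side

# Constructed healthy case (assumption: the IS logs the same messages).
IS_LOG_HEALTHY = [
    "[2018-01-18 12:40:01,005] DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success :: true",
]


if __name__ == "__main__":
    hdrs, body = build_password_grant_request(
        "Lz6FaylMv5fF5ax4TrTZzlvlEowa", "ih0znfMUS6lgqShXSYcDlhEUMqYa",
        "versusmind", "versusmind", domain="RGPD")
    print(as_curl("https://apim:8243/token", hdrs, body))
    print("thread logs  ->", locate_authentication(APIM_LOG_FROM_THREAD, IS_LOG_FROM_THREAD))
    print("healthy logs ->", locate_authentication([], IS_LOG_HEALTHY))
```

Run it against the two wso2carbon.log files captured after the log4j change; an "APIM" verdict with an IS log that stays silent during the request is the signature Godwin describes, and means the token endpoint is still authenticating against the APIM's own user stores rather than delegating to the IS.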
