Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-18 Thread Godwin Shrimal
Hi Thomas,

Ok, When you send a request to token API in the APIM, it should call the
oauth2 token API of the IS (if you have configured IS as a Keymanager
correctly), So according to the behaviour (with the given information),
there is something wrong with your Keymanager related configurations in
APIM. I don't see any issues in the api-manager.xml configs you have
shared.

Can you archive and attach conf directory of both IS and APIM?
(/repository/conf)

Thanks
Godwin

On Thu, Jan 18, 2018 at 7:54 PM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello Godwin,
>
> For your first point:
>
> I created a user from the IS console in the primary user store. I can see
> it from the AM console. Then I tried with cUrl to generate an OAuth token
> for this user and that works:
>
> curl -v --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>   -k -d "grant_type=password&username=toto&password=toto1" \
>   https://apim:8243/token
>
> 100   2160   168  10048168 48  0:00:01 --:--:--  0:00:01
>> 281{"access_token":"5e2f6f0b-1d98-3a6a-986a-ae29a6a80b75","
>> refresh_token":"00302aab-5e00-3261-a787-bd97529ccc41","
>> scope":"default","token_type":"Bearer","expires_in":3600}
>>
>
>
> For your second point:
>
> I have those messages on the APIM side:
>
> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,568] DEBUG
>> - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595]
>> DEBUG - JDBCAuthorizationManager Allowed roles for the ResourceID:
>> /_system/governance/repository/components/org.wso2.carbon.all-themes/
>> default/images/is-header-bg.png Action: http://www.wso2.org/projects/
>> registry/actions/get
>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595]
>> DEBUG - JDBCAuthorizationManager role: INTERNAL/everyone
>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,596]
>> DEBUG - JDBCAuthorizationManager role: admin
>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,597]
>> DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,129]
>> DEBUG - JDBCUserStoreManager SELECT * FROM UM_USER WHERE
>> LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?
>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,140]
>> DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success
>> :: false
>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,141]
>> DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or
>> password is provided.
>>
>
>
> But none on the IS side. So it is like the AM does not request the IS to
> be sure that the user is known by the IS.
>
> In the api-manager.xml configuration file on the APIM side, I have:
>
> 
> 
>
>https://is:9443/services/
>
> 
>   admin
> 
>   admin
> 
> true
> 
>
> And
>
>  
> 
>
>https://is:9443/services/
>
> 
>   ${admin.username}
>
> 
>   ${admin.password}
>
> 
> 
> WSClient
> 1 ThriftClientConnectionTimeOut>
> 
>
> 
> false
> localhost
> 
>
> 
> 
>
> org.wso2.carbon.apimgt.keymgt.
> handlers.DefaultKeyValidationHandler
>
> 
>
> 2018-01-18 11:30 GMT+01:00 Godwin Shrimal :
>
>> Hi Thomas,
>>
>> Ok, That means you have configured secondary user store correctly and its
>> ready for authentication. When you call the token endpoint of the API
>> manager, that API calls the API of the IS to create the access token (If
>> you have properly configured IS as a Keymanager), then authentication
>> happens on IS and not in the APIM.
>>
>> Can you do following and share the result with us
>>
>> 1. Check with a user which exists in the primary user store. (Hope you
>> have shared primary user store between APIM and IS)
>>
>> 2. I doubt you have configured the IS as a Keymanager configuration
>> correctly. Can you add the following line to /conf/log4j.properties
>> and /conf/log4j.properties just after the
>> "log4j.logger.org.wso2.carbon=INFO". restart the servers. Execute above
>> curl command and send the wso2carbon.log (located in
>> /repository/logs) on both servers?
>>
>> log4j.logger.org.wso2.carbon.user.core=DEBUG
>>
>>
>> Thanks
>> Godwin
>>
>> On Thu, Jan 18, 2018 at 3:17 PM, Thomas LEGRAND <
>> thomas.legr...@versusmind.eu> wrote:
>>
>>> Hello everybody,
>>>
>>> First, thank you for all of your answers :)
>>>
>>> Then, here is a screenshot of the users list in the **IS**, where we can
>>> see that I have a user (versusmind) stored in a secondary user store (with
>>> the domain RGPD) :
>>>
>>> [image: Inline image 1]
>>> Then, I tried to execute the following cUrl commands but I have the same
>>> error as before. It is like the APIM cannot 

Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-18 Thread Tharindu Edirisinghe
Hi Thomas,

Try a request similar to following and see if it works. You need to change
the values highlighted.

curl -k -X POST -H "Authorization: Basic **" --data \
  "grant_type=password&scope=openid&username=*WSO2.COM/tharindu*&password=*tharindu*" \
  https://apim:8243/token

Thanks,
TharinduE

On Wed, Jan 17, 2018 at 8:41 AM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello,
>
> I configured the Identity Server (IS) to be the Key Manager of the API
> Manager (APIM). In the IS, I configured a secondary user store where I will
> have my users of my applications. But, I think I missed something because
> when I want to generate an OAuth token for a user stored in this secondary
> user store, I have an error:
>
> My request:
>
> curl -k -d "grant_type=password=="
> -H "Authorization: Basic "
> https://apim:8243/token
>
> The response:
>
> {"error_description":"Authentication failed for @carbon.super","
> error":"invalid_grant"}.
>
> In the application in the store of the APIM, "Password" is ticked so the
> grant_type is right.
> And I tried with the following pattern for the :
> - 
> - /
> - \
>
> Can you help me? How can I ensure that the APIM uses all of the user
> stores from the IS.
>
> Regards,
>
> Thomas
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586


Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-18 Thread Thomas LEGRAND
Hello Godwin,

Thank you for the directions. But I found out that the hostname of the IS
was bound to the wrong IP in my hosts file. It is awkward :s

Regards,

Thomas

2018-01-18 14:25 GMT+01:00 Godwin Shrimal :

> Hi Thomas,
>
> Ok, When you send a request to token API in the APIM, it should call the
> oauth2 token API of the IS (if you have configured IS as a Keymanager
> correctly), So according to the behaviour (with the given information),
> there is something wrong with your Keymanager related configurations in
> APIM. I don't see any issues in the api-manager.xml configs you have
> shared.
>
> Can you archive and attach conf directory of both IS and APIM?
> (/repository/conf)
>
> Thanks
> Godwin
>
> On Thu, Jan 18, 2018 at 7:54 PM, Thomas LEGRAND <
> thomas.legr...@versusmind.eu> wrote:
>
>> Hello Godwin,
>>
>> For your first point:
>>
>> I created a user from the IS console in the primary user store. I can see
>> it from the AM console. Then I tried with cUrl to generate an OAuth token
>> for this user and that works:
>>
>> curl -v --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>   -k -d "grant_type=password&username=toto&password=toto1" \
>>   https://apim:8243/token
>>
>> 100   2160   168  10048168 48  0:00:01 --:--:--
>>> 0:00:01   281{"access_token":"5e2f6f0b-1d98-3a6a-986a-ae29a6a80b75","r
>>> efresh_token":"00302aab-5e00-3261-a787-bd97529ccc41","scope"
>>> :"default","token_type":"Bearer","expires_in":3600}
>>>
>>
>>
>> For your second point:
>>
>> I have those messages on the APIM side:
>>
>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,568]
>>> DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595]
>>> DEBUG - JDBCAuthorizationManager Allowed roles for the ResourceID:
>>> /_system/governance/repository/components/org.wso2.carbon.
>>> all-themes/default/images/is-header-bg.png Action:
>>> http://www.wso2.org/projects/registry/actions/get
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595]
>>> DEBUG - JDBCAuthorizationManager role: INTERNAL/everyone
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,596]
>>> DEBUG - JDBCAuthorizationManager role: admin
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,597]
>>> DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
>>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,129]
>>> DEBUG - JDBCUserStoreManager SELECT * FROM UM_USER WHERE
>>> LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?
>>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,140]
>>> DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success
>>> :: false
>>> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,141]
>>> DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or
>>> password is provided.
>>>
>>
>>
>> But none on the IS side. So it is like the AM does not request the IS to
>> be sure that the user is known by the IS.
>>
>> In the api-manager.xml configuration file on the APIM side, I have:
>>
>> 
>> 
>>
>>https://is:9443/services/
>>
>> 
>>   admin
>> 
>>   admin
>> 
>> true
>> 
>>
>> And
>>
>>  
>> 
>>
>>https://is:9443/services/
>>
>> 
>>   ${admin.username}
>>
>> 
>>   ${admin.password}
>>
>> 
>> 
>> WSClient
>> 1> TimeOut>
>> 
>>
>> 
>> false
>> localhost
>> 
>>
>> 
>> 
>>
>> org.wso2.carbon.apimgt.
>> keymgt.handlers.DefaultKeyValidationHandler> ndlerClassName>
>>
>> 
>>
>> 2018-01-18 11:30 GMT+01:00 Godwin Shrimal :
>>
>>> Hi Thomas,
>>>
>>> Ok, That means you have configured secondary user store correctly and
>>> its ready for authentication. When you call the token endpoint of the API
>>> manager, that API calls the API of the IS to create the access token (If
>>> you have properly configured IS as a Keymanager), then authentication
>>> happens on IS and not in the APIM.
>>>
>>> Can you do following and share the result with us
>>>
>>> 1. Check with a user which exists in the primary user store. (Hope you
>>> have shared primary user store between APIM and IS)
>>>
>>> 2. I doubt you have configured the IS as a Keymanager configuration
>>> correctly. Can you add the following line to /conf/log4j.properties
>>> and /conf/log4j.properties just after the
>>> "log4j.logger.org.wso2.carbon=INFO". restart the servers. Execute above
>>> curl command and send the wso2carbon.log (located in
>>> /repository/logs) on both servers?
>>>
>>> log4j.logger.org.wso2.carbon.user.core=DEBUG
>>>
>>>
>>> Thanks
>>> Godwin
>>>
>>> On Thu, Jan 18, 2018 at 3:17 PM, Thomas LEGRAND <
>>> thomas.legr...@versusmind.eu> wrote:
>>>
 Hello everybody,
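
A check for the cause Thomas reports above, as an added example that is not part of the original thread: it reads the address a hosts file gives the key manager host named in `ServerURL`, and uses the `user.core` DEBUG lines to confirm which node attempted the authentication. The hosts entries, the addresses and the function names are constructed; the thread says only that the IS hostname was bound to the wrong IP.

```python
"""Triage for a token request that never reaches the key manager:
1) which address the ServerURL host maps to in a hosts file, and
2) which node's log shows the user-store authentication attempt."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input. The log wording follows the DEBUG lines quoted in
# the thread; the hosts entries and addresses (RFC 5737 range) are made up.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  apim
192.0.2.10  is      # constructed stale entry: same address as the APIM node
"""
SAMPLE_APIM_LOG = """\
[2018-01-18 12:33:23,129] DEBUG - JDBCUserStoreManager SELECT * FROM UM_USER WHERE LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?
[2018-01-18 12:33:23,140] DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success :: false
[2018-01-18 12:33:23,141] DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or password is provided.
"""
SAMPLE_IS_LOG = ""  # nothing logged on the IS side, as reported in the thread

LOGIN_RE = re.compile(r"User (\S+) login attempt\. Login success :: (true|false)")


def hosts_lookup(hosts_text, hostname):
    """Return the first address a hosts file assigns to hostname, or None."""
    wanted = hostname.lower()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address
        if wanted in (name.lower() for name in fields[1:]):
            return fields[0]  # lookups normally stop at the first match
    return None


def login_attempts(log_text):
    """Extract (user, succeeded) pairs from user.core DEBUG output."""
    return [(m.group(1), m.group(2) == "true") for m in LOGIN_RE.finditer(log_text)]


def triage(server_url, expected_ip, hosts_text, apim_log, is_log):
    """Return a list of findings; an empty list means neither check fired."""
    host = urlparse(server_url).hostname
    mapped = hosts_lookup(hosts_text, host)
    findings = []
    if mapped is not None and ipaddress.ip_address(mapped) != ipaddress.ip_address(expected_ip):
        findings.append(f"hosts file maps {host} to {mapped}, expected {expected_ip}")
    if login_attempts(apim_log) and not login_attempts(is_log):
        findings.append("authentication attempts are logged on APIM only; "
                        "none reached the IS log")
    return findings


if __name__ == "__main__":
    # 192.0.2.20 is the constructed "real" IS address for this sample.
    for finding in triage("https://is:9443/services/", "192.0.2.20",
                          SAMPLE_HOSTS, SAMPLE_APIM_LOG, SAMPLE_IS_LOG):
        print(finding)
```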


Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-18 Thread Godwin Shrimal
Great to hear you could resolve the issue :)

Thanks
Godwin

On Jan 18, 2018 8:39 PM, "Thomas LEGRAND" 
wrote:

> Hello Godwin,
>
> Thank you for the directions. But I found out that the hostname of the IS
> was bound to the wrong IP in my hosts file. It is awkward :s
>
> Regards,
>
> Thomas
>
> 2018-01-18 14:25 GMT+01:00 Godwin Shrimal :
>
>> Hi Thomas,
>>
>> Ok, When you send a request to token API in the APIM, it should call the
>> oauth2 token API of the IS (if you have configured IS as a Keymanager
>> correctly), So according to the behaviour (with the given information),
>> there is something wrong with your Keymanager related configurations in
>> APIM. I don't see any issues in the api-manager.xml configs you have
>> shared.
>>
>> Can you archive and attach conf directory of both IS and APIM?
>> (/repository/conf)
>>
>> Thanks
>> Godwin
>>
>> On Thu, Jan 18, 2018 at 7:54 PM, Thomas LEGRAND <
>> thomas.legr...@versusmind.eu> wrote:
>>
>>> Hello Godwin,
>>>
>>> For your first point:
>>>
>>> I created a user from the IS console in the primary user store. I can
>>> see it from the AM console. Then I tried with cUrl to generate an OAuth
>>> token for this user and that works:
>>>
>>> curl -v --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>>   -k -d "grant_type=password&username=toto&password=toto1" \
>>>   https://apim:8243/token
>>>
>>> 100   2160   168  10048168 48  0:00:01 --:--:--
 0:00:01   281{"access_token":"5e2f6f0b-1d98-3a6a-986a-ae29a6a80b75","r
 efresh_token":"00302aab-5e00-3261-a787-bd97529ccc41","scope"
 :"default","token_type":"Bearer","expires_in":3600}

>>>
>>>
>>> For your second point:
>>>
>>> I have those messages on the APIM side:
>>>
>>> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,568]
 DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
 Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595]
 DEBUG - JDBCAuthorizationManager Allowed roles for the ResourceID:
 /_system/governance/repository/components/org.wso2.carbon.al
 l-themes/default/images/is-header-bg.png Action:
 http://www.wso2.org/projects/registry/actions/get
 Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595]
 DEBUG - JDBCAuthorizationManager role: INTERNAL/everyone
 Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,596]
 DEBUG - JDBCAuthorizationManager role: admin
 Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,597]
 DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
 Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,129]
 DEBUG - JDBCUserStoreManager SELECT * FROM UM_USER WHERE
 LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?
 Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,140]
 DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success
 :: false
 Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,141]
 DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or
 password is provided.

>>>
>>>
>>> But none on the IS side. So it is like the AM does not request the IS to
>>> be sure that the user is known by the IS.
>>>
>>> In the api-manager.xml configuration file on the APIM side, I have:
>>>
>>> 
>>> 
>>>
>>>https://is:9443/services/
>>>
>>> 
>>>   admin
>>> 
>>>   admin
>>> 
>>> true
>>> 
>>>
>>> And
>>>
>>>  
>>> 
>>>
>>>https://is:9443/services/
>>>
>>> 
>>>   ${admin.username}
>>>
>>> 
>>>   ${admin.password}
>>>
>>> 
>>> 
>>> WSClient
>>> 1>> TimeOut>
>>> 
>>>
>>> 
>>> false
>>> localhost
>>> 
>>>
>>> 
>>> 
>>>
>>> org.wso2.carbon.apimgt.keymgt
>>> .handlers.DefaultKeyValidationHandler
>>>
>>> 
>>>
>>> 2018-01-18 11:30 GMT+01:00 Godwin Shrimal :
>>>
 Hi Thomas,

 Ok, That means you have configured secondary user store correctly and
 its ready for authentication. When you call the token endpoint of the API
 manager, that API calls the API of the IS to create the access token (If
 you have properly configured IS as a Keymanager), then authentication
 happens on IS and not in the APIM.

 Can you do following and share the result with us

 1. Check with a user which exists in the primary user store. (Hope you
 have shared primary user store between APIM and IS)

 2. I doubt you have configured the IS as a Keymanager configuration
 correctly. Can you add the following line to 
 /conf/log4j.properties
 and /conf/log4j.properties just after the
 "log4j.logger.org.wso2.carbon=INFO". restart the servers. Execute
 above curl command and send 

Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-18 Thread Thomas LEGRAND
Hello Godwin,

For your first point:

I created a user from the IS console in the primary user store. I can see
it from the AM console. Then I tried with cUrl to generate an OAuth token
for this user and that works:

curl -v --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
  -k -d "grant_type=password&username=toto&password=toto1" \
  https://apim:8243/token

100   2160   168  10048168 48  0:00:01 --:--:--  0:00:01
> 281{"access_token":"5e2f6f0b-1d98-3a6a-986a-ae29a6a80b75","refresh_token":"00302aab-5e00-3261-a787-bd97529ccc41","scope":"default","token_type":"Bearer","expires_in":3600}
>


For your second point:

I have those messages on the APIM side:

Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,568] DEBUG
> - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG
> - JDBCAuthorizationManager Allowed roles for the ResourceID:
> /_system/governance/repository/components/org.wso2.carbon.all-themes/default/images/is-header-bg.png
> Action: http://www.wso2.org/projects/registry/actions/get
> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG
> - JDBCAuthorizationManager role: INTERNAL/everyone
> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,596] DEBUG
> - JDBCAuthorizationManager role: admin
> Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,597] DEBUG
> - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,129] DEBUG
> - JDBCUserStoreManager SELECT * FROM UM_USER WHERE
> LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?
> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,140] DEBUG
> - JDBCUserStoreManager User versusmind login attempt. Login success :: false
> Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,141] DEBUG
> - AbstractUserStoreManager Authentication failure. Wrong username or
> password is provided.
>


But none on the IS side. So it is like the AM does not request the IS to be
sure that the user is known by the IS.

In the api-manager.xml configuration file on the APIM side, I have:



   
   https://is:9443/services/


  admin

  admin

true


And

 

   
   https://is:9443/services/


  ${admin.username}


  ${admin.password}



WSClient
1



false
localhost






org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler



2018-01-18 11:30 GMT+01:00 Godwin Shrimal :

> Hi Thomas,
>
> Ok, That means you have configured secondary user store correctly and its
> ready for authentication. When you call the token endpoint of the API
> manager, that API calls the API of the IS to create the access token (If
> you have properly configured IS as a Keymanager), then authentication
> happens on IS and not in the APIM.
>
> Can you do following and share the result with us
>
> 1. Check with a user which exists in the primary user store. (Hope you
> have shared primary user store between APIM and IS)
>
> 2. I doubt you have configured the IS as a Keymanager configuration
> correctly. Can you add the following line to /conf/log4j.properties
> and /conf/log4j.properties just after the
> "log4j.logger.org.wso2.carbon=INFO". restart the servers. Execute above
> curl command and send the wso2carbon.log (located in
> /repository/logs) on both servers?
>
> log4j.logger.org.wso2.carbon.user.core=DEBUG
>
>
> Thanks
> Godwin
>
> On Thu, Jan 18, 2018 at 3:17 PM, Thomas LEGRAND <
> thomas.legr...@versusmind.eu> wrote:
>
>> Hello everybody,
>>
>> First, thank you for all of your answers :)
>>
>> Then, here is a screenshot of the users list in the **IS**, where we can
>> see that I have a user (versusmind) stored in a secondary user store (with
>> the domain RGPD) :
>>
>> [image: Inline image 1]
>> Then, I tried to execute the following cUrl commands but I have the same
>> error as before. It is like the APIM cannot "access" the user in the
>> secondary user store of the IS (which seems to be logical because only the
>> primary user store is shared between the APIM and the IS) :
>>
>> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>   -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>   -k -d "grant_type=password&username=RGPD/versusmind&password=versusmind" \
>>   https://40.118.24.155:8243/token
>>
>> or
>>
>> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>   -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>   -k -d "grant_type=password&username=versusmind&password=versusmind" \
>>   https://40.118.24.155:8243/token
>>
>> Regards,
>>
>> Thomas
>>
>>
>> 2018-01-18 8:19 GMT+01:00 Godwin 

Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-18 Thread Godwin Shrimal
Hi Thomas,

Ok, That means you have configured secondary user store correctly and its
ready for authentication. When you call the token endpoint of the API
manager, that API calls the API of the IS to create the access token (If
you have properly configured IS as a Keymanager), then authentication
happens on IS and not in the APIM.

Can you do following and share the result with us

1. Check with a user which exists in the primary user store. (Hope you have
shared primary user store between APIM and IS)

2. I doubt you have configured the IS as a Keymanager configuration
correctly. Can you add the following line to
/conf/log4j.properties and /conf/log4j.properties just
after the "log4j.logger.org.wso2.carbon=INFO". restart the servers. Execute
above curl command and send the wso2carbon.log (located in
/repository/logs) on both servers?

log4j.logger.org.wso2.carbon.user.core=DEBUG


Thanks
Godwin

On Thu, Jan 18, 2018 at 3:17 PM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello everybody,
>
> First, thank you for all of your answers :)
>
> Then, here is a screenshot of the users list in the **IS**, where we can
> see that I have a user (versusmind) stored in a secondary user store (with
> the domain RGPD) :
>
> [image: Inline image 1]
> Then, I tried to execute the following cUrl commands but I have the same
> error as before. It is like the APIM cannot "access" the user in the
> secondary user store of the IS (which seems to be logical because only the
> primary user store is shared between the APIM and the IS) :
>
> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>   -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>   -k -d "grant_type=password&username=RGPD/versusmind&password=versusmind" \
>   https://40.118.24.155:8243/token
>
> or
>
> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>   -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>   -k -d "grant_type=password&username=versusmind&password=versusmind" \
>   https://40.118.24.155:8243/token
>
> Regards,
>
> Thomas
>
>
> 2018-01-18 8:19 GMT+01:00 Godwin Shrimal :
>
>> Yes, So Thomas's issue should be something different since he has used
>> correct format of a request(Without using user store domain).
>>
>> @Thomas: Can you login to IS Management console and check secondary user
>> store's users are listing under Users & Roles->List-> Users?
>>
>> Thanks
>> Godwin
>>
>> On Thu, Jan 18, 2018 at 2:05 PM, Sathya Bandara  wrote:
>>
>>> Hi,
>>>
>>> On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal 
>>> wrote:
>>>
 Hi Sathya,

 Ideally, user should get authenticated even you send without user store
 domain. right?

>>>
>>> Yes. user gets authenticated without the user store domain. If the user
>>> is in super tenant domain(carbon.super), we can discard the tenant domain
>>> as well.
>>>


 Thanks
 Godwin


 On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara 
 wrote:

> Hi Thomas,
>
> Can you try with the following curl command.
>
> curl -v -X POST --basic -u : -H
> "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d
> "grant_type=password=/sathya1@carbon.super=admin"
>  https://localhost:8243/token
>
> [1] https://docs.wso2.com/display/AM210/Password+Grant
>
> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
> thomas.legr...@versusmind.eu> wrote:
>
>> Hello,
>>
>> I configured the Identity Server (IS) to be the Key Manager of the
>> API Manager (APIM). In the IS, I configured a secondary user store where 
>> I
>> will have my users of my applications. But, I think I missed something
>> because when I want to generate an OAuth token for a user stored in this
>> secondary user store, I have an error:
>>
>> My request:
>>
>> curl -k -d "grant_type=password=
>> =" -H "Authorization: Basic
>> "   https://apim:8243/token
>>
>> The response:
>>
>> {"error_description":"Authentication failed for
>> @carbon.super","error":"invalid_grant"}.
>>
>> In the application in the store of the APIM, "Password" is ticked so
>> the grant_type is right.
>> And I tried with the following pattern for the :
>> - 
>> - /
>> - \
>>
>> Can you help me? How can I ensure that the APIM uses all of the user
>> stores from the IS.
>>
>> Regards,
>>
>> Thomas
>>
>>
>>
>
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421
>
> 

Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-18 Thread Thomas LEGRAND
Hello everybody,

First, thank you for all of your answers :)

Then, here is a screenshot of the users list in the **IS**, where we can
see that I have a user (versusmind) stored in a secondary user store (with
the domain RGPD) :

[image: Inline image 1]
Then, I tried to execute the following cUrl commands but I have the same
error as before. It is like the APIM cannot "access" the user in the
secondary user store of the IS (which seems to be logical because only the
primary user store is shared between the APIM and the IS) :

curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
  -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
  -k -d "grant_type=password&username=RGPD/versusmind&password=versusmind" \
  https://40.118.24.155:8243/token

or

curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
  -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
  -k -d "grant_type=password&username=versusmind&password=versusmind" \
  https://40.118.24.155:8243/token

Regards,

Thomas


2018-01-18 8:19 GMT+01:00 Godwin Shrimal :

> Yes, So Thomas's issue should be something different since he has used
> correct format of a request(Without using user store domain).
>
> @Thomas: Can you login to IS Management console and check secondary user
> store's users are listing under Users & Roles->List-> Users?
>
> Thanks
> Godwin
>
> On Thu, Jan 18, 2018 at 2:05 PM, Sathya Bandara  wrote:
>
>> Hi,
>>
>> On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal  wrote:
>>
>>> Hi Sathya,
>>>
>>> Ideally, user should get authenticated even you send without user store
>>> domain. right?
>>>
>>
>> Yes. user gets authenticated without the user store domain. If the user
>> is in super tenant domain(carbon.super), we can discard the tenant domain
>> as well.
>>
>>>
>>>
>>> Thanks
>>> Godwin
>>>
>>>
>>> On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara  wrote:
>>>
 Hi Thomas,

 Can you try with the following curl command.

 curl -v -X POST --basic -u : -H
 "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d
 "grant_type=password=/sathya1@carbon.super=admin"
  https://localhost:8243/token

 [1] https://docs.wso2.com/display/AM210/Password+Grant

 On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
 thomas.legr...@versusmind.eu> wrote:

> Hello,
>
> I configured the Identity Server (IS) to be the Key Manager of the API
> Manager (APIM). In the IS, I configured a secondary user store where I 
> will
> have my users of my applications. But, I think I missed something because
> when I want to generate an OAuth token for a user stored in this secondary
> user store, I have an error:
>
> My request:
>
> curl -k -d "grant_type=password=
> =" -H "Authorization: Basic
> "   https://apim:8243/token
>
> The response:
>
> {"error_description":"Authentication failed for
> @carbon.super","error":"invalid_grant"}.
>
> In the application in the store of the APIM, "Password" is ticked so
> the grant_type is right.
> And I tried with the following pattern for the :
> - 
> - /
> - \
>
> Can you help me? How can I ensure that the APIM uses all of the user
> stores from the IS.
>
> Regards,
>
> Thomas
>
>
>


 --
 Sathya Bandara
 Software Engineer
 WSO2 Inc. http://wso2.com
 Mobile: (+94) 715 360 421



>>>
>>>
>>> --
>>> *Godwin Amila Shrimal*
>>> Associate Technical Lead
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> mobile: *+94772264165*
>>> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/
>>> *
>>> twitter: https://twitter.com/godwinamila
>>> 
>>>
>>
>>
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421
>>
>
>
>
> --
> *Godwin Amila Shrimal*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: *+94772264165*
> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/
> *
> twitter: https://twitter.com/godwinamila
> 
>


Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-18 Thread Mushthaq Rumy
Hi Thomas,

Do you have special characters in your password? If so could you please try
encoding the url characters in your password and execute the curl command
again?

Thanks & Regards,
Mushthaq

On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello,
>
> I configured the Identity Server (IS) to be the Key Manager of the API
> Manager (APIM). In the IS, I configured a secondary user store where I will
> have my users of my applications. But, I think I missed something because
> when I want to generate an OAuth token for a user stored in this secondary
> user store, I have an error:
>
> My request:
>
> curl -k -d "grant_type=password=="
> -H "Authorization: Basic "
> https://apim:8243/token
>
> The response:
>
> {"error_description":"Authentication failed for @carbon.super","
> error":"invalid_grant"}.
>
> In the application in the store of the APIM, "Password" is ticked so the
> grant_type is right.
> And I tried with the following pattern for the :
> - 
> - /
> - \
>
> Can you help me? How can I ensure that the APIM uses all of the user
> stores from the IS.
>
> Regards,
>
> Thomas
>
>
>


-- 
Mushthaq Rumy
*Software Engineer*
Mobile : +94 (0) 779 492140
Email : musht...@wso2.com
WSO2, Inc.; http://wso2.com/
lean . enterprise . middleware.
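
Mushthaq's suggestion above, as an added example that is not part of the original thread: it shows how a password with reserved characters is parsed when pasted unencoded into the `application/x-www-form-urlencoded` body, and how percent-encoding each value preserves it. The sample password and the function names are constructed; the username `RGPD/versusmind` is the one used in the thread.

```python
"""Why reserved characters in a password must be percent-encoded in a
password-grant token request (application/x-www-form-urlencoded body)."""
from urllib.parse import parse_qs, urlencode

EXPECTED_FIELDS = {"grant_type", "username", "password"}


def naive_body(username, password):
    # What a hand-written `curl -d "..."` string amounts to: the values are
    # pasted into the body verbatim, with no escaping.
    return f"grant_type=password&username={username}&password={password}"


def encoded_body(username, password):
    # urlencode() percent-encodes every value, so '&', '=', '+', '%' and '/'
    # travel as data instead of being read as form syntax.
    return urlencode(
        {"grant_type": "password", "username": username, "password": password}
    )


def as_seen_by_server(body):
    # Decode the body the way a form parser on the token endpoint would.
    parsed = parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def compare(username, password):
    """Report what each body yields once it has been parsed again."""
    naive = as_seen_by_server(naive_body(username, password))
    safe = as_seen_by_server(encoded_body(username, password))
    return {
        "naive_password": naive.get("password"),
        "naive_extra_fields": sorted(set(naive) - EXPECTED_FIELDS),
        "naive_matches": naive.get("username") == username
        and naive.get("password") == password,
        "encoded_password": safe.get("password"),
        "encoded_matches": safe.get("username") == username
        and safe.get("password") == password,
    }


if __name__ == "__main__":
    # Constructed password containing '+', '&', '=' and a '%41' sequence.
    report = compare("RGPD/versusmind", "S3cr+t&lvl=9%41")
    for key, value in report.items():
        print(f"{key}: {value!r}")
```

With curl, `--data-urlencode "password=..."` applies the same encoding to the value.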




Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-17 Thread Godwin Shrimal
Yes, So Thomas's issue should be something different since he has used
correct format of a request(Without using user store domain).

@Thomas: Can you login to IS Management console and check secondary user
store's users are listing under Users & Roles->List-> Users?

Thanks
Godwin

On Thu, Jan 18, 2018 at 2:05 PM, Sathya Bandara  wrote:

> Hi,
>
> On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal  wrote:
>
>> Hi Sathya,
>>
>> Ideally, the user should get authenticated even if you send without the
>> user store domain, right?
>>
>
> Yes. The user gets authenticated without the user store domain. If the user
> is in the super tenant domain (carbon.super), we can discard the tenant
> domain as well.
>
>>
>>
>> Thanks
>> Godwin
>>
>>
>> On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara  wrote:
>>
>>> Hi Thomas,
>>>
>>> Can you try with the following curl command.
>>>
>>> curl -v -X POST --basic -u : -H
>>> "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d
>>> "grant_type=password=/sathya1@carbon.super=admin"
>>>  https://localhost:8243/token
>>>
>>> [1] https://docs.wso2.com/display/AM210/Password+Grant
>>>
>>> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
>>> thomas.legr...@versusmind.eu> wrote:
>>>
>>>> Hello,
>>>>
>>>> I configured the Identity Server (IS) to be the Key Manager of the API
>>>> Manager (APIM). In the IS, I configured a secondary user store where I will
>>>> have my users of my applications. But, I think I missed something because
>>>> when I want to generate an OAuth token for a user stored in this secondary
>>>> user store, I have an error:
>>>>
>>>> My request:
>>>>
>>>> curl -k -d "grant_type=password=="
>>>> -H "Authorization: Basic "
>>>> https://apim:8243/token
>>>>
>>>> The response:
>>>>
>>>> {"error_description":"Authentication failed for
>>>> @carbon.super","error":"invalid_grant"}.
>>>>
>>>> In the application in the store of the APIM, "Password" is ticked so
>>>> the grant_type is right.
>>>> And I tried with the following pattern for the :
>>>> -
>>>> - /
>>>> - \
>>>>
>>>> Can you help me? How can I ensure that the APIM uses all of the user
>>>> stores from the IS.
>>>>
>>>> Regards,
>>>>
>>>> Thomas
>>>>
>>>
>>>
>>> --
>>> Sathya Bandara
>>> Software Engineer
>>> WSO2 Inc. http://wso2.com
>>> Mobile: (+94) 715 360 421
>>>
>>
>>
>> --
>> *Godwin Amila Shrimal*
>> Associate Technical Lead
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> mobile: *+94772264165*
>> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
>> twitter: https://twitter.com/godwinamila
>> 
>>
>
>
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421
>



-- 
*Godwin Amila Shrimal*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94772264165*
linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
twitter: https://twitter.com/godwinamila



Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-17 Thread Sathya Bandara
Hi,

On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal  wrote:

> Hi Sathya,
>
> Ideally, the user should get authenticated even if you send without the
> user store domain, right?
>

Yes. The user gets authenticated without the user store domain. If the user
is in the super tenant domain (carbon.super), we can discard the tenant
domain as well.

>
>
> Thanks
> Godwin
>
>
> On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara  wrote:
>
>> Hi Thomas,
>>
>> Can you try with the following curl command.
>>
>> curl -v -X POST --basic -u : -H
>> "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d
>> "grant_type=password=/sathya1@carbon.super=admin"
>>  https://localhost:8243/token
>>
>> [1] https://docs.wso2.com/display/AM210/Password+Grant
>>
>> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
>> thomas.legr...@versusmind.eu> wrote:
>>
>>> Hello,
>>>
>>> I configured the Identity Server (IS) to be the Key Manager of the API
>>> Manager (APIM). In the IS, I configured a secondary user store where I will
>>> have my users of my applications. But, I think I missed something because
>>> when I want to generate an OAuth token for a user stored in this secondary
>>> user store, I have an error:
>>>
>>> My request:
>>>
>>> curl -k -d "grant_type=password=="
>>> -H "Authorization: Basic "
>>> https://apim:8243/token
>>>
>>> The response:
>>>
>>> {"error_description":"Authentication failed for
>>> @carbon.super","error":"invalid_grant"}.
>>>
>>> In the application in the store of the APIM, "Password" is ticked so the
>>> grant_type is right.
>>> And I tried with the following pattern for the :
>>> - 
>>> - /
>>> - \
>>>
>>> Can you help me? How can I ensure that the APIM uses all of the user
>>> stores from the IS.
>>>
>>> Regards,
>>>
>>> Thomas
>>>
>>
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421
>>
>
>
> --
> *Godwin Amila Shrimal*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: *+94772264165*
> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
> twitter: https://twitter.com/godwinamila
> 
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-17 Thread Godwin Shrimal
Hi Sathya,

Ideally, the user should get authenticated even if you send without the
user store domain, right?


Thanks
Godwin


On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara  wrote:

> Hi Thomas,
>
> Can you try with the following curl command.
>
> curl -v -X POST --basic -u : -H
> "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d
> "grant_type=password=/sathya1@carbon.super=admin"
>  https://localhost:8243/token
>
> [1] https://docs.wso2.com/display/AM210/Password+Grant
>
> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
> thomas.legr...@versusmind.eu> wrote:
>
>> Hello,
>>
>> I configured the Identity Server (IS) to be the Key Manager of the API
>> Manager (APIM). In the IS, I configured a secondary user store where I will
>> have my users of my applications. But, I think I missed something because
>> when I want to generate an OAuth token for a user stored in this secondary
>> user store, I have an error:
>>
>> My request:
>>
>> curl -k -d "grant_type=password=="
>> -H "Authorization: Basic "
>> https://apim:8243/token
>>
>> The response:
>>
>> {"error_description":"Authentication failed for
>> @carbon.super","error":"invalid_grant"}.
>>
>> In the application in the store of the APIM, "Password" is ticked so the
>> grant_type is right.
>> And I tried with the following pattern for the :
>> - 
>> - /
>> - \
>>
>> Can you help me? How can I ensure that the APIM uses all of the user
>> stores from the IS.
>>
>> Regards,
>>
>> Thomas
>>
>
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421
>


-- 
*Godwin Amila Shrimal*
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: *+94772264165*
linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
twitter: https://twitter.com/godwinamila



Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-17 Thread Sathya Bandara
Hi Thomas,

Can you try with the following curl command.

curl -v -X POST --basic -u : -H
"Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d
"grant_type=password=/sathya1@carbon.super=admin"
 https://localhost:8243/token

[1] https://docs.wso2.com/display/AM210/Password+Grant

On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello,
>
> I configured the Identity Server (IS) to be the Key Manager of the API
> Manager (APIM). In the IS, I configured a secondary user store where I will
> have my users of my applications. But, I think I missed something because
> when I want to generate an OAuth token for a user stored in this secondary
> user store, I have an error:
>
> My request:
>
> curl -k -d "grant_type=password=="
> -H "Authorization: Basic "
> https://apim:8243/token
>
> The response:
>
> {"error_description":"Authentication failed for @carbon.super","error":"invalid_grant"}.
>
> In the application in the store of the APIM, "Password" is ticked so the
> grant_type is right.
> And I tried with the following pattern for the :
> - 
> - /
> - \
>
> Can you help me? How can I ensure that the APIM uses all of the user
> stores from the IS.
>
> Regards,
>
> Thomas
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421