wso2 api manager 1.10 with pre-packaged wso2 Identity server 5.0 - Token regeneration fails - api

I am configuring WSO2 API Manager 1.10 with Prepackaged Identity server 5.0.
Have followed all steps in https://docs.wso2.com/display/CLUSTER44x/Configuring+the+Identity+Server+5.1.0+as+a+Key+Manager+with+API+Manager+1.10.0.
I am able to do SSO with Identity Server and API Manager. I am able to generate API tokens with Identity Server.
When I try to regenerate it fails with error - Token revoke failed : HTTP error code : 400
Below are the logs from Identity Server:
[2016-06-16 06:26:19,875] ERROR {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - Error while creating the Carbon OAuth token request
OAuthProblemException{error='invalid_request', description='Missing grant_type parameter value', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
at org.apache.oltu.oauth2.common.exception.OAuthProblemException.error(OAuthProblemException.java:59)
at org.apache.oltu.oauth2.common.utils.OAuthUtils.handleOAuthProblemException(OAuthUtils.java:167)
at org.wso2.carbon.identity.oauth2.model.CarbonOAuthTokenRequest.initValidator(CarbonOAuthTokenRequest.java:91)
at org.apache.oltu.oauth2.as.request.OAuthRequest.validate(OAuthRequest.java:60)
at org.apache.oltu.oauth2.as.request.OAuthRequest.<init>(OAuthRequest.java:52)
at org.apache.oltu.oauth2.as.request.AbstractOAuthTokenRequest.<init>(AbstractOAuthTokenRequest.java:34)
at org.apache.oltu.oauth2.as.request.OAuthTokenRequest.<init>(OAuthTokenRequest.java:55)
at org.wso2.carbon.identity.oauth2.model.CarbonOAuthTokenRequest.<init>(CarbonOAuthTokenRequest.java:58)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:109)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Has anyone faced the same issue? Any help is appreciated.
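The log above shows the token endpoint rejecting the request before any grant is processed because `grant_type` is absent. As an added illustration (not code from the question or from WSO2), the following reproduces that RFC 6749 parameter check and builds a well-formed `refresh_token` request for comparison; the refresh token value and parameter tables are constructed sample data.

```python
# Added example: minimal RFC 6749 token-endpoint request check that yields the same
# "Missing grant_type parameter value" rejection seen in the Identity Server log.
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Parameters each grant needs besides grant_type (RFC 6749 sections 4.1.3, 4.3.2, 4.4.2, 6)
REQUIRED_BY_GRANT = {
    "authorization_code": ("code", "redirect_uri"),
    "password": ("username", "password"),
    "client_credentials": (),
    "refresh_token": ("refresh_token",),
}


def validate_token_request(body: str) -> Optional[dict]:
    """Return an RFC 6749 error object for a bad form body, or None if it is acceptable."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    grant = params.get("grant_type")
    if not grant:
        # The condition the Oltu validator reported in the log above
        return {"error": "invalid_request",
                "error_description": "Missing grant_type parameter value"}
    if grant not in REQUIRED_BY_GRANT:
        return {"error": "unsupported_grant_type",
                "error_description": f"Unsupported grant_type: {grant}"}
    missing = [p for p in REQUIRED_BY_GRANT[grant] if not params.get(p)]
    if missing:
        return {"error": "invalid_request",
                "error_description": "Missing parameters: " + ", ".join(missing)}
    return None


def build_refresh_request(refresh_token: str, scope: Optional[str] = None) -> str:
    """Form body for renewing a token with the refresh_token grant (RFC 6749 section 6)."""
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:
        fields["scope"] = scope
    return urlencode(fields)


if __name__ == "__main__":
    # Constructed sample: a regeneration call that omitted grant_type, then a correct one
    print(validate_token_request("refresh_token=EXAMPLE_REFRESH_TOKEN"))
    print(validate_token_request(build_refresh_request("EXAMPLE_REFRESH_TOKEN", "default")))
```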

Related

Azure API Management OAuth 2.0 Resource Owner Password Flow

I am using the API Manager service and I have configured my API to use OAuth authentication, but against an authentication server in my company, that is, I am not using Azure Active Directory, and I get the following error: An HTTP connection to authorization server could not be established or it has been unexpectedly closed. And I do not know what is missing from the configuration. I tried giving access to the IP of my API in the authentication server but the problem persists.
I was able to solve my problem. It was due first to my authentication server requiring a certificate, so I had to add the certificate "Certificate CA". Then within the configuration of OAuth I had to add the Client Id and secret ID as parameters of the body and leave the authentication method as "in the body".

MobileFirst 7.1 OAuth Token Request

I am trying to use MobileFirst Server as an OAuth Server. The knowledge center provides detailed steps on how any external application can validate the token sent by the mobile client via the MobileFirst token validator endpoint. But I am not able to find proper documentation for requesting a new authorization token from the mobile client from the MFP Server.
In development environment we have a testtoken endpoint.
http://localhost:10080/OAuthExternalServer/authorization/v1/testtoken
{ "Authorization": "Bearer eyJqcG ......... }
How do I get a similar token from the MFP production server on the mobile client?
MFP Version: Server version: 7.1.0.00.20170330-0917
Thanks
With the OAuth security model, MFP Server is your OAuth token provider. Upon completing the challenge, the server gives you an OAuth token. You need not do anything special in the ChallengeHandler for the OAuth token. Refer to the samples here: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.1/authentication-security/
If you are looking to use OAuth for authenticating an external resource, refer to the steps here: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.0/authentication-security/using-mobilefirst-server-authenticate-external-resources/
Here is an example token validator which uses introspectionData to validate: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/protecting-external-resources/jtv/
Basically, the Introspection Endpoint can be invoked to validate the token provided by MFP Server.
The general OAuth flow with 7.1 for a default flow can be referred to here: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.0/authentication-security/authentication-concepts/oauth-based-security-model/

Issue in enabling SSO2 for WSO2 server

I'm configuring SSO for EMM from:
https://docs.wso2.com/display/EMM201/General+Server+Configurations
And enabling SSO2 for WSO2 server from: https://docs.wso2.com/display/IS500/Enabling+SSO+for+WSO2+Servers#EnablingSSOforWSO2Servers-ConfiguringWSO2GovernanceRegistry
I've downloaded latest versions of:
WSO2 Application Server - 5.3.0
WSO2 Enterprise Service Bus - 4.9.0
WSO2 Governance Registry - 5.1.0
WSO2 Identity Server - 5.1.0
I followed the steps, but I think the documentation is not updated, and when I try to access the Application Server https://localhost:9444/carbon/ in the browser I'm redirected to the Identity Server for authentication, but once I give credentials it gives the following error:
Command Prompt
ERROR {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - ALERT: Invalid Assertion Consumer URL value 'https://172.20.1.171:9444/acs' in the AuthnRequest message from the issuer 'carbonServer'. Possibly an attempt for a spoofing attack.
Browser
SAML 2.0 based Single Sign-On
Error when processing the authentication request!
Please try login again.
There is a mismatch in the ACS URL you have provided. You can solve this by updating the ACS URL from https://localhost:9444/carbon/ to https://172.20.1.171:9444/acs in the Service Provider.
It looks like the ACS URL in your authentication request is 'https://172.20.1.171:9444/acs'. But you have configured something else for it in the SAML configuration (with issuer "carbonServer").
Make sure both values are the same.
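The "Possibly an attempt for a spoofing attack" alert is the Identity Server comparing the AssertionConsumerServiceURL carried in the AuthnRequest against the ACS URL registered for that issuer. As an added example (not code from the answer or from WSO2), the check below reproduces that comparison on a constructed AuthnRequest so an operator can see why `localhost` and an IP address fail to match; the registry dict and the request XML are sample data built from the values quoted in the question.

```python
# Added example: reproduce the IdP-side Assertion Consumer URL check on a SAML 2.0 AuthnRequest.
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed registry: issuer -> ACS URL registered for the service provider in the IdP.
# Mirrors the misconfiguration described above (the SP was registered with the /carbon/ URL).
REGISTERED_SPS = {"carbonServer": "https://localhost:9444/carbon/"}

# Constructed AuthnRequest in the shape a Carbon server sends (IDs and timestamps are sample data)
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
    ID="_example1" Version="2.0" IssueInstant="2016-06-16T06:26:19Z"
    AssertionConsumerServiceURL="https://172.20.1.171:9444/acs">
  <saml:Issuer>carbonServer</saml:Issuer>
</samlp:AuthnRequest>"""


def check_acs_url(authn_request_xml: str, registry: dict) -> dict:
    """Compare the request's ACS URL with the one registered for its issuer."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find(f"{{{NS_SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    requested = root.get("AssertionConsumerServiceURL", "")
    registered = registry.get(issuer)
    result = {"issuer": issuer, "requested": requested, "registered": registered}
    if registered is None:
        result.update(ok=False, reason=f"unknown issuer '{issuer}'")
    elif requested != registered:
        # Exact string comparison: scheme, host, port and path must all agree,
        # so a hostname/IP difference alone is enough to trip the alert.
        result.update(ok=False, reason=f"ACS URL '{requested}' does not match registered '{registered}'")
    else:
        result.update(ok=True, reason="ACS URL matches registration")
    return result


if __name__ == "__main__":
    print(check_acs_url(SAMPLE_AUTHN_REQUEST, REGISTERED_SPS))
    # After updating the SP registration as the answer describes:
    print(check_acs_url(SAMPLE_AUTHN_REQUEST, {"carbonServer": "https://172.20.1.171:9444/acs"}))
```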

Getting user information based on token provided by WSO2 Identity Server

How can I get user information based on the token provided by WSO2 Identity Server?
I would like to print a custom welcome message to the user, but I have nothing except the access token.
Thanks
I saw there is an implementation of OpenID Connect in WSO2 Identity Server that allows getting user info from an OAuth access token, but it's only in the 4.1.1 version (not yet released; I hope it will be released soon).
More info here: http://sureshatt.blogspot.fr/2013/03/openid-connect-basic-client-profile.html
You can also use the OAuth2TokenValidationService: when you call the validate function on a token, the user name associated with that token is sent in the answer (see OAuth2TokenValidationService.wsdl for more information on this service: https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.0.0/service-stubs/org.wso2.carbon.identity.oauth.stub/4.0.3/src/main/resources/OAuth2TokenValidationService.wsdl)
The OAuth2TokenValidationService is available in the 4.1.0 version of WSO2 Identity Server.

Unable to access AuthenticationAdmin service of WSO2 Identity server

I have a new WSO2 Identity Server. I need to access the Axis web service AuthenticationAdmin of WSO2 3.2.3 to authenticate a user. I tried to follow several tutorials but none helped.
Requesting https://localhost:9443/services/AuthenticationAdmin gives the following error in the browser:
message: Access to service metadata for service: AuthenticationAdmin
has been forbidden
description: Access to the specified resource (Access to service
metadata for service: AuthenticationAdmin has been forbidden) has been
forbidden.
And on the console I get the error for the service not being found, as:
ERROR {org.apache.axis2.engine.AxisEngine} - The endpoint reference
(EPR) for the Operation not found is /services/AuthenticationAdmin and
the WSA Action = null. If this EPR was previously reachable, please
contact the server administrator..
Please guide me.
Change the
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
element's value to 'true'. That will give you access to the admin service WSDLs.
Start the Carbon server, log in and access the URL
https://localhost:9443/services/AuthenticationAdmin?wsdl
You should see the WSDL of the admin service.
Use that WSDL to code-generate the client stub, or use the already created jar at [1].
Once you obtain the adminCookie through this service you can use that cookie for all subsequent admin operations.
[1] http://dist.wso2.org/maven2/org/wso2/carbon/org.wso2.carbon.authenticator.stub/3.2.0/
HTH