I am migrating old API manager to 4.1 (with one Gateway-worker and one Control-plane) and I want to reuse existing access token and set it in database.
In the old version, an API has an access token with infinite lifetime. This token is deployed in mobile apps, and it is not acceptable to regenerate a new token and redeploy the mobile app.
Actually, I have created the API in the new version (4.1). I'm using opaque token, and I can request this API with the opaque token. I just want to use my old access token instead.
I've tried to set this token in the database:
UPDATE "IDN_OAUTH2_ACCESS_TOKEN" SET ACCESS_TOKEN = '64a84d453e9259d2104210035d8436f4',
ACCESS_TOKEN_HASH = '{"hash":"4cf7cd7f4ddc89b9900554bcf8e3ca71c605c59b278b3996a330f1fd4a3ff372","algorithm":"SHA-256"}'
WHERE ROWID = 'xxx'
Then I've restarted the gateway for clearing token cache.
I have tested the options for disabling the token cache (just for testing):
[apim.cache.gateway_token]
enable = false
[apim.cache.km_token]
enable = false
[apim.cache.restapi_token]
enable = false
When I request a token, my old token is correctly returned by the key manager:
curl -k -X POST https://my-keymanager.dev/oauth2/token -d "grant_type=client_credentials" -H"Authorization: Basic XXXXX"
{"access_token":"64a84d453e9259d2104210035d8436f4","scope":"default","token_type":"Bearer","expires_in":xxx}
But when I try to call the API with this token,
curl -k -X GET "https://my-gateway.dev/test-api/32155" -H "accept: application/json" -H "Authorization: Bearer 64a84d453e9259d2104210035d8436f4"
I always get this error:
{"code":"900901","message":"Invalid Credentials","description":"Access failure for API:
/my-Api/v2.0.0, version: v2.0.0 status: (900901) - Invalid Credentials.
Make sure you have provided the correct security credentials"}
DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failed with error 900901 org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /eQuilibre/v2.0.0, version: v2.0.0 status: (900901) - Invalid Credentials
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:536)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:516)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:402)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:353)
at org.apache.synapse.api.API.process(API.java:403)
I think there is another step, because the gateway doesn't call the key manager when I call the API.
How can I tell the Gateway to accept the new token?
EDIT 1:
I'm using opaque tokens in API Manager 4.1:
How to create an application that generate Opaque token in WSO2 APIM Manager 4.x versions
EDIT 2:
I'm migrating from 2.6, but it should be the same problem with any other version that uses opaque tokens. The only thing I want to migrate is the value of the token.
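Added example, not from the original post: it builds the ACCESS_TOKEN_HASH value in the format quoted in the question and checks that a token/hash pair read back from IDN_OAUTH2_ACCESS_TOKEN is consistent, so a mismatched hash can be ruled out before looking at caches. It assumes the hash is the SHA-256 of the token string's UTF-8 bytes, which is what the column format suggests; the `?` placeholder syntax depends on your DB driver.

```python
import hashlib
import json

# Assumption: the column stores SHA-256 over the token's UTF-8 bytes,
# serialised as {"hash": <hex>, "algorithm": "SHA-256"} as in the question.
ALGORITHM = "SHA-256"


def build_access_token_hash(token: str) -> str:
    """Return the JSON stored in ACCESS_TOKEN_HASH for an opaque token."""
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    # Key order and compact separators match the value quoted in the question.
    return json.dumps({"hash": digest, "algorithm": ALGORITHM}, separators=(",", ":"))


def check_token_row(token: str, stored_hash_json: str) -> bool:
    """True when the stored hash JSON is valid and matches the token's digest."""
    try:
        stored = json.loads(stored_hash_json)
    except json.JSONDecodeError:
        return False
    if stored.get("algorithm") != ALGORITHM:
        return False
    expected = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return str(stored.get("hash", "")).lower() == expected


def update_statement(token: str, row_id: str):
    """Parameterised UPDATE for the column pair (bind values, never string-concat)."""
    sql = ("UPDATE IDN_OAUTH2_ACCESS_TOKEN "
           "SET ACCESS_TOKEN = ?, ACCESS_TOKEN_HASH = ? WHERE ROWID = ?")
    return sql, (token, build_access_token_hash(token), row_id)


if __name__ == "__main__":
    # Constructed sample token, not the one from the question.
    sample = "abc"
    stored = build_access_token_hash(sample)
    print(stored)
    print("row consistent:", check_token_row(sample, stored))
```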
Actually, I have created the API in the new version (4.1). I'm using opaque token, and I can request this API with the opaque token. I just want to use my old access token instead.
First of all, we no longer support Opaque tokens out-of-the-box in our latest product versions.
I am migrating old API manager to 4.1 (with one Gateway-worker and one Control-plane) and I want to reuse existing access token and set it in database.
From which version of API Manager are you trying to migrate? The source version is not mentioned. If the source deployment also has JWT tokens, you can migrate existing tokens into the new deployment by migrating your database using our migration scripts.
Based on the error message, I believe you are trying to invoke the new API with the old opaque access token, whereas the new API Manager 4.1 uses the JWT token by default.
Contact WSO2 Support via [1] for any further support.
[1] https://apim.docs.wso2.com/en/latest/install-and-setup/upgrading-wso2-api-manager/upgrading-api-manager/
Yes, if you follow our standard migration scripts, you can migrate existing opaque tokens (that's what is used by APIM v2.6) as it is and your existing applications will continue to function as usual. Only the new applications will use JWT tokens.
Related
I created a "test-App" application in WSO2 API Manager with the grant types "refresh-token", "SAML2", "PASSWORD", "Client Credentials" and "JWT".
I also created a "test"
To use the web services behind API Manager, first I should call https://localhost:9443/oauth2/token to get an access token.
Unfortunately, if I call the link again, instead of receiving the same access token, the system generates a new access token and the previous access token is expired. (I think this link is more like a refresh token than getting the access token.)
So, how can I separate the "get available access token" and "refresh token" links in WSO2 API Manager?
In the latest versions of API Manager you have JWT tokens. When you request a new token it always generates a new token. But it doesn’t revoke the previous access token.
In the earlier versions of APIM, opaque tokens were supported and they have a different behavior. When you request a token, if it is not expired you get the same token.
Please read more about refresh grant here https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/refresh-token-grant/
If you have not done any other configuration changes, invoking https://localhost:9443/oauth2/token URL will always generate a new JWT token without expiring the earlier one. However, the token validity can be changed in the Dev Portal while generating the access token.
We are moving WSO2 API Manager from 3.1 to 4.1.
In 3.1 we were getting all user profile claims in the X-JWT-Assertion header.
But in 4.1 we are not getting all claims; we are seeing only the default claims.
Can you help us with how to get all claims?
You can follow these steps.
Create an application in the devportal.
When you generate the consumer key and secret in the devportal for this application, it creates the service provider underneath. This service provider will be available when you log into the carbon console.
Click on the service provider and configure the claims under claim configuration. You can provide the required claims here as shown in the screenshot.
Update the user profile as in https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/update-profile/
Use the openid scope when generating the access token.
curl -k -X POST https://localhost:9443/oauth2/token -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic Base64Encoded(ck:cs)"
When the gateway generates the backend jwt, it adds the claims from the access token.
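Added example, not from the original answer: it decodes the payload of the backend JWT carried in X-JWT-Assertion (signature verification deliberately left out; verify it separately against the gateway's certificate) and lists which expected claims are absent, so you can confirm the claim configuration took effect. The sample JWT and the expected claim URIs (standard WSO2 claim dialect names) are constructed here.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    No signature check is done here: this only inspects which claims arrived.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token: str, expected: list) -> list:
    """Expected claim names that are not present in the token payload."""
    present = jwt_claims(token)
    return [claim for claim in expected if claim not in present]


# Constructed sample: a backend JWT whose payload carries only default-style
# claims, as the question describes for 4.1. The signature segment is a dummy.
_SAMPLE_PAYLOAD = {"sub": "admin", "iss": "wso2.org/products/am", "exp": 1700000000}
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(_SAMPLE_PAYLOAD).encode()),
    "dummy-signature",
])

# Claims you would expect after configuring them on the service provider
# (assumed names from the WSO2 claim dialect).
EXPECTED_CLAIMS = ["sub", "http://wso2.org/claims/givenname",
                   "http://wso2.org/claims/emailaddress"]

if __name__ == "__main__":
    print("missing:", missing_claims(SAMPLE_JWT, EXPECTED_CLAIMS))
```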
I need this feature in WSO2 Publisher or Devportal:
I have one API that needs a dynamic access token, and I also have another API with static Basic Authentication that provides that dynamic access token. Unfortunately I could not solve this with mediation. The policy is simple, but I don't know whether WSO2 has this simple feature or not.
process: token api with basic Auth ==> provide dynamic access token ==> use access token in main api body and send.
Main API is our Endpoint in WSO2 API.
I could not solve this with Endpoint Security(Oauth2) and mediation(XML).
Version of WSO2-AM is 4.1.0 and this version is latest now.
Have you thought about using a vault, such as HashiCorp Vault, to fetch the basic auth credentials [1]?
From there use a custom sequence [2] that gets the token (step 1 in your diagram) and then get the token check results you need (step 2).
[1] https://apim.docs.wso2.com/en/latest/install-and-setup/setup/mi-setup/security/using-hashicorp-secrets/
[2] https://apim.docs.wso2.com/en/latest/reference/mediators/sequence-mediator/
I am currently setting up a fresh instance of WSO2 AM 3.2.0 from scratch because upgrading and migrating from version 2.1 did not work as expected. To avoid any inconvenience for current users I would like to keep using the already existing consumer_key and consumer_secret for each application so the access_token doesn't change when transitioning from 2.1 to 3.2.
Assume the consumer_key:consumer_secret being in use in version 2.1 is: original_key:original_secret.
When creating a new application in the AM 3.2 instance I, of course, get a new secret - say new_key:new_secret. To keep using the original combination I created a dump of the AM 3.2 database and in this dump I just replaced the new consumer_key and consumer_secret with the original ones like this:
sed -i 's/new_key/original_key/g' dump.sql and sed -i 's/new_secret/original_secret/g' dump.sql
and then I replaced the existing 3.2 database with this modified dump. After restarting the AM 3.2 I can see that the application is in fact using the original consumer_key and consumer_secret but when I generate an access_token it differs from the original access_token which I actually wanted to replicate.
I know that my approach is rather dirty but I'm wondering why it didn't work, though. Is there anything I missed -- or even better -- a clean solution for my problem?
The reason for getting a different access token is that APIM 3.2.0 only supports JWT tokens by default, while 2.1.0 only supports opaque tokens. I believe that you are getting JWT tokens with the above token calls, which are different from opaque tokens.
In the above approach, you will lose the following data from the previous 2.1.0 setup.
APIs and artifact related information.
Application attributes + existing active tokens + scopes
Users that persisted in the existing platform.
However, if you just want to replicate the applications with client id and secret, the better approach would be as follows.
Using Devportal REST API
Use the dev portal REST APIs to create the application [1]. When providing the parameters, specify the token type as OAUTH if you want to obtain an opaque token.
Map the client-id/secret pair using the map-keys resource [2].
I hope the above will be helpful to you.
[1] https://apim.docs.wso2.com/en/latest/develop/product-apis/devportal-apis/devportal-v1/devportal-v1/#tag/Applications/paths/~1applications/post
[2] https://apim.docs.wso2.com/en/latest/develop/product-apis/devportal-apis/devportal-v1/devportal-v1/#tag/Application-Keys/paths/~1applications~1{applicationId}~1map-keys/post
I am trying to deploy WSO2 API Manager (APIM) with a custom valid certificate and to use the option to encrypt tokens and secret user information in the DB.
I can use my certificate all right, it's green even in Chrome, and everything works: token emission, API consumption with a token and token revocation. But as soon as I try to use the option to encrypt tokens, I get an error when trying to use the token: Token expired. If I push the logging to DEBUG level, nothing unusual happens except that the token is considered expired and APIM returns expired credentials.
Does anyone know how to use this option? And yes, I have tried to set that option from the get-go to make sure it is active before any user, API, tenant or anything else is created on the server. If I deactivate it, everything works normally for subscriptions taken after deactivation.
Thank you.