Why unsubscribed Application token can be used to access WSO2 APIM endpoint? - wso2

There is an API hosted in WSO2 APIM 4.1.0 and there are two different Apps subscribed to that API.
Before Unsubscribe:
I just unsubscribed one of the Apps to delete the API subscription by following the WSO2 doc.
After Unsubscribe:
After unsubscribing, I am able to invoke the WSO2 API using the unsubscribed Application's token.
It should not allow that unsubscribed app to invoke the API. OR correct me if my understanding is wrong.
Postman :
Note: In the above API hit, I passed the unsubscribed APP token as the Authorization header.

In your case, you should not be able to invoke the API without a proper subscription. Although the token is valid, you should get a 403 HTTP code saying that subscription validation has failed.
You can check whether the events are propagated successfully to your gateway node from the control plane node. This is basically when you have a distributed setup. If you have an HA setup, verify that both nodes are working properly when it comes to event distribution.

Are you using the GA release of APIM 4.1.0? If so, this could be a bug that was fixed later through U2 updates. When an application subscription is deleted, any API invocations done using the tokens of that application should fail due to subscription validation, with an error similar to the one below and a 403 HTTP code.
{"code":"900908","message":"Resource forbidden ","description":"User is NOT authorized to access the Resource. API Subscription validation failed."}
If you have a paid WSO2 subscription, please try this scenario by taking the latest U2 updated/patched version of APIM 4.1.0 by referring to this.

I tried the GA APIM 4.1.0 and this use case worked as expected. Shall we verify the subscription delete event flow in the API gateway by enabling debug logs for the gateway and key management components?
Add the following configurations in the <APIM_HOME>/repository/logs/log4j2.properties file:
logger.gateway-component.name = org.wso2.carbon.apimgt.gateway
logger.gateway-component.level = DEBUG
logger.keymgt-component.name = org.wso2.carbon.apimgt.keymgt
logger.keymgt-component.level = DEBUG
Make sure to add the newly created loggers as below:
loggers = gateway-component,keymgt-component, AUDIT_LOG, trace-messages, org-apache-coyote, ....
With these, subscribe and unsubscribe events should be displayed in the terminal. You can use them to verify the event flow.
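A small regression check for the behaviour the answers above describe: after an application's subscription is deleted, a call carrying that application's token must come back as HTTP 403 with WSO2 error code 900908. This is an added example, not WSO2 code; the gateway URL and token are assumed to be supplied through the environment variables named in the block.

```python
"""Check that an unsubscribed application's token is rejected by the gateway.
Added example; the environment variable names are assumptions, not WSO2 ones."""
import json
import os
import urllib.error
import urllib.request

SUBSCRIPTION_FAILED = "900908"  # error code quoted in the answer above


def assess(status, body):
    """Classify a gateway response to a request made with an unsubscribed app's token.

    'enforced'     -> 403 with code 900908: subscription validation rejected the call.
    'not-enforced' -> 2xx: the call went through, i.e. the problem from the question.
    'other'        -> anything else (expired/invalid token, 404, ...), which proves
                      nothing about subscription validation and needs a fresh token.
    """
    if 200 <= status < 300:
        return "not-enforced"
    if status == 403:
        try:
            code = str(json.loads(body).get("code", ""))
        except (ValueError, AttributeError):
            code = ""  # body was not the JSON fault shown in the answer
        if code == SUBSCRIPTION_FAILED:
            return "enforced"
    return "other"


def probe(url, token):
    """Invoke the API once with the given bearer token and classify the outcome."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return assess(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return assess(err.code, err.read().decode())


if __name__ == "__main__":
    # Placeholders from the environment; no real gateway address or token is embedded.
    print(probe(os.environ["APIM_API_URL"], os.environ["UNSUBSCRIBED_APP_TOKEN"]))
```

Run it right after deleting the subscription; anything other than `enforced` means the delete event did not take effect on that gateway node and the debug loggers above are the next step.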


Using WSO2 API Manager with Identity Server and SEPARATE Identity Server Key Manager

We're in the process of configuring our suite of WSO2 products in a development environment and we're having a hard time wrapping our heads around IS Key Manager.
What we're going for is an Identity Server (already configured) with an OAuth Service Provider that an external web page can log into. This is already complete, we can get our token through IS just fine.
We now want to take the same token, and pass it to API Manager, and have API Manager understand the token, and the roles within, and approve or deny the API request.
Further in, we want to pass the token to Enterprise Integrator (which API Manager calls) and get info from the token (user info, claims) within a sequence.
IS is configured and working in its isolated way (tokens generated from it aren't being accepted by APIM). APIM is configured in that it is pointing to an EI API.
EI is only configured in that it has an API with sequences that do stuff.
I've read through these:
They suggest a separate Key Manager that all can speak to. Makes sense. But the Key Manager when downloaded is an APIM instance? And looking deeper into the documentation it seems like this Key Manager is meant to REPLACE the traditional Identity Server, which doesn't support our use case (we need a separate Identity Server that can federate freely with others).
I assume I'm not understanding something about the Key Manager configuration properly.
In short:
IS needs to have an OAuth service provider to login to. Once the token is generated there, it will be sent to an APIM endpoint. APIM should understand the roles, and authorize it through. EI should then receive the token from APIM and then also understand the roles and authorize it through.
How can I accomplish this?
I would assume you got to the "API Manager" download page. Then you got the download pack named "wso2am-2.6.0.zip"?
There is a link on the same download page under "Other Resources" -> "Identity Server as a Key Manager Pack". You can get the "wso2is-km-5.7.0.zip".
This is almost the same as "wso2is-5.7.0.zip", except for a few config modifications. You could use almost all the IS features in the same way.

AWS Lex and Facebook Messenger Integration Not Working

I'm banging my head against the wall trying to get an AWS Lex based chatbot integrated with Facebook.
As far as I can tell, everything is set up correctly.
When I send a message to my page in Facebook, I don't get a reply. However, the analytics in my app shows that the app is getting messages, so I know the message is making it from the page to the app.
When I try to hit the AWS Lex Webhook directly using POSTMAN, the webhook responds to literally everything I sent to it with a blank HTTP 200 OK response.
The lambda function that is tied to the AWS Lex chatbot is not getting invoked as a result of the messages from Facebook, because no logs are getting generated and CloudWatch doesn't show any attempts to run the lambda function.
Does anyone have any ideas?
UPDATE : I ended up engineering around this by bypassing the Facebook channel capability inside AWS Lex and using Lambda instead. I deployed a passthrough API which calls a lambda function and then interacts with AWS Lex via Boto3/Python. In theory this is all supposed to be taken care of from inside AWS Lex with the Facebook channel integration, but I wasn't able to get it to work so I just built around it.
Verify Amazon Lex is properly configured with Facebook Messenger.
Check: Page access token
Verification token
App ID
Check if your webhook is subscribed to the page you are messaging on.
Check if your Facebook user is added as a tester/admin/developer.
Check if the latest version of your bot is published on the intended alias.
Also, while configuring the webhook, tick the necessary options: messages, messaging_postbacks, messaging_optins, message_deliveries, message_reads, messaging_payments
This should resolve your headache. If not, please reply.

Error while publishing an API in the WSO2 API Manager

When I publish an API in the WSO2 API Manager, the following error occurs:
Gateway Failures
Failed to Publish Environments
Production and Sandbox
Error while obtaining API information from gateway. Error while obtaining API information from gateway. Authentication failure
This could be due to an authentication failure. Please check whether username/password within <Environments> content element of root <APIGateway> element in api-manager.xml (<APIM_HOME>/repository/conf/api-manager.xml) is correct
I've had this issue.
When checking the logs I saw this:
URL context: /hrs/admihrsd/osb/documentWS/2.0.0 is already registered with the API: novakgo--hrs-admihrsd-osb-document-service:v2.0.0
The issue was that someone was trying to publish a new API with the same context as another one. They should change the context and publish again, and the error is fixed. Contexts have to be unique.

How do I disable OAuth2 for a resource in WSO2's API Publisher?

I've created a simple API and I'm trying to publish it using WSO2's API Publisher (aka API Cloud). I've gone through all the steps, but it seems to require an Authorization header to access my endpoint. In older documentation, it says that I can change the "Auth Type" at the resource level.
However, this option doesn't seem to be there in the current version. I tried to make it so the Authorization header was not required. Unfortunately, I still get the following error:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:message>Missing Credentials</ams:message>
<ams:description>Required OAuth credentials not provided</ams:description>
Is it possible to disable authentication for my API? I don't need it at this point in my project.
The document you referred to is from APIM 1.6. From APIM 1.7, the APIM team changed the API creation process to a 3-step process. It involves API Design, Implement and Manage. I think you have experienced this by now. In the Manage section, at the very bottom, it lists the available resources of the API, their auth type, allowed tier and the scope allowed.
The default auth type is Application & Application User. If you click on that, you will get a drop-down where you will see "None" as an option. If you set the auth type to None, you will be able to invoke the API without providing an OAuth token.
See the following screenshot where I have selected different Auth types when creating an API.
Open the configuration related to your API in ${AM_HOME}/repository/deployment/server/synapse-configs/default/api/ and remove the following part:
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
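Removing that handler leaves the API reachable without any credentials, so it is worth being able to list which deployed APIs still carry it. The audit helper below is an added example, not WSO2 code: it scans the synapse-configs directory named above for `<api>` definitions and reports which ones lack the APIAuthenticationHandler. The Synapse XML namespace is the standard one; the sample XML and the second handler class in it are constructed.

```python
"""Audit deployed synapse API definitions for a missing APIAuthenticationHandler.
Added example; the sample XML below is constructed, not taken from a real deployment."""
import glob
import os
import xml.etree.ElementTree as ET

SYNAPSE_NS = "{http://ws.apache.org/ns/synapse}"
AUTH_HANDLER = "org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"


def audit_api_xml(xml_text):
    """Return (api_name, context, has_auth_handler) for one <api> definition."""
    root = ET.fromstring(xml_text)
    if root.tag != SYNAPSE_NS + "api":
        raise ValueError("not a synapse <api> definition")
    classes = {h.get("class") for h in root.iter(SYNAPSE_NS + "handler")}
    return root.get("name"), root.get("context"), AUTH_HANDLER in classes


def audit_directory(api_dir):
    """Scan every *.xml under the synapse-configs/default/api directory from the answer."""
    findings = []
    for path in sorted(glob.glob(os.path.join(api_dir, "*.xml"))):
        with open(path, encoding="utf-8") as fh:
            try:
                findings.append(audit_api_xml(fh.read()))
            except (ET.ParseError, ValueError):
                continue  # not an API artefact; skip it
    return findings


# Constructed sample: the same API with and without the authentication handler.
# "org.example.OtherHandler" is a placeholder, not a real WSO2 class.
SAMPLE_WITH = """<api xmlns="http://ws.apache.org/ns/synapse" name="admin--Demo" context="/demo/1.0.0">
  <resource methods="GET" url-mapping="/*"><inSequence/></resource>
  <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
    <handler class="org.example.OtherHandler"/>
  </handlers>
</api>"""
SAMPLE_WITHOUT = SAMPLE_WITH.replace('    <handler class="%s"/>\n' % AUTH_HANDLER, "")

if __name__ == "__main__":
    for sample in (SAMPLE_WITH, SAMPLE_WITHOUT):
        name, ctx, has_auth = audit_api_xml(sample)
        print(f"{name} {ctx}: {'authenticated' if has_auth else 'OPEN (no auth handler)'}")
```

Point `audit_directory` at `${AM_HOME}/repository/deployment/server/synapse-configs/default/api/` to get the same verdict for every deployed API.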

Does WSO2 API Manager prevent XSS and CSRF security errors?

I'm researching WSO2 API Manager and I discovered that if I use WSO2 API Publisher and API Store, I would meet XSS and CSRF security errors. With XSS, I see that WSO2 didn't encode HTML character input. With CSRF, I see that WSO2 didn't create a token when I request from client to server and vice versa.
Does anyone know how to configure WSO2 to prevent these security errors, or how to fix them?
Thanks in advance.
On our side, there are a few things we do when publishing/consuming APIs via the API Publisher and API Store:
Set the Transports property to just HTTPS so that we can limit API availability to just HTTPS.
For each HTTP method, we set the Auth Type to either Application, Application User or both, but never none. This will force the client to utilize the WSO2 Access Token scheme to invoke the APIs hosted on the API Store.
On the client side, we have been invoking the Token API to generate and renew user and application access token so that we don't have to manually re-generate keys in the API Store.
Utilize an API in-sequence to escape special characters.
We have fixed these types of security issues in our next release, AM V1.7.1. You can expect it in the 3rd week of September.