How to get complete user claims details using X-JWT-Assertion header in wso2 APIM 4.1? - wso2

We are moving WSO2 API from 3.1 to 4.1.
In 3.1 we are getting all user profile claims in the X-JWT-Assertion header,
but in 4.1 we are not getting all claims; we are seeing only the default claims.
Can you help us with how to get all claims?

You can follow these steps.
Create an application in the devportal.
When you generate the consumer key and secret in the devportal for this application, it creates the service provider underneath. This service provider will be available when you log into the carbon console.
Click on the service provider and configure the claims under claim configuration. You can provide the required claims here as shown in the screenshot.
Update the user profile as in https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/update-profile/
Use the openid scope when generating the access token.
curl -k -X POST https://localhost:9443/oauth2/token -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic Base64Encoded(ck:cs)"
When the gateway generates the backend jwt, it adds the claims from the access token.

Related

How do I pass a bearer token in wso2 Publisher?

I am using WSO2 to manage my group's APIs, so I publish my API to the WSO2 Publisher. My API has its own authentication by sending a bearer token. The swagger document has the authorize button, but when I import my API definition in the WSO2 Publisher, the authorize button disappears.
I have these questions:
1. How should I send the original bearer token?
2. When I use a swagger3 definition, it shows some error; is swagger3 not supported by the import function?
Anyone have a suggestion?
My wso2 version is: WSO2 API-M v4.1.0
WSO2 API Manager does support Swagger 2 and Open API Specification (OAS) 3 and above.
And with regard to Bearer tokens in API Manager, you can generate a bearer token using the DevPortal for your APIs. You need to create a new Application, subscribe to your API, and then you can generate a new JWT-based bearer token.
Please check this section in detail - https://apim.docs.wso2.com/en/latest/consume/consume-api-overview/
If your backend is OAuth protected you can use Endpoint security to add OAuth configs to generate a backend bearer token when calling the API. Take a look at this document. Also if you want to import backend certificates to API Manager take a look at this document.

How to set access token in database?

I am migrating an old API manager to 4.1 (with one Gateway-worker and one Control-plane) and I want to reuse an existing access token and set it in the database.
In the old version, an API has an access token with infinite lifetime. This token is deployed in mobile apps, and it is not acceptable to regenerate a new token and redeploy the mobile app.
Actually, I have created the API in the new version (4.1). I'm using opaque token, and I can request this API with the opaque token. I just want to use my old access token instead.
I've tried to set this token in the database:
UPDATE "IDN_OAUTH2_ACCESS_TOKEN" SET ACCESS_TOKEN = '64a84d453e9259d2104210035d8436f4',
ACCESS_TOKEN_HASH = '{"hash":"4cf7cd7f4ddc89b9900554bcf8e3ca71c605c59b278b3996a330f1fd4a3ff372","algorithm":"SHA-256"}'
WHERE ROWID = 'xxx'
Then I restarted the gateway to clear the token cache.
I have also tested the options for disabling the token cache (just for testing):
[apim.cache.gateway_token]
enable = false
[apim.cache.km_token]
enable = false
[apim.cache.restapi_token]
enable = false
When I request a token, my old token is correctly returned by the key manager:
curl -k -X POST https://my-keymanager.dev/oauth2/token -d "grant_type=client_credentials" -H "Authorization: Basic XXXXX"
{"access_token":"64a84d453e9259d2104210035d8436f4","scope":"default","token_type":"Bearer","expires_in":xxx}
But when I try to call the API with this token,
curl -k -X GET "https://my-gateway.dev/test-api/32155" -H "accept: application/json" -H "Authorization: Bearer 64a84d453e9259d2104210035d8436f4"
I always get this error:
{"code":"900901","message":"Invalid Credentials","description":"Access failure for API:
/my-Api/v2.0.0, version: v2.0.0 status: (900901) - Invalid Credentials.
Make sure you have provided the correct security credentials"}
DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failed with error 900901 org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /eQuilibre/v2.0.0, version: v2.0.0 status: (900901) - Invalid Credentials
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:536)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:516)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:402)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:353)
at org.apache.synapse.api.API.process(API.java:403)
I think there is another step, because the gateway doesn't call the key manager when I call the API.
How can I tell the Gateway to accept the new token?
EDIT 1:
I'm using Opaque tokens in API Manager 4.1:
How to create an application that generate Opaque token in WSO2 APIM Manager 4.x versions
EDIT 2:
I'm migrating from 2.6, but it should be the same problem with any other version with opaque tokens. The only thing I want to migrate is the value of the token.
Actually, I have created the API in the new version (4.1). I'm using opaque token, and I can request this API with the opaque token. I just want to use my old access token instead.
First of all, we no longer support Opaque tokens out-of-the-box in our latest product versions.
I am migrating old API manager to 4.1 (with one Gateway-worker and one Control-plane) and I want to reuse existing access token and set it in database.
From which version of API Manager are you trying to migrate? The source version is not mentioned. If the source deployment also has JWT tokens, you can migrate existing tokens into the new deployment by migrating your database using our migration scripts.
Based on the error message, I believe you are trying to invoke the new API with the old Opaque access token, whereas the new API Manager 4.1 uses the JWT token by default.
Contact WSO2 Support via [1] for any further support.
[1] https://apim.docs.wso2.com/en/latest/install-and-setup/upgrading-wso2-api-manager/upgrading-api-manager/
Yes, if you follow our standard migration scripts, you can migrate existing opaque tokens (that's what is used by APIM v2.6) as is, and your existing applications will continue to function as usual. Only the new applications will use JWT tokens.
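A consistency check for the row that the UPDATE statement above writes, added here as an example that is not from the question or the answers: it assumes, as that UPDATE implies, that ACCESS_TOKEN_HASH is a JSON object holding the SHA-256 hex digest of the token string, derives that JSON from a token value, and verifies a stored ACCESS_TOKEN / ACCESS_TOKEN_HASH pair so a mismatch between the two columns can be spotted before suspecting the caches.

```python
import hashlib
import hmac
import json


def sha256_hex(value: str) -> str:
    # Assumption: the digest is taken over the UTF-8 bytes of the token string.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def token_hash_json(access_token: str) -> str:
    # Produce the ACCESS_TOKEN_HASH column value in the same layout as the
    # UPDATE statement in the question: {"hash":"<hex>","algorithm":"SHA-256"}.
    return json.dumps({"hash": sha256_hex(access_token), "algorithm": "SHA-256"},
                      separators=(",", ":"))


def hash_matches_token(access_token: str, stored_hash_json: str) -> bool:
    # Verify that a stored ACCESS_TOKEN / ACCESS_TOKEN_HASH pair is consistent.
    try:
        stored = json.loads(stored_hash_json)
    except ValueError:
        return False
    if stored.get("algorithm") != "SHA-256":
        return False
    # Constant-time comparison, since the digest is derived from a credential.
    return hmac.compare_digest(str(stored.get("hash", "")), sha256_hex(access_token))


if __name__ == "__main__":
    # Constructed token value for demonstration; not a real credential.
    token = "constructed-example-token"
    print(token_hash_json(token))
    print(hash_matches_token(token, token_hash_json(token)))
```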

Call API without manually generate token

I'm using WSO2 to create an API (Bearer token). Then I want to configure it to auto-generate a token (Basic Auth) and use the response as the access token. How can I do that? Thank you so much!
In WSO2 APIM, you can protect your API resources with different mechanisms (OAuth2, API Key, Basic Authentication) or you can disable the security.
1. Disable API resource security
If you don't want any security on your API you can disable it in the publisher portal --> Select the API --> Resources --> Expand the resource --> Disable the Security button --> Save
2. Secure API with Basic Authentication
If you want to secure your API resources with username and password (Basic Authentication) you can enable it by navigating to the publisher portal --> Select the API --> Runtime Configurations --> Application Level Security --> Select Basic --> Save
In the developer portal, you can invoke the API resources with the username and password. The sample curl command is provided below.
curl -X GET "https://localhost:8243/pizzashack/1.0.0/menu" -H "accept: application/json" -H "Authorization: Basic YWRtaW46YWRtaW4="
Please note that the above solution is given for APIM-3.2.0. For more details on securing the APIs using Basic Authentication please refer https://apim.docs.wso2.com/en/latest/design/api-security/api-authentication/secure-apis-using-basic-authentication/

how to export the wso2 user's UUID as part of JWT token?

I'm trying to configure a service provider of WSO2 Identity Server v5.7.0 in order to export the UUID & roles of a user as part of the JWT token. I've done it like this but only the roles are exported. The UUID is not shown.
local claim:http://wso2.org/claims/userid. mandatory claim: yes
local claim:http://wso2.org/claims/role. mandatory claim: yes
Steps:
1. In the wso2 IS admin console -> main tab -> locate the service provider I've created.
2. In "claim configuration", I choose "use local claim dialect".
3. In "Requested Claims" I add Claim URI.
I've added "wso2.org/claims/userid" & "wso2.org/claims/role" and both of them are marked "mandatory claim".
After saving it, I use curl -u kbxx:Vyy -k -d "grant_type=password&username=youfa.mao&password=x&scope=openid" -H "Content-Type:application/x-www-form-urlencoded" xxx:yyy/oauth2/token to get the JWT token;
Only the roles are in the token. The user UUID is not found.
In WSO2 Identity Server, the password grant type issues an id_token (JWT) adhering to the OIDC core specification. In order to get a user claim in the JWT you should have a mapping between wso2 claims (http://wso2.org/claims) and OIDC claims (http://wso2.org/oidc/claim). For the role claim this mapping is already there, where http://wso2.org/role maps to the groups claim in the OIDC dialect.
Please follow the steps below, in addition to what you did, to get the userid claim in the id_token (JWT):
Add userid to OIDC claim dialect
Dialect URI: http://wso2.org/oidc/claim
Claim URI: userid
Mapped Local Claim: http://wso2.org/claim/userid
From the management console UI "OIDC Scopes", add the userid claim to the openid scope.
You need to map wso2 claims to OIDC claims in order to achieve this. blog, blog section 6 with claim configuration will help you understand how to add wso2 claim mappings.

SAML and OpenID SSO with WSO2 Identity server

I'm trying to achieve SSO among different applications. The applications are:
API Manager 1.7.0 Store
API Manager 1.7.0 Publisher
Liferay 6.2
I managed to configure Liferay to log in through Identity Server OpenID and to configure API Manager to log in through an Identity Server generated SAML token, as detailed in the API Manager documentation.
The SSO is working well between the api store and api publisher.
The problem is that I can't achieve SSO between Liferay and API Manager. If I log in to Liferay with OpenID and open the store or publisher URL, the user is asked for username and password again.
How can I configure the IS to implement the desired scenario?
Thanks, Paolo
Are you using the IS 5.0.0 version? Normally it would create the same session for all logins in IS 5.0.0. It means that if you log in with OpenID, SAML2 or OAuth2, it does not matter; IS creates a common session for the given user. Normally it should not ask for the password again. If it does, it can be a bug. Can you just check whether there is a cookie called commonauthid in the browser? If you are using an older version of IS, you can enable this property <AcceptOpenIDLogin>false</AcceptOpenIDLogin> in the identity.xml file