WSo2 API Manager and Keyrock - issue with roles - wso2

I have deployed WSo2 API Manager 4.1.0 on a Debian 10 machine using the ZIP archive.
I have configured my Keyrock instance as an external identity provider in the Management Console.
When I log in with the Keyrock admin account, I can access the Publisher of the API Manager.
However, with any other account, I get the following error:
Error 403 : Forbidden - The server could not verify that you are authorized to access the requested resource.
After many verifications, I think I have correctly configured WSo2:
WSo2 API Manager configuration:
Basic Claim Configuration
Role Configuration (I also tried to give all roles to the user)
Federated Authenticators / OAuth2/OpenID Connect Configuration
Just-in-Time Provisioning
Keyrock configuration:
Application configuration
Users authorization
I have no log for WSo2 when the error is displayed.
Here is the content of the JWT token that Keyrock sends back to WSo2:
{
"organizations": [],
"displayName": "",
"roles": [
{
"id": "1a209432-7bfe-4055-9028-a42524fc5418",
"name": "publisher"
},
{
"id": "8192fef7-d77d-4389-a618-082ccddd33ad",
"name": "apim_publisher"
}
],
"app_id": "babab169-10ea-4283-a64a-7fba4aca6ce9",
"trusted_apps": [],
"isGravatarEnabled": false,
"id": "1a8f660f-d32f-46c1-a5f5-80a5cbffd219",
"authorization_decision": "",
"app_azf_domain": "",
"eidas_profile": {},
"attributes": {},
"shared_attributes": "",
"username": "pierre.josselin",
"email": "email#example.com",
"image": "",
"gravatar": "",
"extra": "",
"iss": "http://localhost:3000",
"sub": "1a8f660f-d32f-46c1-a5f5-80a5cbffd219",
"aud": "babab169-10ea-4283-a64a-7fba4aca6ce9",
"exp": 1657904225,
"iat": 1657900625,
"at_hash": "9zTg2zPtFlbJpLmKE8Izsg=="
}
Thank you very much

Related

WSO2 SCIM 2 API to get all users by tenant not returning any user

I am using WSO2 identity server 5.7.0, i am calling the api https://[url]:[port]/t/tenantName/scim2/Users GET. The response received is the following with HTTP status 200:
{"totalResults":0,"startIndex":1,"itemsPerPage":0,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"]}
However, the user is not being returned, the tenant has its own admin user only. The expected response (working fine on another environment) is:
{
"totalResults": 1,
"startIndex": 1,
"itemsPerPage": 1,
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"Resources": [
{
"emails": [
"user1#gmail.com"
],
"meta": {
"created": "2023-01-05T13:01:12Z",
"lastModified": "2023-01-05T13:01:12Z"
},
"roles": [
{
"type": "default",
"value": "Internal/subscriber,Internal/creator,Internal/publisher,Internal/everyone,admin"
}
],
"name": {
"givenName": "user1",
"familyName": "user1"
},
"id": "2e86d8e6-7db8-4600-a8bc-f3h1d54d8h6a",
"userName": "user1"
}
]
}
How to fix this? Are there any configuration that should be changed to return all users?
Note: SCIM is enabled in user-mgt.xml file
Recreating a new tenant after enabling the SCIM solved the issue, but the issue remains for the tenant that was created prior to enabling the SCIM.

Integrate external authorization server as OIDC IdP in Amazon Cognito

I want to integrate an external authorization server as an OIDC IdP with Amazon cognito. The authorization server application is being developed by another party so we can not do any changes or modifications in that service. On this url, https://docs.aws.amazon.com/de_de/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html some requirements have been specified for an OIDC IdP. I have also highlighted the points in the below image:
The problem is that the auth service which I want to integrate as an OIDC IdP does not support https. Also it supports only client_secret_basic client authentication which is not supported by AWS Cognito. When I hit the auth service Document Discovery URL http://auth-server:9000/.well-known/openid-configuration, I get the response:
{
"issuer":"http://auth-server:9000",
"authorization_endpoint":"http://auth-server:9000/oauth2/authorize",
"token_endpoint":"http://auth-server:9000/oauth2/token",
"jwks_uri":"http://auth-server:9000/oauth2/jwks",
"userinfo_endpoint":"http://auth-server:9000/userinfo",
"token_endpoint_auth_methods_supported":[
"client_secret_basic"
],
"response_types_supported":[
"code"
],
"grant_types_supported":[
"authorization_code"
],
"subject_types_supported":[
"public"
],
"id_token_signing_alg_values_supported":[
"RS256"
],
"scopes_supported":[
"openid",
"profile",
"email"
],
"userinfo_signing_alg_values_supported":[
"RS256"
],
"display_values_supported":[
"page"
],
"claims_supported":[
"auth_time",
"birthdate",
"email",
"email_verified",
"family_name",
"gender",
"given_name",
"iss",
"middle_name",
"name",
"preferred_username",
"sub",
"updated_at"
],
"claims_locales_supported":[
"en"
],
"ui_locales_supported":[
"en",
"de",
"fr",
"ru",
"sk"
],
"end_session_endpoint":"http://auth-server:9000/logout"
}
Can anyone guide me how I can solve this problem as I have mentioned that we can not change anything in the auth server because it has been developed by another company.

GCP API key is not valid in postman

I tried to create new dialogflow intent through postman. It is working in API Explorer but I can't able to connect dialogflow with postman. For doing this I have created some credentials,
New API key in GCP project
Oauth credentials in GCP project
Bearer token from google cloud SDK shell
Here I have used same API in postman but can't able to connect. How can I troubleshoot this?
{
"error": {
"code": 400,
"message": "API key not valid. Please pass a valid API key.",
"status": "INVALID_ARGUMENT",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "API_KEY_INVALID",
"domain": "googleapis.com",
"metadata": {
"service": "dialogflow.googleapis.com"
}
}
]
}
}

How can we get the phone number with Google OAuth API and facebook API used for social login?

How can we get the phone number with Google OAuth API login.
I am using scopes as
'scope' : 'https://mail.google.com https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.login '
and the request is as
var request = gapi.client.plus.people.get({'userId': 'me'});
Is there any scope we can use to get it.
I am getting response as with no sight of phone number :
{
"kind": "plus#person",
"etag": "\"vPymIyv1bT9LfmoUujkgN2yLMK0\"",
"gender": "male",
"emails": [
{
"value": "XXX#gmail.com",
"type": "account"
}
],
"urls": [
{
"value": "http://picasaweb.google.com/XXX",
"type": "otherProfile",
"label": "Picasa Web Albums"
}
],
"objectType": "person",
"id": "4354354334435465",
"displayName": "XXXXX YYYY",
"name": {
"familyName": "XXX",
"givenName": "YYYYY"
},
"url": "https://plus.google.com/1100335464643327",
"image": {
"url": "https://lh3.googleusercontent.com/-fgsdgfgU9-jU/AAAAAAAAAAI/AAAAAAAADkM/fgffdgdkM/photo.jpg?sz=50",
"isDefault": false
},
"isPlusUser": true,
"language": "en",
"ageRange": {
"min": 21
},
"circledByCount": 59,
"verified": false
}
if you want to get user phone numbers you have to have authorization from the user: see the following info page : https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
ask the user for this scope of authorization :
https://www.googleapis.com/auth/admin.directory.user.readonly
after you have authorization from user run the folowing request :
GET https://www.googleapis.com/admin/directory/v1/users/userKey
the response will be a JSON response formatted as followed:
https://developers.google.com/admin-sdk/directory/v1/reference/users#resource
one of the attributes is phone list.
hope it helps.
You can use google's people API to get the user's phone numbers.
To explore more you can try yourself.
Steps to explore:
Visit this link.
Select https://www.googleapis.com/auth/user.phonenumbers.read permission in People API v1 section
Click on Authorize API
Choose the account to log in
Grant permission
Click Exchange authorization code for tokens
Enter https://people.googleapis.com/v1/people/138262720636785143353?personFields=phoneNumbers,emailAddresses link, make sure you replace the UID
Click on send request to see the response

Show carbon username in WSO2 Identity Server 5.2 with OpenID

I can get id_token from WSO2 5.2 by hitting
https://localhost:9443/oauth2/token
The id_token can be customized by mapping local claim to OIDC claim in open id.
For instance, I can add role in the JWT token from WSO2. However, I can't get WSO2 user shows up in the token.
{
"at_hash": "VFjcb6kEgMrXIemmg7AAMQ",
"sub": "kramercecret",
"iss": "https://a2d92f278368:9443/oauth2/token",
"preferred_username": "Pikachu Jigglpuff",
"given_name": "Pikachu Jigglpuff",
"aud": [
"3j8Bf3bx_mdLagZgTjaZUeDHjAoa"
],
"azp": "3j8Bf3bx_mdLagZgTjaZUeDHjAoa",
"auth_time": 1467078553,
"scope": [
"Internal/everyone",
"Approver"
],
"name": "Pikachu Jigglpuff",
"exp": 1467082172,
"iat": 1467078572,
"email": "pikachu.jigglypuff#yahoo.com"
}
Has anyone done this before?
The purpose of this is to access the username in the ID_Token and let the spring security to decode the JWT token, then store the username in the database.
Thank you very much.