Username Recovery throwing Callback URL validation failed - wso2

WSO2 Identity Server version: 5.11.0
After changing the admin password, I am getting the below error during username recovery.
Error!
Callback URL validation failed. org.wso2.carbon.identity.mgt.endpoint.util.client.IdentityRecoveryException: Error while instantiating IdentityProviderMgtServiceStub
Error logged in the WSO2 Identity Server wso2carbon.log:
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Login failed. Unauthorized login attempt 'admin[-1234]' at [2021-09-06 03:29:02,012+0000]
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2021-09-06 03:29:02,0012] from IP address 127.0.0.1 while trying to authenticate access to service IdentityProviderMgtService
Can someone please advise?
I changed the admin password from the WSO2 console, and login is working fine with the updated password.
However, during username recovery, it logs an illegal access attempt.
What am I missing here?
I already updated the new password in the cipher-text.properties and user-mgt.xml files too.

You can override the config in the RecoveryEndpointConfig.properties file, which is located in
<IS_HOME>/repository/deployment/server/webapps/accountrecoveryendpoint/WEB-INF/classes
Change the
identity.server.service.access.password=admin
to the one that you updated in the admin console.
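The answer above fixes the cause; the following is an added example (not code from the post or from WSO2) that helps confirm it. It reads a constructed copy of RecoveryEndpointConfig.properties, reports whether identity.server.service.access.password still carries the value shown in the answer, and correlates the two WARN lines from the question by their shared correlation id so that a stale internal service credential (loopback source, the recovery endpoint's own service account) is told apart from an outside failed login. Only the property key and the log line format come from the thread; the properties file content, the "admin" service user default, and the function names are assumptions.

```python
"""Added example (not from the original post or from WSO2): after an admin password
rotation, check the recovery endpoint's service credential and separate the
"stale internal credential" warnings from genuine unauthorized login attempts
in wso2carbon.log. The key name and log format come from the thread above;
the properties file content is a constructed sample."""
import re
from typing import Dict, Iterable, List

# wso2carbon.log line shape seen in the question: [ts] [correlation-id] LEVEL {class} - message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<cid>[^\]]+)\] (?P<level>\w+) \{(?P<cls>[^}]+)\} - (?P<msg>.*)$"
)
# CarbonAuthenticationUtil: "Unauthorized login attempt 'admin[-1234]'" (tenant id in brackets)
LOGIN_FAILED_RE = re.compile(r"Unauthorized login attempt '(?P<user>[^'\[]+)(?:\[[^\]]*\])?'")
# AuthenticationHandler: "... from IP address 127.0.0.1 while trying to authenticate access to service X"
ILLEGAL_ACCESS_RE = re.compile(
    r"from IP address (?P<ip>\S+) while trying to authenticate access to service (?P<service>\S+)"
)
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1"}

# Constructed sample of RecoveryEndpointConfig.properties; only the key itself is taken from the answer.
SAMPLE_PROPERTIES = """\
# <IS_HOME>/repository/deployment/server/webapps/accountrecoveryendpoint/WEB-INF/classes
identity.server.service.access.password=admin
"""

# The two WARN lines quoted in the question, used here as sample input.
SAMPLE_LOG = """\
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Login failed. Unauthorized login attempt 'admin[-1234]' at [2021-09-06 03:29:02,012+0000]
[2021-09-06 03:29:02,012] [efd866e3-0236-46d7-bcc1-be378dfbcac8] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2021-09-06 03:29:02,0012] from IP address 127.0.0.1 while trying to authenticate access to service IdentityProviderMgtService
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#' or '!' comments, key=value or key:value, no escapes."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def correlate_auth_failures(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Join the two WARN lines of one failed service login via their shared correlation id."""
    by_cid: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("level") != "WARN":
            continue
        rec = by_cid.setdefault(m.group("cid"), {"ts": m.group("ts")})
        lf = LOGIN_FAILED_RE.search(m.group("msg"))
        if lf:
            rec["user"] = lf.group("user")
        ia = ILLEGAL_ACCESS_RE.search(m.group("msg"))
        if ia:
            rec["ip"], rec["service"] = ia.group("ip"), ia.group("service")
    return [r for r in by_cid.values() if "user" in r and "service" in r]


def classify(rec: Dict[str, str], service_user: str = "admin") -> str:
    """Loopback source plus the account the recovery endpoint authenticates with means a stale
    internal credential (the question's trace), not an outside login attempt."""
    if rec["ip"] in LOOPBACK and rec["user"] == service_user:
        return "stale-internal-credential"
    return "external-auth-failure"


def audit(properties_text: str, log_lines: Iterable[str]) -> Dict[str, object]:
    """Summarise config state and log evidence after an admin password rotation."""
    props = parse_properties(properties_text)
    pw = props.get("identity.server.service.access.password")
    failures = correlate_auth_failures(log_lines)
    return {
        "password_key_present": pw is not None,
        # "admin" is the value the answer tells you to replace; it must track the admin account.
        "password_is_default": pw == "admin",
        "stale_internal_logins": [r for r in failures if classify(r) == "stale-internal-credential"],
        "external_failures": [r for r in failures if classify(r) != "stale-internal-credential"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_PROPERTIES, SAMPLE_LOG.splitlines()), indent=2))
```

Run it against the real properties file and a tail of wso2carbon.log after rotating the admin password: a non-empty stale_internal_logins list together with password_is_default (or a value that no longer matches the admin account) points at exactly the mismatch described in the question, whereas entries in external_failures deserve the usual failed-login investigation.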

Related

Unable to login to wso2 carbon

I was configuring WSO2 to use a MySQL DB as the primary source in the deployment.toml file. Services are running without any error. When I try to access the Carbon console I'm getting an error in the logs.
Error:
ERROR {org.wso2.carbon.core.services.authentication.AuthenticationAdmin} - System error while Authenticating/Authorizing User : Operation is not supported
Please help me resolve this.
Thanks,
prudhvi

WSO2 - Reset password reports an AuthenticationException in the logs

We are using the ResetPassword API from UserInformationRecoveryService WSDL (https://localhost:9443/services/UserInformationRecoveryService), to request a password reset without captcha for the user 'dummy' with the following body, providing the admin/admin user.
<x:Envelope xmlns:x="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org" xmlns:xsd="http://beans.mgt.captcha.carbon.wso2.org/xsd">
    <x:Header/>
    <x:Body>
        <ser:verifyUser>
            <ser:username>dummy</ser:username>
        </ser:verifyUser>
    </x:Body>
</x:Envelope>
The request returns a 200 status code with the token but when checking the console, it reports the following error:
Invalid remote address detected.
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1
Am I missing any configuration? The WSDL doesn't show any remote address field to send like the login API, so it should be something else.
Or is this log error expected?
UPDATE:
Here are the requested DEBUG logs of multiple wso2 components: http://hastebin.com/ubasixagev.coffee
log4j.logger.org.wso2.carbon.user.core=DEBUG
log4j.logger.org.wso2.carbon.identity=DEBUG
log4j.logger.org.wso2.carbon.identity.sso.saml=DEBUG
log4j.logger.org.wso2.carbon.identity.application=DEBUG
log4j.logger.org.wso2.carbon.identity.application.authentication.framework=DEBUG
log4j.logger.org.wso2.carbon.core=DEBUG
log4j.logger.org.wso2.carbon.identity.core=DEBUG

Show exact error messages in wso2 Authentication Endpoint

We are using the WSO2 authentication endpoint. When a user account is locked, or if the user doesn't exist, or on any other error in the endpoint, we are just getting "username password invalid", while in the WSO2 logs I am getting the exact end point. I tried
<Parameter name="showAuthFailureReason">true</Parameter>
but it still throws the default error message. Is there any configuration to handle this?
When you set showAuthFailureReason to true, it sends the exact error code as a query param to the authentication endpoint webapp. You have to customize the webapp to show custom error messages based on the error codes [1].
Thanks
Isura
[1] https://docs.wso2.com/display/IS500/Customizing+Error+Messages

WSO2 IS 5.0.0 error thrown when logging in as locked user

When using WSO2 IS 5.0.0 and setting a user account to locked, http://wso2.org/claims/identity/accountLocked, we get this error below when the login page posts back.
Authentication Error !
Something went wrong during the authentication process. Please try signing in again.
If the user is unlocked and login is re-attempted they will login successfully.
When looking at the wso2carbon.log on the IS we only see this error message recorded.
WARN {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} - User account is locked for user : <user>. cannot login until the account is unlocked {org.wso2.carbon.identity.mgt.IdentityMgtEventListener}
Is there a way to prevent this exception or to catch it so that the login page is not replaced with an exception message?
The Identity Server login page resides in the authentication-endpoint web app [1]. Login failure can occur due to reasons such as invalid credentials, an invalid user, or an account lock. The Identity Server can be configured to send the exact reason for the login failure [2].
So, the web app can be customized based on the login failure (in your case, account locking).
[1] https://docs.wso2.com/display/IS500/Customizing+Login+Pages
[2] https://docs.wso2.com/display/IS500/Customizing+Error+Messages

wso2 identity server Multifactor Authentication error

I am unable to implement Multifactor Authentication.
The error I am getting is
TID: [0] [WSO2 Identity Server] [2012-10-30 10:31:38,620] ERROR {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider} - login failed. Trying again.. {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider}
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate (SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:301)
This is for WSO2 Identity Server 3.2.3, straight out of the box. No additional configuration was performed to run this instance of Identity Server.
It appears that on signing in as admin, the LDAP authentication is completed and then authentication with gtalk is attempted, which is when the error occurs.
Should I be setting my own configuration in the identity.xml where gtalk is being set?
<MultifactorAuthentication>
    <XMPPSettings>
        <XMPPConfig>
            <XMPPProvider>gtalk</XMPPProvider>
            <XMPPServer>talk.google.com</XMPPServer>
            <XMPPPort>5222</XMPPPort>
            <XMPPExt>gmail.com</XMPPExt>
            <XMPPUserName>multifactor1#gmail.com</XMPPUserName>
            <XMPPPassword>wso2carbon</XMPPPassword>
        </XMPPConfig>
    </XMPPSettings>
</MultifactorAuthentication>
I found out that I do need to set up a Google talk account.
I added the new settings to the MultifactorAuthentication configuration.
I restarted the server.
I edited the user account with another new Google talk account.
I logged out.
Logged back in via relyingparty URL with openid,
received communication over gtalk requesting pin.
I entered the pin and got logged in.
It would have been nice if WSO2 had noted in their documentation the need to set up these settings for this configuration to get multifactor authentication to work out of the box.