Getting 403 error when trying to add new tenant - wso2

I added a service provider to WSO2IS and use its secret to get an access token. I then use this access token to execute the endpoint https://localhost:9443/t/carbon.super/api/server/v1/tenants, but I am getting a 403 error. The access token is for the admin user, who as far as I can see has all privileges. Why am I getting a forbidden error and how can I fix it?

Follow the steps in https://stackoverflow.com/a/65371473/10055162. If you generated the token without passing the required scopes (in your case internal_list_tenants), you will get a 403 Forbidden response from the REST API call.
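To make the accepted answer concrete, here is an added example (not code from the question or answer above) that requests a client_credentials token from WSO2 IS with the scope the tenant API needs, refuses to call the API if the server did not actually grant that scope, and maps a 403 back to its cause. The host, client_id, client_secret and CA bundle path are placeholders; the /oauth2/token path and the internal_list_tenants scope are WSO2 IS defaults, and the tenants endpoint is the one from the question.

```python
"""Request a WSO2 IS token with the scope the tenant API requires, then call the API.

Added example, not from the original question or answer. Assumptions: IS_HOST,
the client credentials and the CA bundle path are placeholders to replace;
/oauth2/token and the scope name internal_list_tenants are WSO2 IS defaults.
"""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

IS_HOST = "https://localhost:9443"  # assumption: a local WSO2 IS instance
TOKEN_ENDPOINT = f"{IS_HOST}/oauth2/token"
TENANTS_ENDPOINT = f"{IS_HOST}/t/carbon.super/api/server/v1/tenants"
REQUIRED_SCOPE = "internal_list_tenants"


def token_request(client_id: str, client_secret: str, scope: str):
    """Build the client_credentials request: HTTP Basic header plus form body.

    The scope parameter is the part the original poster left out.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


def missing_scopes(token_response: dict, required: set) -> set:
    """Return the required scopes the server did NOT grant.

    The token endpoint echoes granted scopes in the space-separated 'scope'
    field; anything missing here predicts a 403 from the protected API.
    """
    granted = set(token_response.get("scope", "").split())
    return set(required) - granted


def fetch_tenants(client_id: str, client_secret: str, ssl_context=None) -> dict:
    """Obtain a correctly scoped token and list tenants, translating a 403 into a clear error."""
    headers, body = token_request(client_id, client_secret, REQUIRED_SCOPE)
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl_context) as resp:
        token = json.load(resp)
    missing = missing_scopes(token, {REQUIRED_SCOPE})
    if missing:
        raise RuntimeError(f"token lacks scopes {sorted(missing)}; the API would answer 403")
    api_req = urllib.request.Request(
        TENANTS_ENDPOINT, headers={"Authorization": f"Bearer {token['access_token']}"}
    )
    try:
        with urllib.request.urlopen(api_req, context=ssl_context) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 403:
            raise RuntimeError(
                "403 Forbidden: the scope was granted but the user behind the "
                "token lacks the permission mapped to it"
            ) from exc
        raise


if __name__ == "__main__":
    # Placeholder credentials and CA bundle; trust the IS certificate explicitly
    # instead of disabling verification.
    ctx = ssl.create_default_context(cafile="/path/to/wso2is-ca.pem")  # assumption
    print(json.dumps(fetch_tenants("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER", ctx), indent=2))
```

The check in missing_scopes is the cheap place to catch the problem: a token that comes back without internal_list_tenants in its scope field will never succeed against the tenants endpoint, so failing early saves a confusing 403 later.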

Related

Can't get ID token even with Auth code flow via Postman

I am trying to get ID token and Refresh token along with access token from Azure AD app via Postman by using below parameters:
GET
https://login.microsoftonline.com/mytenant_id/oauth2/v2.0/token
client_id='myclient_id'
&client_secret='myclient_secret'
&grant_type=authorization_code
&scope=https://graph.microsoft.com/.default
&redirect_uri=https://jwt.ms
I am able to get the access token, but not sure why I am not getting ID token and Refresh token along with it.
At first, I tried with client_credentials flow, but I came to know I have to use auth code flow or OpenID Connect in order to get those tokens.
So I shifted to auth code flow. But still I'm getting access token only:(
I have also enabled the below options in the Portal
What else settings are needed to get the tokens? Any suggestions would be appreciated.
Edited:
I have given below API permissions:
Please note that getting ID token and Refresh token along with access token depends on the scope/API permissions you grant to the application as mentioned in this MsDoc.
I tried to reproduce the same in my environment and added scopes like below:
After adding the openid and offline_access in the scope, I got all tokens successfully like below:

Unable to fetch list of Azure Resources via Postman

I am trying to fetch the list of resources present in my Azure Resource Group.
To do that, I got an access token by registering one app in Azure AD using the client_credentials flow.
But when I am using that token to query like below, I'm getting 401 Unauthorized - Authentication failed error.
Query that I used:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/resources?api-version=2021-04-01
I have owner access to all my resources, so why am I getting a 401 Unauthorized error? Is there any step that I missed?
Can anyone point me in the right path?
I came to know I have to give API permissions for Azure Service Management.
After giving user_impersonation, I changed the scope to https://management.azure.com/.default and got access token.
Using this token, I successfully got the list of resources without any errors.
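The two Azure posts above share one root cause: the token response only contains what the requested scopes ask for, and an access token is only accepted by the resource named in its audience. The added example below (not code from either post) decodes a token response and explains the observed behaviour: a missing id_token points at the openid scope, a missing refresh_token at offline_access, and an access_token whose aud claim is not the resource being called predicts the 401 from management.azure.com. The sample token is constructed and unsigned purely for the demo; real tokens are signed by Azure AD and the decoding here is for diagnostics, never for trusting the claims.

```python
"""Explain a missing id_token/refresh_token or a 401 from a resource API
by inspecting an Azure AD token response.

Added example, not from the original posts. Assumptions: the claim names
aud and scp and the scopes openid / offline_access are standard OIDC / Azure AD;
the sample token built by make_unsigned_jwt is constructed for this demo.
"""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.

    Fine for diagnosing which resource a token was minted for; never use
    unverified claims to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token_response: dict, expected_audiences: set) -> list:
    """Return findings that explain the symptoms seen in the two posts.

    expected_audiences: the values Azure AD may place in aud for the resource
    you call (it can be the resource URI, with or without trailing slash, or
    the resource's application ID), so a set is accepted.
    """
    findings = []
    if "id_token" not in token_response:
        findings.append("no id_token: add the openid scope to the request")
    if "refresh_token" not in token_response:
        findings.append("no refresh_token: add the offline_access scope to the request")
    claims = jwt_claims(token_response["access_token"])
    aud = claims.get("aud")
    if aud not in expected_audiences:
        findings.append(
            f"access_token audience {aud!r} is not one of {sorted(expected_audiences)}: "
            "the resource will answer 401; request <resource>/.default instead"
        )
    return findings


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (alg none, empty signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample: the situation from the second post, a Graph-scoped
# client_credentials token being sent to Azure Resource Manager.
GRAPH_ONLY_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": make_unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read"}),
}
ARM_AUDIENCES = {"https://management.azure.com/", "https://management.azure.com"}

if __name__ == "__main__":
    for line in diagnose(GRAPH_ONLY_RESPONSE, ARM_AUDIENCES):
        print("-", line)
```

Run against the constructed response it reports all three findings; after the fixes from the posts (openid and offline_access in scope, and https://management.azure.com/.default for ARM) diagnose returns an empty list.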

Access denied in warehousingwebservice hybris

When calling warehousingwebservice in hybris 1905 it gives access denied, while in 1811 it does not. Please assist with what should be changed to solve this problem.
[RestHandlerExceptionResolver] Translating exception [org.springframework.security.access.AccessDeniedException]: Access is denied
I tried doing
https://answers.sap.com/questions/12758632/there-is-no-resource-for-path-oauthtoken-hybris-60.html
and
https://answers.sap.com/questions/12767378/how-can-we-access-oauth2-using-postman.html
but problem still exists
What I can see is that you are requesting an oauth token for grant_type=client_credentials, which will give you a token to access non-user services. Instead you would need to use grant_type=password.
For consignment services, you would need to request a token for a user in the authorized users group for the service you need to access. You would need to provide username and password while making a new token request.

WSO2 Federated IDP RefreshToken with invalid username

community.
I'm using WSO2 IS 5.7.0 to integrate an Angular app with an external IDP.
The external IDP is configured with SAML2 and the service provider Inbound Authentication is set with Oauth/OpenID.
The service provider uses Federated Authentication to communicate with the IDP.
The user uid from the IDP is matched with the claim userid, so when I ask for an oauth token, I get the correct scopes (matching a local user with roles configured) to use the token with WSO2 AM. This is working well when I get the initial oauth token using code grant.
If I introspect this token, I can verify the token belongs to the username XXXXXXXX and the scopes are the ones to consume an API on WSO2 AM, based on the roles associated to the local user XXXXXXXX.
The problem is when the refresh token is used to get a new access token after expiration. The new access token comes with the same scopes, but I cannot consume the same API I was consuming with the first token. I get a 403 Forbidden on every call and the AM log shows:
WARN - APIAuthenticationHandler API authentication failure due to Invalid Credentials
(The first WARN appears only once)
WARN - APIAuthenticationHandler API authentication failure due to The access token does not allow you to access the requested resource
(this WARN appears on the subsequent calls)
If I introspect the received token, I can see the same scopes as the original access token, but the username is different:
FEDERATED/XXXXXXXX#carbon.super.
I think this username change on the token information leads to the 403 error.
The problem is worse if I activate the Service Provider option "Use tenant domain in local subject identifier" on the Local & Outbound Authentication Configuration. In this case, every time I ask for a new token with the refresh token, the tenant is appended to the username in an infinite loop:
XXXXXXXX#carbon.super#carbon.super#carbon.super#carbon.super
On every token I get, the introspect shows me another #carbon.super is appended to the username of the actual token. In this case, the FEDERATED/ is not always present on the username.
I expect the username associated to the refresh token to be equal to the one on the first access token.
Is there a configuration to solve this, or is this a bug? Is it resolved in newer releases of WSO2 IS?
(sorry for my english)
Thanks!
A similar issue is reported [1] and fixed with PR [2].
[1] https://github.com/wso2/product-is/issues/4472
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1022
If you don't have a WSO2 subscription, upgrading to 5.8.0 will resolve the issue.

Wso2 User getting unauthorized

I am using Identity Server 5.2.0 and API Manager 2.0.0. I have implemented a method that uses the refresh token to get a new access token for a user if the token has expired. But after implementing this, some of the users will be unauthorized. When the user tries to log in, token and scopes are returned correctly, but when calling an API with the token, the user is unauthorized. Deleting and adding the user with the same username also does not solve the issue. Is there any setting that blocks a user that may cause this issue?
Are you sure the application in APIM is subscribed to the API you're trying to invoke? If not, you need to do that.