WSO2 Custom claim handler not being called for password grant_type - wso2

I have been using WSO2IS as OIDC provider. I have implemented a custom claim handler which is working fine and being invoked when WSO2 receives grant_type "Authorization_code". The problem started when a Service Provider sent a request with grant_type=password. In this case, WSO2 successfully authenticated the user and returned the JWT but... without the custom claim, as WSO2 did not invoke the custom claim handler.
This is the configuration I did in file <IS_HOME>/repository/conf/identity/application-authentication.xml for custom claim handler which is being invoked for grant_type=authorization_code.
<ClaimHandler>com.wso2.carbon.identity.custom.claim.handler.CustomClaimHandler</ClaimHandler>
This is the debug log from WSO2:
TID: [-1234] [] [2018-04-06 11:34:38,199] DEBUG
{org.wso2.carbon.identity.auth.service.handler.HandlerManager} -
Created singleton instance for
org.wso2.carbon.identity.auth.service.handler.HandlerManager TID:
[-1234] [] [2018-04-06 11:34:38,200] DEBUG
{org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get
first priority handler for the given handler list. TID: [-1234] []
[2018-04-06 11:34:38,200] DEBUG
{org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get
first priority handler :
DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG
{org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token
request received for Client ID EjQvbCf0pclp6eVO5lxTq23_lxQa, User ID
userldap, Scope : [ openid, email] and Grant Type : password TID:
[-1234] [] [2018-04-06 11:34:38,205] DEBUG
{org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler}
- Can authenticate with client ID and Secret. Client ID: EjQvbCf0pclp6eVO5lxTq23_lxQa TID: [-1234] [] [2018-04-06
11:34:38,205] DEBUG
{org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler}
- Grant type : password Strict client validation set to : null TID: [-1234] [] [2018-04-06 11:34:38,206] DEBUG
{org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client
credentials were fetched from the database. TID: [-1234] []
[2018-04-06 11:34:38,206] DEBUG
{org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully
authenticated the client with client id : EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,207] DEBUG
{org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Oauth App
validation success for consumer key: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,209] DEBUG
{org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener}
- Pre authenticator is called in IdentityMgtEventListener TID: [-1234] [] [2018-04-06 11:34:38,210] DEBUG
{org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
- Cache hit for local claim list for tenant: -1234 TID: [-1234] [] [2018-04-06 11:34:38,210] DEBUG
{org.wso2.carbon.identity.claim.metadata.mgt.DefaultClaimMetadataStore}
- Assigned mapped attribute : ref from user store domain : PRIMARY for claim : http://wso2.org/claims/identity/accountDisabled in tenant
: -1234 TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG
{org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
- Cache hit for local claim list for tenant: -1234 TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG
{org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener}
- post get user claim values is called in IdentityMgtEventListener TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG
{org.wso2.carbon.identity.core.util.IdentityUtil} - Error while
reading user store property CaseInsensitiveUsername. Considering as
case sensitive. TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG
{org.wso2.carbon.identity.governance.store.InMemoryIdentityDataStore}
- Loaded UserIdentityClaimsDO from cache for user :userldap with claims: {} TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG
{org.wso2.carbon.identity.recovery.handler.AdminForcedPasswordResetHandler}
- Handling event : PRE_AUTHENTICATION TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG
{org.wso2.carbon.identity.recovery.handler.AdminForcedPasswordResetHandler}
- PreAuthenticate - AdminForcedPasswordResetHandler for user : userldap#carbon.super TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG
{org.wso2.carbon.identity.core.util.IdentityUtil} - Error while
reading user store property CaseInsensitiveUsername. Considering as
case sensitive. TID: [-1234] [] [2018-04-06 11:34:38,216] DEBUG
{org.wso2.carbon.identity.recovery.handler.AccountConfirmationValidationHandler}
- PreAuthenticate TID: [-1234] [] [2018-04-06 11:34:38,216] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
- Cache hit for local claim list for tenant: -1234 TID: [-1234] [] [2018-04-06 11:34:38,217] DEBUG
{org.wso2.carbon.identity.claim.metadata.mgt.DefaultClaimMetadataStore}
- Assigned mapped attribute : accountLock from user store domain : PRIMARY for claim : http://wso2.org/claims/identity/accountLocked in
tenant : -1234 TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG
{org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
- Cache hit for local claim list for tenant: -1234 TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG
{org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener}
- post get user claim values is called in IdentityMgtEventListener TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG
{org.wso2.carbon.identity.core.util.IdentityUtil} - Error while
reading user store property CaseInsensitiveUsername. Considering as
case sensitive. TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG
{org.wso2.carbon.identity.governance.store.InMemoryIdentityDataStore}
- Loaded UserIdentityClaimsDO from cache for user :userldap with claims: {} TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG
{org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor}
- Cache Key not found for Random Password Container TID: [-1234] [] [2018-04-06 11:34:38,222] DEBUG
{org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener}
- post authenticator is called in IdentityMgtEventListener TID: [-1234] [] [2018-04-06 11:34:38,222] DEBUG
{org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor}
- Cache Key not found for Random Password Container TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG
{org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor}
- Cache Key not found for Random Password Container TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG
{org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler}
- Token request with Password Grant Type received. Username : userldap#carbon.superScope : email openid , Authentication State :
true TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG
{org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry}
- OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler
Resource Owner : userldap#carbon.super Client Id :
EjQvbCf0pclp6eVO5lxTq23_lxQa Scope : email openid TID: [-1234] []
[2018-04-06 11:34:38,223] DEBUG
{org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry}
- OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler
Resource Owner : userldap#carbon.super Client Id :
EjQvbCf0pclp6eVO5lxTq23_lxQa Scope : email openid TID: [-1234] []
[2018-04-06 11:34:38,223] DEBUG
{org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added
OAuthTokenReqMessageContext to threadlocal TID: [-1234] []
[2018-04-06 11:34:38,223] DEBUG
{org.wso2.carbon.identity.core.util.IdentityUtil} - Error while
reading user store property CaseInsensitiveUsername. Considering as
case sensitive. TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG
{org.wso2.carbon.identity.oauth2.util.OAuth2Util} - SP wise token
expiry time feature is applied for tenant id : -1234and consumer key :
EjQvbCf0pclp6eVO5lxTq23_lxQa TID: [-1234] [] [2018-04-06
11:34:38,224] DEBUG
{org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler}
- Service Provider specific expiry time enabled for application : EjQvbCf0pclp6eVO5lxTq23_lxQa. Application access token expiry time :
null, User access token expiry time : null, Refresh token expiry time
: null TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG
{org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler}
- OAuth application id : EjQvbCf0pclp6eVO5lxTq23_lxQa, access token validity time in milliseconds : 3600000 TID: [-1234] [] [2018-04-06
11:34:38,224] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil}
- Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive. TID: [-1234] [] [2018-04-06
11:34:38,230] DEBUG
{org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler}
- Infinite lifetime Access Token e88de89f-70d4-33d5-b447-5cd0135fd682 found in cache TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG
{org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared
OAuthTokenReqMessageContext TID: [-1234] [] [2018-04-06 11:34:38,230]
DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -
Access token issued to client Id: EjQvbCf0pclp6eVO5lxTq23_lxQa
username: userldap#carbon.super and scopes: email openid TID:
[-1234] [] [2018-04-06 11:34:38,230] DEBUG
{org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Issuing
ID token for client: EjQvbCf0pclp6eVO5lxTq23_lxQa TID: [-1234] []
[2018-04-06 11:34:38,230] DEBUG
{org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor}
- Cache Key not found for Random Password Container TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Loading Basic Application Data of AdministradorOmnicanalidad TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- ApplicationID: 21 ApplicationName: AdministradorOmnicanalidad UserName: userldap TenantDomain: carbon.super TID: [-1234] []
[2018-04-06 11:34:38,232] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Reading Clients of Application 21 TID: [-1234] [] [2018-04-06 11:34:38,233] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Reading Steps of Application 21 TID: [-1234] [] [2018-04-06 11:34:38,236] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Reading Claim Mappings of Application 21 TID: [-1234] [] [2018-04-06 11:34:38,237] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Reading Role Mapping of Application 21 TID: [-1234] [] [2018-04-06 11:34:38,241] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil}
- Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive. TID: [-1234] [] [2018-04-06
11:34:38,241] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO}
- Retrieve access token for tokenId: e88de89f-70d4-33d5-b447-5cd0135fd682 with flag includeExpired: false
TID: [-1234] [] [2018-04-06 11:34:38,244] DEBUG
{org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder} -
Using issuer https://localhost:9445/oauth2/token Subject userldap ID
Token life time 3600 Current time 1523032478 Nonce Value null
Signature Algorithm RS256 TID: [-1234] [] [2018-04-06 11:34:38,244]
DEBUG
{org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} -
Adding claims for user userldap#carbon.super to id token. TID:
[-1234] [] [2018-04-06 11:34:38,247] DEBUG
{org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} -
User attributes not found in cache. Trying to retrieve attribute for
user userldap#carbon.super TID: [-1234] [] [2018-04-06 11:34:38,249]
DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Loading Basic Application Data of AdministradorOmnicanalidad TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- ApplicationID: 21 ApplicationName: AdministradorOmnicanalidad UserName: userldap TenantDomain: carbon.super TID: [-1234] []
[2018-04-06 11:34:38,251] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Reading Clients of Application 21 TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Reading Steps of Application 21 TID: [-1234] [] [2018-04-06 11:34:38,255] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Reading Claim Mappings of Application 21 TID: [-1234] [] [2018-04-06 11:34:38,256] DEBUG
{org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
- Reading Role Mapping of Application 21
If someone can point out what I missed, or what else I can try, it would be a great help.
Thanks.

Is there any specific reason to write a custom claim handler for OIDC?
If you want to get custom claims with OIDC you could follow the below steps.
Go to management console->claims->Add->Add external claims->select dialect URI as http://wso2.org/oidc/claim, give your custom claim URI as External Claim URI, map the appropriate local claim.
Once you have successfully added the custom claim under the OIDC dialect, you have to mention the newly added custom claim URI in the registry under the openid scope. The path is below.
Registry->Browse->/_system/config/oidc and then click on Add button of the properties. There you could see the scope values.

Claim Handlers are engaged as part of the authentication process in the authentication framework that resides within the Identity Server.
When you use the authorization grant type, user authentication is handled via the authentication framework. This also means that any claims added/modified using a custom claims handler will be engaged.
However, when you use the password grant type, user authentication and claim retrieval happen via the respective user store the user resides in. Since this authentication does not happen through the authentication framework, your custom claim handler will not be engaged.
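
One way to confirm this from a debug log, as an added example that is not part of the original answers: the script below re-splits a wrapped WSO2 debug log into entries and reports the grant type, which class added claims to the ID token, and whether the configured claim handler or the authentication framework logged anything. The framework package prefix, the handler's own debug line, the client ID placeholder and both log excerpts are assumptions constructed for illustration.

```python
import re

# Class configured in <ClaimHandler> in application-authentication.xml (from the question).
CUSTOM_HANDLER = "com.wso2.carbon.identity.custom.claim.handler.CustomClaimHandler"
# Assumption: package prefix used by the Identity Server authentication framework.
FRAMEWORK_PREFIX = "org.wso2.carbon.identity.application.authentication.framework."

# One log entry: TID, an empty bracket pair, timestamp, level, {logger}, message.
# The message runs until the next " TID: [" or the end of the text.
ENTRY_RE = re.compile(
    r"TID: \[(?P<tenant>-?\d+)\] \[[^\]]*\] "
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] "
    r"(?P<level>[A-Z]+) \{(?P<logger>[\w.$]+)\} - "
    r"(?P<msg>.*?)(?= TID: \[|$)"
)
GRANT_RE = re.compile(r"Grant Type : (\S+)")

# Constructed excerpt in the wrapped layout of the log above (password grant).
PASSWORD_GRANT_LOG = """TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG
{org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token
request received for Client ID CONSTRUCTED_CLIENT_ID, User ID
userldap, Scope : [ openid, email] and Grant Type : password TID:
[-1234] [] [2018-04-06 11:34:38,223] DEBUG
{org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler}
- Token request with Password Grant Type received. TID: [-1234] []
[2018-04-06 11:34:38,244] DEBUG
{org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} -
Adding claims for user userldap#carbon.super to id token.
"""

# Constructed excerpt: the custom handler logs during login, then the code is exchanged.
# Assumes the handler writes a DEBUG line when it is invoked.
AUTH_CODE_LOG = """TID: [-1234] [] [2018-04-06 11:40:01,100] DEBUG
{com.wso2.carbon.identity.custom.claim.handler.CustomClaimHandler} -
(constructed) custom claims added for userldap TID: [-1234] []
[2018-04-06 11:40:02,310] DEBUG
{org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token
request received for Client ID CONSTRUCTED_CLIENT_ID, User ID null,
Scope : [ openid, email] and Grant Type : authorization_code
"""


def parse_entries(text):
    """Undo the line wrapping and return one dict per log entry."""
    flat = " ".join(text.split())
    return [m.groupdict() for m in ENTRY_RE.finditer(flat)]


def summarize(text, handler_class=CUSTOM_HANDLER):
    """Report grant types, ID-token claim sources and handler/framework activity."""
    entries = parse_entries(text)
    grants, claim_sources, engaged = [], [], 0
    for entry in entries:
        logger, msg = entry["logger"], entry["msg"]
        if logger.endswith(".OAuth2Service"):
            match = GRANT_RE.search(msg)
            if match:
                grants.append(match.group(1))
        if msg.startswith("Adding claims for user"):
            claim_sources.append(logger.rsplit(".", 1)[-1])
        if logger == handler_class or logger.startswith(FRAMEWORK_PREFIX):
            engaged += 1
    return {
        "entries": len(entries),
        "grant_types": grants,
        "id_token_claims_by": claim_sources,
        "framework_entries": engaged,
    }


def handler_bypassed(summary):
    """True when a password-grant token was issued with no handler/framework activity."""
    return "password" in summary["grant_types"] and summary["framework_entries"] == 0


if __name__ == "__main__":
    for name, log in (("password", PASSWORD_GRANT_LOG), ("auth code", AUTH_CODE_LOG)):
        result = summarize(log)
        print(name, result, "bypassed:", handler_bypassed(result))
```
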

Related

WSO2 Please check password policy at DC for user

We are trying to add a new user to AD as a secondary store in WSO2, but we got this problem.
We tried to get more details from the log file, but we found the following:
TID: [-1234] [] [2018-01-04 23:25:19,052] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - value after escaping special characters in user02 : user02
TID: [-1234] [] [2018-01-04 23:25:19,062] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=user)(sAMAccountName=user02)) in SearchBase:
TID: [-1234] [] [2018-01-04 23:25:19,065] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for user02 is CN=user02,CN=Users,DC=DEVDC,DC=sure,DC=com,DC=sa
TID: [-1234] [] [2018-01-04 23:25:19,072] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for role: rolhejazi
TID: [-1234] [] [2018-01-04 23:25:19,072] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Using search filter: (&(objectcategory=group)(cn=rolhejazi))
TID: [-1234] [] [2018-01-04 23:25:19,077] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching in CN=Users,DC=devdc,DC=sure,DC=com,DC=sa
TID: [-1234] [] [2018-01-04 23:25:19,080] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Is role: rolhejazi exist: true
TID: [-1234] [] [2018-01-04 23:25:19,082] DEBUG {org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager} - Modifying role: CN=rolhejazi with type: 1 user: CN=user02,CN=Users,DC=DEVDC,DC=sure,DC=com,DC=sa in search base: CN=Users,DC=devdc,DC=sure,DC=com,DC=sa
TID: [-1234] [] [2018-01-04 23:25:19,400] DEBUG {org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager} - User: CN=user02,CN=Users,DC=DEVDC,DC=sure,DC=com,DC=sa was successfully modified in LDAP group: CN=rolhejazi
TID: [-1234] [] [2018-01-04 23:25:19,402] WARN {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - Unsecured connection is being used. Enabling user account operation will fail
TID: [-1234] [] [2018-01-04 23:25:19,411] ERROR {org.wso2.carbon.user.mgt.UserRealmProxy} - Error while enabling the user account. Please check password policy at DC for user : user02
org.wso2.carbon.user.core.UserStoreException: Error while enabling the user account. Please check password policy at DC for user : user02

WSO2 Error occurred while modifying user entry

We use WSO2 Identity, and we are trying to add a new user to AD as a secondary store through WSO2. The user was created successfully, but we also got an error message after the user was created, as shown below:
In the log file we caught this error:
TID: [-1234] [] [2018-01-05 21:59:13,215] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=user)(sAMAccountName=user022)) in SearchBase:
TID: [-1234] [] [2018-01-05 21:59:13,218] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for user022 is CN=user022,CN=Users,DC=DEVDC,DC=sure,DC=com,DC=sa
TID: [-1234] [] [2018-01-05 21:59:13,229] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for role: Domain Users
TID: [-1234] [] [2018-01-05 21:59:13,230] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Using search filter: (&(objectcategory=group)(cn=Domain Users))
TID: [-1234] [] [2018-01-05 21:59:13,235] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching in CN=Users,DC=devdc,DC=sure,DC=com,DC=sa
TID: [-1234] [] [2018-01-05 21:59:13,237] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Is role: Domain Users exist: true
TID: [-1234] [] [2018-01-05 21:59:13,240] DEBUG {org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager} - Modifying role: CN=Domain Users with type: 1 user: CN=user022,CN=Users,DC=DEVDC,DC=sure,DC=com,DC=sa in search base: CN=Users,DC=devdc,DC=sure,DC=com,DC=sa
TID: [-1234] [] [2018-01-05 21:59:13,249] DEBUG {org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager} - Error occurred while modifying user entry: CN=user022,CN=Users,DC=DEVDC,DC=sure,DC=com,DC=sa in LDAP role: CN=Domain Users
javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000528: UpdErr: DSID-031A11E2, problem 6005 (ENTRY_EXISTS), data 0
]; remaining name 'CN=Domain Users'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1408)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:257)

wso2 api manager throws exception Error in invoking validate key via thrift

I see this intermittent exception in my log file on a Unix server. My WSO2 API Manager is a standalone installation of 1.10.0. Please help me understand this exception.
Stack trace below:
TID: [-1234] [] [2017-11-16 08:19:40,350] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2017-11-16 08:21:29,962] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2017-11-16 08:33:48,425] WARN {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl} - Invalid session id for thrift authenticator. {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl}
TID: [-1234] [] [2017-11-16 08:33:48,425] ERROR {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl} - Error in invoking validate key via thrift.. {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl}
TID: [-1234] [] [2017-11-16 08:33:48,426] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftKeyValidatorClientPool} - Login failed.. Authenticating again.. {org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftKeyValidatorClientPool}
TID: [-1234] [] [2017-11-16 08:33:48,437] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2017-11-16 08:33:48,437-0500] from IP address {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
TID: [-1] [] [2017-11-16 08:33:48,476] INFO {org.wso2.carbon.databridge.agent.thrift.internal.publisher.client.EventPublisher} - Session timed out for TCP,localhost:7614,TCP,localhost:7714,Thrift Session Expired Exception {org.wso2.carbon.databridge.agent.thrift.internal.publisher.client.EventPublisher}
From your above logs, I can see the following error log related to Thrift:
TID: [-1234] [] [2017-11-16 08:33:48,425] ERROR {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl} - Error in invoking validate key via thrift.. {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl}
I don't really see a reason for the above, but can you please change to WSClient from ThriftClient? This configuration resides in the api-manager.xml file.
There could be a connection issue related to thrift in your node.

WSO2 API Manager returns http 500 error code

Going through the WSO2 API Manager logs, we noticed a few occurrences where calls returned an HTTP 500 error and were successful on a subsequent retry by the client. This does not happen all the time (at about a 5% rate). And all these incidents are from the same source IP. Looking further, these calls that fail with HTTP 500 never get sent to the back-end endpoint for actual processing. Therefore, these calls are failed by WSO2 API Manager itself.
We have verified that the CPU and memory of WSO2 are at a normal working level. Our WSO2 APIM environment has no authorization token enabled (simple pass-through with throttle), hence this can be counted out.
From the log, the error 500 is returned almost immediately and the retry typically happens within 200ms. And all these errors (about 49) happen within the same hour.
We are also not able to verify the exact error message, as the API calls are from one of our clients.
We would appreciate it if you could list all the possibilities as to why WSO2 may have returned HTTP 500 in this case. Otherwise, how are we able to investigate the scenario further? Thanks.
Here are relevant logs
WSO2 APIM AWS ELB access logs
$ grep 'fromIndex=394501&toIndex=395000' *.log
WSO2APIM_ELBACESS.log:2016-12-06T08:37:37.905822Z wso2-oss-server x.x.x.x:63598 x.x.x.98:8280 0.000042 0.001862 0.000023 500 500 0 293 "GET https://wso2apimanager:443/rest/request?view=full&fromIndex=394501&toIndex=395000&lastModifiedFrom=2016-12-05%2000%3A00%3A00 HTTP/1.1" "RestSharp/x.x.x.x" ECDHE-RSA-AES128-SHA TLSv1
WSO2APIM_ELBACESS.log:2016-12-06T08:37:38.102539Z wso2-oss-server x.x.x.x:63598 x.x.x.120:8280 0.000041 0.035397 0.000025 200 200 0 33 "GET https://wso2apimanager:443/rest/request?view=full&fromIndex=394501&toIndex=395000&lastModifiedFrom=2016-12-05%2000%3A00%3A00 HTTP/1.1" "RestSharp/x.x.x.x" ECDHE-RSA-AES128-SHA TLSv1
WSO2 APIM http access log
$ grep 'fromIndex=394501&toIndex=395000' *.log
http_access_2016-12-06.log_m1:x.x.x.x x.x.x.140 - - [06/Dec/2016:08:37:37 +0000] "GET /rest/request?view=full&fromIndex=394501&toIndex=395000&lastModifiedFrom=2016-12-05%2000%3A00%3A00 HTTP/1.1" - - "-" "RestSharp/x.x.x.x"
http_access_2016-12-06.log_m1:x.x.x.x x.x.x.72 - - [06/Dec/2016:08:37:37 +0000] "GET /rest/request?view=full&fromIndex=394501&toIndex=395000&lastModifiedFrom=2016-12-05%2000%3A00%3A00 HTTP/1.1" - - "-" "Synapse-PT-HttpComponents-NIO"
http_access_2016-12-06.log_m2:x.x.x.x x.x.x.140 - - [06/Dec/2016:08:37:37 +0000] "GET /rest/request?view=full&fromIndex=394501&toIndex=395000&lastModifiedFrom=2016-12-05%2000%3A00%3A00 HTTP/1.1" - - "-" "RestSharp/x.x.x.x"
Back-end AWS ELB access log
$ grep 'fromIndex=394501&toIndex=395000' *.log
BACKEND_ELBACCESS.log:2016-12-06T08:37:38.104641Z vpc-connect-api x.x.x.120:46946 x.x.x.23:80 0.000045 0.032717 0.000022 200 200 0 33 "GET http://backendserver:80/rest/request?view=full&fromIndex=394501&toIndex=395000&lastModifiedFrom=2016-12-05%2000%3A00%3A00 HTTP/1.1" "Synapse-PT-HttpComponents-NIO" - -
WSO2 API Manager 1 (wso2carbon.log)
TID: [-1234] [] [2016-12-06 08:34:47,427] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected {org.wso2.carbon.databridge.core.DataBridge}
TID: [-1234] [] [2016-12-06 08:35:18,069] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2016-12-06 08:35:47,850] INFO {org.wso2.andes.kernel.AndesRecoveryTask} - Running DB sync task. {org.wso2.andes.kernel.AndesRecoveryTask}
TID: [-1] [] [2016-12-06 08:37:13,485] WARN {org.apache.synapse.transport.passthru.TargetHandler} - http-outgoing-16702: Connection time out while in state: REQUEST_DONE {org.apache.synapse.transport.passthru.TargetHandler}
TID: [-1234] [] [2016-12-06 08:37:13,486] WARN {org.apache.synapse.endpoints.EndpointContext} - Endpoint : admin--XXX_APIproductionEndpoint_28 will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:37:13,486] WARN {org.apache.synapse.endpoints.EndpointContext} - Suspending endpoint : admin--XXX_APIproductionEndpoint_28 - current suspend duration is : 30000ms - Next retry after : Tue Dec 06 08:37:43 UTC 2016 {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:37:13,486] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 101507, ERROR_MESSAGE = Error in Sender {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2016-12-06 08:37:13,487] WARN {org.apache.synapse.transport.passthru.SourceHandler} - Connection time out after request is read: http-incoming-566702 {org.apache.synapse.transport.passthru.SourceHandler}
TID: [-1234] [] [2016-12-06 08:37:13,961] INFO {org.apache.synapse.endpoints.EndpointContext} - Endpoint : admin--XXX_APIproductionEndpoint_28 currently SUSPENDED will now be marked active since it processed its last message {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:37:18,342] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:39:18,007] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:40:17,933] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:41:17,725] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:43:17,811] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:45:17,892] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:47:18,363] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2016-12-06 08:50:47,850] INFO {org.wso2.andes.kernel.AndesRecoveryTask} - Running DB sync task. {org.wso2.andes.kernel.AndesRecoveryTask}
TID: [-1234] [] [2016-12-06 08:51:17,864] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:53:17,753] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:55:18,025] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:57:18,333] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:59:17,949] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
WSO2 API Manager 2 (wso2carbon.log)
TID: [-1234] [] [2016-12-06 08:34:54,620] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected {org.wso2.carbon.databridge.core.DataBridge}
TID: [-1234] [] [2016-12-06 08:36:18,043] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2016-12-06 08:37:13,674] WARN {org.apache.synapse.transport.passthru.TargetHandler} - http-outgoing-16760: Connection time out while in state: REQUEST_DONE {org.apache.synapse.transport.passthru.TargetHandler}
TID: [-1234] [] [2016-12-06 08:37:13,692] WARN {org.apache.synapse.endpoints.EndpointContext} - Endpoint : admin--XXX_APIproductionEndpoint_28 will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:37:13,693] WARN {org.apache.synapse.endpoints.EndpointContext} - Suspending endpoint : admin--XXX_APIproductionEndpoint_28 - current suspend duration is : 30000ms - Next retry after : Tue Dec 06 08:37:43 UTC 2016 {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:37:13,693] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 101507, ERROR_MESSAGE = Error in Sender {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2016-12-06 08:37:13,694] WARN {org.apache.synapse.transport.passthru.SourceHandler} - Connection time out after request is read: http-incoming-566592 {org.apache.synapse.transport.passthru.SourceHandler}
TID: [-1234] [] [2016-12-06 08:37:14,331] INFO {org.apache.synapse.endpoints.EndpointContext} - Endpoint : admin--XXX_APIproductionEndpoint_28 currently SUSPENDED will now be marked active since it processed its last message {org.apache.synapse.endpoints.EndpointContext}
TID: [-1] [] [2016-12-06 08:37:14,620] WARN {org.apache.synapse.transport.passthru.TargetHandler} - http-outgoing-16759: Connection time out while in state: REQUEST_DONE {org.apache.synapse.transport.passthru.TargetHandler}
TID: [-1234] [] [2016-12-06 08:37:14,621] WARN {org.apache.synapse.endpoints.EndpointContext} - Endpoint : admin--XXX_APIproductionEndpoint_29 will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:37:14,621] WARN {org.apache.synapse.endpoints.EndpointContext} - Suspending endpoint : admin--XXX_APIproductionEndpoint_29 - current suspend duration is : 30000ms - Next retry after : Tue Dec 06 08:37:44 UTC 2016 {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:37:14,621] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 101507, ERROR_MESSAGE = Error in Sender {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:14,818] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:15,255] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:29,543] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:35,137] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:35,568] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:35,990] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:36,409] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:37,899] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:38,327] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:41,129] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:41,545] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:37:42,969] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:38:09,156] INFO {org.apache.synapse.endpoints.EndpointContext} - Endpoint : admin--XXX_APIproductionEndpoint_29 currently SUSPENDED will now be marked active since it processed its last message {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:38:17,817] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2016-12-06 08:39:16,163] WARN {org.apache.synapse.transport.passthru.SourceHandler} - Connection time out after request is read: http-incoming-566604 {org.apache.synapse.transport.passthru.SourceHandler}
TID: [-1] [] [2016-12-06 08:39:19,169] WARN {org.apache.synapse.transport.passthru.SourceHandler} - Connection time out after request is read: http-incoming-566640 {org.apache.synapse.transport.passthru.SourceHandler}
TID: [-1234] [] [2016-12-06 08:39:19,648] ERROR {org.apache.synapse.transport.passthru.PassThroughHttpSender} - Failed to submit the response {org.apache.synapse.transport.passthru.PassThroughHttpSender}
java.lang.NullPointerException
TID: [-1234] [] [2016-12-06 08:39:19,649] ERROR {org.apache.synapse.core.axis2.Axis2Sender} - Access-Control-Allow-Headers:authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,Access-Control-Allow-Methods:GET,Access-Control-Allow-Origin:*,Content-Type:application/json,<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body/></soapenv:Envelope> Unexpected error sending message back {org.apache.synapse.core.axis2.Axis2Sender}
org.apache.axis2.AxisFault: Failed to submit the response
at org.apache.synapse.transport.passthru.PassThroughHttpSender.handleException(PassThroughHttpSender.java:613)
at org.apache.synapse.transport.passthru.PassThroughHttpSender.invoke(PassThroughHttpSender.java:266)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
Caused by: java.lang.NullPointerException
TID: [-1234] [] [2016-12-06 08:39:19,650] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = Access-Control-Allow-Headers:authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,Access-Control-Allow-Methods:GET,Access-Control-Allow-Origin:*,Content-Type:application/json,<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body/></soapenv:Envelope> Unexpected error sending message back {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:39:19,688] WARN {org.apache.synapse.core.axis2.Axis2Sender} - Trying to send a response to an already responded client request - Rest API Context : /rest {org.apache.synapse.core.axis2.Axis2Sender}
TID: [-1] [] [2016-12-06 08:39:20,249] WARN {org.apache.synapse.transport.passthru.ConnectCallback} - Connection refused or failed for : internal-vpc-connect-api-1883227725.ap-southeast-1.elb.amazonaws.com/x.x.x.43:80 {org.apache.synapse.transport.passthru.ConnectCallback}
TID: [-1234] [] [2016-12-06 08:39:20,252] WARN {org.apache.synapse.endpoints.EndpointContext} - Endpoint : admin--XXX_APIproductionEndpoint_29 will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:39:20,254] WARN {org.apache.synapse.endpoints.EndpointContext} - Suspending endpoint : admin--XXX_APIproductionEndpoint_29 - current suspend duration is : 30000ms - Next retry after : Tue Dec 06 08:39:50 UTC 2016 {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:39:20,254] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 101503, ERROR_MESSAGE = Error connecting to the back end {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:39:20,254] ERROR {org.apache.synapse.transport.passthru.PassThroughHttpSender} - Failed to submit the response {org.apache.synapse.transport.passthru.PassThroughHttpSender}
java.lang.NullPointerException
TID: [-1234] [] [2016-12-06 08:39:20,255] ERROR {org.apache.synapse.core.axis2.Axis2Sender} - Accept-Encoding:gzip, deflate,Access-Control-Allow-Headers:authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,Access-Control-Allow-Methods:GET,Access-Control-Allow-Origin:*,Content-Type:application/xml,password:Hjfawx99##,username:lynn#heatherjames.com,X-Forwarded-For:76.79.103.18,X-Forwarded-Port:443,X-Forwarded-Proto:https,<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body><am:fault xmlns:am="http://wso2.org/apimanager"><am:code>101503</am:code><am:type>Status report</am:type><am:message>Runtime Error</am:message><am:description>Error connecting to the back end</am:description></am:fault></soapenv:Body></soapenv:Envelope> Unexpected error sending message back {org.apache.synapse.core.axis2.Axis2Sender}
org.apache.axis2.AxisFault: Failed to submit the response
at org.apache.synapse.transport.passthru.PassThroughHttpSender.handleException(PassThroughHttpSender.java:613)
at org.apache.synapse.transport.passthru.PassThroughHttpSender.invoke(PassThroughHttpSender.java:266)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
Caused by: java.lang.NullPointerException
TID: [-1234] [] [2016-12-06 08:39:20,255] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 101503, ERROR_MESSAGE = Error connecting to the back end {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:39:20,256] WARN {org.apache.synapse.core.axis2.Axis2Sender} - Trying to send a response to an already responded client request - Rest API Context : /rest {org.apache.synapse.core.axis2.Axis2Sender}
TID: [-1] [] [2016-12-06 08:39:22,936] WARN {org.apache.synapse.transport.passthru.ConnectCallback} - Connection refused or failed for : internal-vpc-connect-api-1883227725.ap-southeast-1.elb.amazonaws.com/x.x.x.43:80 {org.apache.synapse.transport.passthru.ConnectCallback}
TID: [-1234] [] [2016-12-06 08:39:22,942] WARN {org.apache.synapse.endpoints.EndpointContext} - Endpoint : admin--XXX_APIproductionEndpoint_29 will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:39:22,945] WARN {org.apache.synapse.endpoints.EndpointContext} - Suspending endpoint : admin--XXX_APIproductionEndpoint_29 - last suspend duration was : 30000ms and current suspend duration is : 30000ms - Next retry after : Tue Dec 06 08:39:52 UTC 2016 {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:39:22,945] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 101503, ERROR_MESSAGE = Error connecting to the back end {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:39:23,363] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
x 34 of similar logs
TID: [-1234] [] [2016-12-06 08:39:52,303] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Executing default 'fault' sequence, ERROR_CODE = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : admin--XXX_APIproductionEndpoint_29 ] [ State : SUSPENDED ] {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:39:53,910] INFO {org.apache.synapse.endpoints.EndpointContext} - Endpoint : admin--XXX_APIproductionEndpoint_29 currently SUSPENDED will now be marked active since it processed its last message {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-12-06 08:42:19,456] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2016-12-06 08:42:56,120] INFO {org.wso2.andes.kernel.AndesRecoveryTask} - Running DB sync task. {org.wso2.andes.kernel.AndesRecoveryTask}
TID: [-1234] [] [2016-12-06 08:44:18,039] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:46:17,939] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:46:36,177] WARN {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl} - Invalid session id for thrift authenticator. {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl}
TID: [-1234] [] [2016-12-06 08:46:36,177] ERROR {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl} - Error in invoking validate key via thrift.. {org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl}
TID: [-1234] [] [2016-12-06 08:46:36,177] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftKeyValidatorClient} - Login failed.. Authenticating again.. {org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftKeyValidatorClient}
TID: [-1234] [] [2016-12-06 08:46:36,231] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2016-12-06 08:46:36,231+0000] from IP address {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
TID: [-1234] [] [2016-12-06 08:48:17,776] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:49:18,033] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:50:17,748] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:52:18,419] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:54:18,051] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-06 08:56:17,815] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2016-12-06 08:57:56,120] INFO {org.wso2.andes.kernel.AndesRecoveryTask} - Running DB sync task. {org.wso2.andes.kernel.AndesRecoveryTask}
TID: [-1234] [] [2016-12-06 08:58:18,054] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = / {org.apache.synapse.mediators.builtin.LogMediator}
From your logs you can see that your backend was suspended and that is the cause of your 500 error. APIM will unsuspend the endpoint after a set timeout period and allow you to try the endpoint again. It seems the backend was having some issues where it was working most of the time but sometimes unavailable, causing the suspension of the endpoint.
Since this report is so old I'm using the most current documentation. You can see the same error code of 303001 on the Endpoint Suspension page.
I further created a quick demo of this situation using APIM 4.1.0 on my laptop and used an endpoint URL of bogus.endpoint, which of course will not resolve. I received the following message back using Postman:
{
"code": "303001",
"type": "Status report",
"message": "Runtime Error",
"description": "Currently , Address endpoint : [ Name : DemoSuspention--vv1_APIproductionEndpoint ] [ State : SUSPENDED ]"
}
And it gave me a status result of: 500 Internal Server Error 40 ms 732 B
Normally when I run into this type of situation I reach out to the technical point of contact for the backend and report what I'm seeing. They normally can locate some kind of issue in their logs and then address it by either restarting a server or fixing a bug depending on what is found.
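The answer's reading of the log, as an added example (not part of the original answer or of WSO2's code): the script pairs each "will be marked SUSPENDED" line with the matching "will now be marked active" line and counts the 303001 rejections in between. The sample log is constructed in the layout quoted above, the endpoint name is a placeholder, and taking the first non-303001 fault after a failure as its cause is an assumption of this sketch.

```python
import re
from datetime import datetime

# Constructed sample in the wso2carbon.log layout quoted above; EP is a placeholder name.
EP = "admin--Demo_APIproductionEndpoint_1"
CTX = "{org.apache.synapse.endpoints.EndpointContext}"
MED = "{org.apache.synapse.mediators.builtin.LogMediator}"
FAULT_MSG = "STATUS = Executing default 'fault' sequence, ERROR_CODE"
SAMPLE_LOG = f"""\
TID: [-1234] [] [2016-12-06 08:37:14,621] WARN {CTX} - Endpoint : {EP} will be marked SUSPENDED as it failed
TID: [-1234] [] [2016-12-06 08:37:14,621] WARN {CTX} - Suspending endpoint : {EP} - current suspend duration is : 30000ms
TID: [-1234] [] [2016-12-06 08:37:14,621] INFO {MED} - {FAULT_MSG} = 101507, ERROR_MESSAGE = Error in Sender
TID: [-1234] [] [2016-12-06 08:37:14,818] INFO {MED} - {FAULT_MSG} = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : {EP} ] [ State : SUSPENDED ]
TID: [-1234] [] [2016-12-06 08:37:15,255] INFO {MED} - {FAULT_MSG} = 303001, ERROR_MESSAGE = Currently , Address endpoint : [ Name : {EP} ] [ State : SUSPENDED ]
TID: [-1234] [] [2016-12-06 08:37:20,100] WARN {CTX} - Endpoint : {EP} will be marked SUSPENDED as it failed
TID: [-1234] [] [2016-12-06 08:37:20,101] INFO {MED} - {FAULT_MSG} = 101503, ERROR_MESSAGE = Error connecting to the back end
java.lang.NullPointerException
TID: [-1234] [] [2016-12-06 08:38:09,156] INFO {CTX} - Endpoint : {EP} currently SUSPENDED will now be marked active since it processed its last message
"""

LINE = re.compile(r"^TID: \[[^\]]*\] \[[^\]]*\] \[([^\]]+)\]\s+\w+\s+\{[^}]+\}\s+-\s+(.*)$")
SUSPEND = re.compile(r"Endpoint : (\S+) will be marked SUSPENDED as it failed")
RESUME = re.compile(r"Endpoint : (\S+) currently SUSPENDED will now be marked active")
FAULT = re.compile(r"Executing default 'fault' sequence, ERROR_CODE = (\d+)")
REJECTED = re.compile(r"\[ Name : (\S+) \] \[ State : SUSPENDED \]")


def suspension_windows(log_text):
    """Return one dict per suspension window, in log order."""
    windows, open_by_ep, awaiting_cause = [], {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace and wrapped lines carry no event
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        msg = m.group(2)
        if s := SUSPEND.search(msg):
            w = open_by_ep.get(s.group(1))
            if w is None:  # a repeat failure while suspended stays in the same window
                w = {"endpoint": s.group(1), "start": ts, "end": None,
                     "seconds": None, "causes": [], "rejected": 0}
                open_by_ep[s.group(1)] = w
                windows.append(w)
            awaiting_cause = w
        elif r := RESUME.search(msg):
            w = open_by_ep.pop(r.group(1), None)
            if w:
                w["end"], w["seconds"] = ts, (ts - w["start"]).total_seconds()
        elif f := FAULT.search(msg):
            rej = REJECTED.search(msg)
            if f.group(1) == "303001" and rej:
                if rej.group(1) in open_by_ep:
                    open_by_ep[rej.group(1)]["rejected"] += 1
            elif awaiting_cause is not None:
                # Assumption: the first non-303001 fault after a failure is its cause.
                awaiting_cause["causes"].append(f.group(1))
                awaiting_cause = None
    return windows


if __name__ == "__main__":
    for w in suspension_windows(SAMPLE_LOG):
        print(w["endpoint"], w["start"], w["seconds"], w["causes"], w["rejected"])
```

A window whose `end` is still `None` at the end of the file means the endpoint had not been marked active again when the log was cut.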

Refresh token returns invalid grant type

I'm trying to refresh the access token (based on https://docs.wso2.com/display/IS510/Refresh+Token+Grant) obtained from WSO2 Identity Server; the server returns an invalid grant type response:
{
"error": "invalid_grant",
"error_description": "Provided Authorization Grant is invalid"
}
The access token is obtained using the "authorization code" grant type with the openid scope.
I've turned on the logging on the server; however, I'm not able to determine the reason for the invalid grant type response. How can I get the WSO2 Identity Server to refresh my access token using the refresh token?
Logs from the server:
TID: [-1234] [] [2016-03-14 09:20:11,241] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID CHao3ZYUVY6tRX4jJ82yzh4NVpka, User ID null, Scope : [openid] and Grant Type : refresh_token
TID: [-1234] [] [2016-03-14 09:20:11,241] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: CHao3ZYUVY6tRX4jJ82yzh4NVpka
TID: [-1234] [] [2016-03-14 09:20:11,241] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : refresh_token Strict client validation set to : null
TID: [-1234] [] [2016-03-14 09:20:11,242] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
TID: [-1234] [] [2016-03-14 09:20:11,242] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : CHao3ZYUVY6tRX4jJ82yzh4NVpka
TID: [-1234] [] [2016-03-14 09:20:11,243] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were added to the cache for client id : CHao3ZYUVY6tRX4jJ82yzh4NVpka
TID: [-1234] [] [2016-03-14 09:20:11,245] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler} - Invalid Refresh Token provided for Client with Client Id : CHao3ZYUVY6tRX4jJ82yzh4NVpka
TID: [-1234] [] [2016-03-14 09:20:11,245] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Invalid Grant provided by the client Id: CHao3ZYUVY6tRX4jJ82yzh4NVpka
TID: [-1234] [] [2016-03-14 09:20:11,246] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_grant client-id=CHao3ZYUVY6tRX4jJ82yzh4NVpka grant-type=refresh_token scope=openid
Question is old... Hopefully it can help someone else after this long ;).
I had the same issue. However, I resolved it by specifying the exact refresh token. It's worth noting that refresh_token is different from the access token. If you don't have/know your refresh_token, use this curl command to get it.
curl -k -d "grant_type=password&username=<username>&password=<password>" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
The response will be like this:
{
"scope": "default",
"token_type": "Bearer",
"expires_in": 2604,
"refresh_token": "7d6e9047d44a84e6bae7e80e3996182d",
"access_token": "4255a34923eb464b6dc2983acffef4d8"
}
Then use that refresh_token in your renew token curl call.
More details on the 1st curl request here
Peace out .V.
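The two-step flow from the answer, as an added example (not code from the answer or from WSO2): the refresh call is built from the stored `refresh_token` field rather than the access token, and the stored tokens are then replaced with whatever the server returns, since RFC 6749 section 6 allows the server to issue a new refresh token. The client credentials and the rotated reply are constructed placeholders; the token endpoint, the first token response and the error body are the ones shown above.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://localhost:8243/token"  # token endpoint from the answer's curl call

# Token response as shown in the answer.
STORED = json.loads("""{"scope": "default", "token_type": "Bearer", "expires_in": 2604,
 "refresh_token": "7d6e9047d44a84e6bae7e80e3996182d",
 "access_token": "4255a34923eb464b6dc2983acffef4d8"}""")

# Constructed server replies: a success that rotates the refresh token, and
# the error body quoted in the question.
ROTATED_REPLY = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                            "refresh_token": "constructed-new-refresh-token",
                            "access_token": "constructed-new-access-token"})
ERROR_REPLY = json.dumps({"error": "invalid_grant",
                          "error_description": "Provided Authorization Grant is invalid"})


def build_refresh_request(tokens, client_id, client_secret, scope=None):
    """Build (without sending) the refresh request of RFC 6749 section 6."""
    refresh = tokens.get("refresh_token")
    if not refresh:
        raise ValueError("no refresh_token stored; a new grant is needed")
    # The form carries the refresh token, never the access token.
    form = {"grant_type": "refresh_token", "refresh_token": refresh}
    if scope:
        form["scope"] = scope
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(TOKEN_URL, data=urlencode(form).encode(), method="POST",
                   headers={"Authorization": f"Basic {basic}",
                            "Content-Type": "application/x-www-form-urlencoded"})


def apply_refresh_response(tokens, response_body):
    """Return the updated token set, or raise on an OAuth error response."""
    reply = json.loads(response_body)
    if "error" in reply:
        raise PermissionError(f'{reply["error"]}: {reply.get("error_description", "")}')
    updated = dict(tokens)
    updated.update(reply)  # a rotated refresh_token replaces the stored one
    return updated


if __name__ == "__main__":
    req = build_refresh_request(STORED, "example-client-id", "example-client-secret")
    print(req.get_method(), req.full_url, req.data.decode())
    print(apply_refresh_response(STORED, ROTATED_REPLY)["refresh_token"])
```

Reusing the old refresh token after a rotated one has been issued is one way to end up with the `invalid_grant` reply quoted in the question.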