WSO2 maps the requested URL called on it to a URL on another server. How can I see the mapped URL that WSO2 effectively called?
For debugging, another option you have is enabling wire logs.
1) Uncomment the line below in <APIM_HOME>/repository/conf/log4j.properties
log4j.logger.org.apache.synapse.transport.http.wire=DEBUG
2) Restart the Server.
3) Send a request and wire logs can be found in console and <APIM_HOME>/repository/logs/wso2carbon.log file.
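Once the wire logger is on, the outbound request to the backend appears as a request line plus a Host header on a Sender I/O thread, which together give the URL the gateway actually called. The script below is an added example (not from the original answer or from WSO2): it pulls those two pieces out of wso2carbon.log and reassembles the effective backend URL per request. The sample lines are constructed to approximate the org.apache.synapse.transport.http.wire layout; the thread names, hosts, paths and token are made up.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample of WSO2 wire-log lines. The layout approximates what the
# org.apache.synapse.transport.http.wire logger writes (timestamp, logger, I/O thread,
# direction marker, quoted bytes); hosts, paths and the token are made up.
SAMPLE_WIRE_LOG = r"""
[2020-01-13 18:52:20,398] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-3 >> "GET /customers/1.0/42 HTTP/1.1[\r][\n]"
[2020-01-13 18:52:20,398] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-3 >> "Host: gateway.example.test:8243[\r][\n]"
[2020-01-13 18:52:20,400] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 << "GET /v1/customers/42 HTTP/1.1[\r][\n]"
[2020-01-13 18:52:20,400] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 << "Host: backend.example.internal:9443[\r][\n]"
[2020-01-13 18:52:20,401] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 << "Authorization: Bearer PLACEHOLDER-TOKEN[\r][\n]"
[2020-01-13 18:52:20,401] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 << "[\r][\n]"
[2020-01-13 18:52:20,530] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 >> "HTTP/1.1 200 OK[\r][\n]"
[2020-01-13 18:52:20,531] DEBUG {org.apache.synapse.transport.http.wire} - HTTP-Sender I/O dispatcher-2 << "POST /legacy/orders HTTP/1.1[\r][\n]"
[2020-01-13 18:52:20,531] DEBUG {org.apache.synapse.transport.http.wire} - HTTP-Sender I/O dispatcher-2 << "Host: orders.example.internal[\r][\n]"
"""

# One wire-log entry: the quoted payload is one line of the HTTP message, with the
# CRLF rendered literally as [\r][\n]. Direction markers are captured but not relied on;
# the Sender/Listener role in the thread name tells us which side of the gateway we see.
WIRE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] DEBUG \{org\.apache\.synapse\.transport\.http\.wire\} - '
    r'(?P<thread>(?P<proto>HTTPS?)-(?P<role>Sender|Listener) I/O dispatcher-\d+) '
    r'(?P<dir>>>|<<) "(?P<payload>.*?)(?:\[\\r\]\[\\n\])?"$'
)
REQUEST_LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$')
HOST_RE = re.compile(r'^Host: (?P<host>\S+)$', re.IGNORECASE)


def backend_requests(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Reconstruct (method, URL) pairs for every request the gateway sent to a backend.

    The request line and its Host header are separate log entries on the same Sender
    thread, so the request line is held per thread until the Host header arrives.
    Listener threads carry the client -> gateway traffic and are skipped.
    """
    pending = {}  # thread name -> (scheme, method, request-target)
    found = []
    for raw in lines:
        m = WIRE_RE.match(raw.strip())
        if not m or m.group('role') != 'Sender':
            continue
        thread, payload = m.group('thread'), m.group('payload')
        req = REQUEST_LINE_RE.match(payload)
        if req:
            pending[thread] = (m.group('proto').lower(), req.group('method'), req.group('target'))
            continue
        host = HOST_RE.match(payload)
        if host and thread in pending:
            scheme, method, target = pending.pop(thread)
            found.append((method, f"{scheme}://{host.group('host')}{target}"))
    return found


if __name__ == "__main__":
    for method, url in backend_requests(SAMPLE_WIRE_LOG.splitlines()):
        print(method, url)
```

Wire logs dump every header and body byte, including the Authorization header forwarded to the backend, so the DEBUG line should be commented out again once the URL question is answered.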
Just found an answer at WSO2 blog: [Trace API calls and responses](https://wso2.com/blogs/cloud/trace-api-calls-and-responses/).
Open for editing the API that you want to trace,
Go to step 2 (Implement),
Click the Enable Message Mediation checkbox and then select the debug_ sequences from the dropdowns for all 3 flows below it
Click the Next: Manage button at the bottom of the screen,
Click Save & Publish at the bottom of the last step of the editing wizard.
Open the live log by clicking the Configure / Admin Dashboard menu, and then clicking Log Analyzer / Live Log Viewer in Admin Dashboard’s left-hand menu pane.
Now invoke the API (for example, in the API Store‘s API Console for that API).
You will see detailed information on the API request and response in the log.
When you are done troubleshooting, disable the message mediation that you enabled in step 3.
This solution has a great disadvantage: you must have Analytics running (I don't have it now). But you can turn it on just for your own API. If you don't have Analytics running, you can compromise with #Bee's solution below and some tail -f | grep.
I have a web-app built with the AWS Amplify framework. I rely on Cognito Hosted UI w/ identity federation for registration and login. In reviewing the registrations for my app, I noticed that it got 70+ registrations, but of these only 12 went on to create user profiles. I tested creating an account and signing in through each identity provider (Amazon, Google, Facebook) as well as through standard signup with an email and password. I never had any issues.
I started testing more heavily on mobile and eventually I started to encounter an error. I plugged my mobile device into my laptop, navigated to chrome://inspect and checked the network tab and JS console. Only when my chosen identity provider required an OTP code, I noted that I was getting invalid_request and invalid_grant errors after I input the code and continued with sign-in, even though registration seemed to work (I say registration seemed to work because I received AWS credentials in the initial response and amplify-signin-with-hostedUI was set to true in localStorage. Also, when I open the AWS Console and go to Cognito, I can see that I've been added as a user in my User_Pool).
If I refresh the browser at this point, it seems a new request is sent off to /token, but it comes back with a 400 error with the invalid_grant message.
I kept poking around and eventually found something interesting. There are three tabs involved in the login process, and I think this is somehow messing things up. On mobile, when I try to register or login with the Cognito Hosted UI, I am first met with the Federated Identity Provider buttons and email/password page.
First I got to my website (Tab One). Then I click sign-up and the Hosted UI page pops up (Tab Two). I select one of the login methods (Amazon, Google, Facebook, or Email/Password). If the selected method requires no OTP, I'm golden. I'm redirected to my web app and the app works fine. If my selected method requires an OTP, a new tab opens (Tab 3) which asks for the token. At this point, I can see in Chrome devtools that an error occurs on this tab (Tab 3).
After plugging in the OTP code and clicking sign-in, I'm redirected, as expected, back to my web-app, but this redirect occurs in the original tab (Tab One), however with a query string added to the URL (/?code=). If I click the view tabs button, I see that the Hosted UI tab (Tab Two) is still open and still has the Cognito Hosted UI buttons/username+password page open. Not sure if that's important.
Now on Tab One with my web app, I don't immediately see any errors in Chrome devtools. But I can see that my app is unable to load. If I wait, it just loads and loads forever. If I refresh the page, then at this point I see a new request to /token fire off in the Network Tab of Chrome DevTools and it comes back with the 400 error invalid_grant response.
Has anyone else encountered this issue or found a resolution?
Thanks in advance!
I recently set up WSO2 Identity Server 5.7.0, and users have begun using it extensively. However, some are running into a problem where they accidentally hit the Back button in their browser after logging in, and they don't know how to get back to the application at that point. Refreshing the page does nothing, and trying to log in again takes them to an "Authentication Error" message on <IS_HOME>/repository/deployment/server/webapps/authenticationendpoint/retry.jsp, which does not provide any links to take them back to the service provider application.
I found this solution in the WSO2 documentation:
https://docs.wso2.com/m/mobile.action#page/85367898/header/CustomizingtheAuthenticationEndpoint-Handlingbrowserbackbuttonandbookmarkedloginpage
I have implemented the relyingPartyRedirectUrls resource under /_system/config/identity/config in the WSO2 Registry for each of the service provider applications defined in the environment, and it is working exactly as I had hoped in Firefox 68.3 ESR and Edge 44. However, it does not seem to work for Chrome 79 or Internet Explorer 11.
Problem script:
/logincontext?sessionDataKey=19283828-7f3a-49ff-a640-58b95d252b4d&relyingParty=my-sp-name&tenantDomain=carbon.super
In Firefox, this script contains the following code in the response:
{"status":"redirect","redirectUrl":"https://my.sp.com/"}
However, the same script in Chrome contains this code in the response:
{"status":"success"}
Do you have any recommendations for what tweaks I could make to the configuration in order to get this fix working in all (or most) browsers? If you have other recommendations for ways to mitigate the pain for users who don't think to click the "Forward" button in their browser, I would be very open to hearing them.
P.S. When a user tries to log in a second time after clicking the Back button, this is what shows up in wso2carbon.log:
TID: [-1234] [] [2020-01-13 18:52:20,400] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache
TID: [-1234] [] [2020-01-13 18:52:20,400] WARN {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Authentication context is null, redirect parameter filtering will not be done for 19283828-7f3a-49ff-a640-58b95d252b4d
P.P.S. I discovered that when I load a bookmarked URL in Chrome 79, the fix works as expected. Also, if I use the Back button to get to the login page and then refresh the login page, that also causes the fix to take me into the app. It is only the initial load of the login page after clicking the Back button where the fix doesn't work (in Chrome 79, at least; the fix doesn't work under any of those circumstances in IE 11).
I tested Chrome 79 with the dashboard app with the above configs and it worked fine. Can you check with the dashboard application?
If you want you can create a git issue in https://github.com/wso2/product-is/issues to report this behaviour directly to WSO2 IAM team.
Another suggestion, if you find the retry.jsp not intuitive enough, you can always modify/replace that with your custom implementation. For example if you have one main application, then you can add the link to your homepage in the retry.jsp. Then users can always go back to your application using that link.
I'm building an AspNet Core 2.1 website using Azure AD B2C authentication, based on the example code I found here.
I can authenticate against the Google identity provider. But instead of showing a custom page based on the attributes I selected for the signup/signin policy in the Azure AD B2C portal, all I get is the normal Google authentication page asking me which Google account I want to authenticate against.
I was able to display a custom page listing all the attributes I'd defined in an earlier version of my project, which used the deprecated microsoftonline.com domain. But now that I'm using the recommended b2clogin.com domain the page is no longer appearing. I don't know if that change has anything to do with the missing page, but I thought I'd mention it.
My appsettings.json file is:
{
  "AzureADB2C": {
    "ApiScopes": "https://ridemonitor.onmicrosoft.com/api/user.read",
    "ApiUrl": "https://ridemonitor.azurewebsites.net/hello",
    "CallbackPath": "/signin-oidc",
    "ClientId": "**redacted**",
    "Domain": "ridemonitor.onmicrosoft.com",
    "EditProfilePolicyId": "b2c_1_ProfileEditing",
    "Instance": "https://ridemonitor.b2clogin.com/tfp",
    "RedirectUri": "https://localhost:44305/signin-oidc",
    "ResetPasswordPolicyId": "b2c_1_PWReset",
    "SignUpSignInPolicyId": "b2c_1_SignUpIn"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Warning"
    }
  },
  "AllowedHosts": "*"
}
Update
I've configured two identity providers for my app, Google and Microsoft Account. The Microsoft Account provider does, in fact, display a customized page listing all the attributes I set in the Azure AD B2C portal when I authenticate with it. It's just the Google route which has stopped displaying the custom attribute page.
The redirect uri in Google Cloud Platform -> Credentials is:
https://ridemonitor.b2clogin.com/ridemonitor.onmicrosoft.com/oauth2/authresp
which is the url I should be sent to, and used to be sent to by the Google identity provider, and is the url the Microsoft Account identity provider sends me to when I try to log in.
It looks like I need to update something in my Google configuration, but I'm not sure what.
Update #2
Using the Chrome developer's console, and Link Redirect Trace, I tried to see how I ended up on the pages I ended up on after clicking both the Google and Microsoft Account signin/signup links.
The Google button lands me on the generic Google login page. The initial redirect (there are several subsequent ones) appears to be:
https://accounts.google.com/signin/oauth?client_id=769952297467-qhqd9brt7pl4sra1hnjhnnqchce2h6f1.apps.googleusercontent.com&as=c-8m6tr-h2tUDpRHqIApkQ&destination=https://ridemonitor.b2clogin.com&approval_state=!ChR4aFltdld5TGNwWUEyUlA1R0R6TRIfczBDdExlN01TRElYa013TWpqbVNUV1h5alREUVloWQ%E2%88%99ANKMe1QAAAAAW7K6uQbexonsHodkbBOebSymUYB1yufO&oauthgdpr=1&xsrfsig=AHgIfE8msp705-PG2II5uHWqjoODqYSLPg
The initial redirect for the Microsoft Account button is:
https://login.live.com/oauth20_authorize.srf?client_id=704398a8-908a-4512-9cc0-4453014b4714&redirect_uri=https%3a%2f%2fridemonitor.b2clogin.com%2fridemonitor.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=openid+profile+email&response_mode=form_post&nonce=TQsICDEyv245x1E4pkQynQ%3d%3d&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6ZjBlYmQ4OTUtNmVjYS00NzBhLWE4ZDYtY2U4NTgyYzFmZmNjIiwiVElEIjoiNzIwZDg5NDEtNmM2Zi00YzIzLWI5MWEtZDMyZjJjODA5Yjk4In0
Comparing the two initial redirects, what's interesting is that the one for Google does not contain a parameter for the redirect_uri. Which I presume is the place the browser should be sent after a successful authentication.
Yet my Google credentials page would appear to be set up correctly:
Or am I maybe not configuring stuff in the right part of the Google ecosystem? I thought I was following some Microsoft directions regarding Google credentials, but...
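The comparison the question does by eye (which OAuth parameters each provider's initial redirect carries, and whether redirect_uri matches the registered callback) can be scripted. The block below is an added example, not code from the question or from Microsoft/Google: it decodes the query string of an authorization request, lists the standard parameters that are absent, and checks redirect_uri for an exact match against the registered value. The two URLs are constructed stand-ins for the ones quoted above, with client ids, state, nonce and Google's internal parameters replaced by placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-ins for the two initial redirects in the question. Client ids,
# state, nonce and Google's internal parameters are placeholders; the set of
# parameter names mirrors what the question shows for each provider.
GOOGLE_AUTHORIZE = (
    "https://accounts.google.com/signin/oauth"
    "?client_id=PLACEHOLDER.apps.googleusercontent.com"
    "&as=PLACEHOLDER"
    "&destination=https://ridemonitor.b2clogin.com"
    "&approval_state=PLACEHOLDER&oauthgdpr=1&xsrfsig=PLACEHOLDER"
)
MICROSOFT_AUTHORIZE = (
    "https://login.live.com/oauth20_authorize.srf"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https%3a%2f%2fridemonitor.b2clogin.com%2fridemonitor.onmicrosoft.com%2foauth2%2fauthresp"
    "&response_type=code&scope=openid+profile+email&response_mode=form_post"
    "&nonce=PLACEHOLDER&state=PLACEHOLDER"
)
# The callback registered with the identity provider (the value given in the question).
REGISTERED_REDIRECT = "https://ridemonitor.b2clogin.com/ridemonitor.onmicrosoft.com/oauth2/authresp"

# Parameters an OIDC authorization-code request needs, and the two that protect it
# against CSRF (state) and token replay (nonce).
REQUIRED = ("client_id", "redirect_uri", "response_type", "scope")
RECOMMENDED = ("state", "nonce")


def authorize_params(url: str) -> dict:
    """Decode the query string of an authorization request into a flat dict.

    parse_qs percent-decodes each value, so the lower-case %3a%2f escapes in the
    Microsoft URL come back as ':' and '/' and can be compared as a plain string.
    """
    query = urlsplit(url).query
    return {name: values[0] for name, values in parse_qs(query, keep_blank_values=True).items()}


def audit_authorize_url(url: str, registered_redirect: str = None) -> list:
    """Return human-readable findings about what the request is missing or gets wrong."""
    params = authorize_params(url)
    findings = []
    for name in REQUIRED:
        if name not in params:
            findings.append(f"missing required parameter: {name}")
    for name in RECOMMENDED:
        if name not in params:
            findings.append(f"missing recommended parameter: {name}")
    sent = params.get("redirect_uri")
    # Providers match redirect_uri exactly; any deviation (scheme, host, path, slash) is a finding.
    if registered_redirect and sent is not None and sent != registered_redirect:
        findings.append(f"redirect_uri {sent!r} does not exactly match registered {registered_redirect!r}")
    return findings


if __name__ == "__main__":
    for label, url in (("Google", GOOGLE_AUTHORIZE), ("Microsoft", MICROSOFT_AUTHORIZE)):
        print(label, audit_authorize_url(url, REGISTERED_REDIRECT) or ["no findings"])
```

Run against the constructed URLs, the Microsoft request produces no findings (its redirect_uri decodes to the registered callback exactly), while the Google request is flagged for the absent redirect_uri, response_type, scope, state and nonce, which is the discrepancy the question noticed.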
Do you get any error messages?
Try using your browser's dev tools to check any error logs and identify the CSS styling that took effect in your HTML elements. It's possible that your custom classes are being overwritten by the Google default styling.
You can edit the CSS within your browser's dev tools and then update the CSS files in Azure Blob Storage when you are happy with them.
Refer also to this thread and this one to see if these issues might be similar to yours.
I went quickly through setting up a custom page on AWS Cognito.
However when I go to the corresponding website:
https://**<custom-domain>**.auth.us-east-1.amazoncognito.com/
I get a blank page.
Found the answer at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-ux.html
You can view the hosted UI with your customizations by constructing the following URL, with the specifics for your user pool, and typing it into a browser:
https://<your_domain>/login?response_type=code&client_id=<your_app_client_id>&redirect_uri=<your_callback_url>
You may have to wait up to one minute to refresh your browser before changes made in the console appear.
Note that redirect_uri needs to be escaped; e.g. / -> %2F
P.S. The next error you encounter might be: invalid_request error on AWS Cognito Custom UI Page
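Building the Hosted UI URL from the AWS documentation quoted above, with the redirect_uri escaping the answer mentions handled by the standard library rather than by hand, looks like this. It is an added example, not code from the answer or from AWS; the domain, client id and callback are constructed placeholders for a hypothetical user pool, and the second function performs the exact-match check Cognito applies to redirect_uri against the app client's configured callback URLs.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders for a hypothetical user pool (not the values from the question).
DOMAIN = "myapp.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789abcdefghij"
CALLBACK = "https://localhost:3000/callback"


def hosted_ui_login_url(domain: str, client_id: str, redirect_uri: str,
                        scopes=("openid",), state: str = None) -> str:
    """Build the Hosted UI /login URL in the form the AWS docs give.

    urlencode percent-encodes every value, so the ':' and '/' of the redirect_uri
    become %3A and %2F (the escaping the answer points out) instead of being read
    as part of the login URL's own structure.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    if state is not None:
        params["state"] = state  # opaque per-request value the app checks on return
    return f"https://{domain}/login?{urlencode(params)}"


def redirect_uri_is_allowed(login_url: str, allowed_callbacks) -> bool:
    """Decode redirect_uri from a login URL and require an exact match with one of the
    callback URLs configured on the app client. Cognito compares exactly, so a
    trailing slash, a different port or http vs https is a different URL."""
    params = parse_qs(urlsplit(login_url).query)
    sent = params.get("redirect_uri", [None])[0]
    return sent in set(allowed_callbacks)


if __name__ == "__main__":
    url = hosted_ui_login_url(DOMAIN, CLIENT_ID, CALLBACK, scopes=("openid", "email"), state="PLACEHOLDER-STATE")
    print(url)
    print("redirect_uri allowed:", redirect_uri_is_allowed(url, {CALLBACK}))
```

Paste the printed URL into a browser to see the customized page; if the app client's callback list does not contain the decoded redirect_uri character for character, redirect_uri_is_allowed returns False before Cognito gets a chance to reject it.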
I have upgraded a Sitecore to SC7.2. When I open the media browser I can't explore the media items because I am getting a 404 from the Web Item API. The configs seem correct but I am wondering if files/items didn't get installed.
The URL being requested is:
http://{domain}/-/item/v1/sitecore/shell?sc_itemid=%7B3D6658D8-A0BF-4E75-B3E2-D050FABCF4E1%7D&scope=c&sc_database=master&language=en&fields=__Hidden
Has anyone seen this before? Anyone know how I can check if the Web Item Api was installed correctly?
To check whether the Item Web API is enabled or not:
1) Download Fiddler
2) Enter Query: http://sc8/-/item/v1/?scope=c&sc_database=master&query=/sitecore/content
[Note: sc8 will be replaced by your sitecore instance name]
3) If you have enabled Standard Security in Sitecore Item Web API -- Enter Login Credentials and Click Execute.
You will get the JSON response:
If you get a JSON response, your Sitecore Item Web API is enabled.
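The same check can be scripted so that it distinguishes "the API is not answering at all" (the 404 in the question) from "it is answering but wants credentials" and from a JSON body that is not the Item Web API's envelope. This is an added example, not code from the answer or from Sitecore. It assumes the Item Web API's standard security mode reads credentials from the X-Scitemwebapi-Username and X-Scitemwebapi-Password headers and wraps results in a {"statusCode": ..., "result": ...} object; the sample bodies are constructed, and the instance name is a placeholder.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def item_api_url(instance: str, query: str = "/sitecore/content", database: str = "master") -> str:
    """Build the query from the answer; 'instance' is your Sitecore host name (e.g. sc8)."""
    params = {"scope": "c", "sc_database": database, "query": query}
    return f"http://{instance}/-/item/v1/?{urlencode(params)}"


def classify_response(status: int, content_type: str, body: str) -> str:
    """Turn status, content type and body into a statement about the API's state."""
    if status == 404:
        return "not enabled: nothing answered /-/item/v1/ (check the Item Web API config and DLLs)"
    if status in (401, 403):
        return "enabled, but standard security rejected the request (supply credentials)"
    if status != 200:
        return f"unexpected HTTP status {status}"
    if "json" not in (content_type or "").lower():
        return "200 but not JSON: something else (e.g. an HTML error or login page) answered"
    try:
        data = json.loads(body)
    except ValueError:
        return "200 with a JSON content type but an unparsable body"
    if isinstance(data, dict) and "statusCode" in data and "result" in data:
        return "enabled: Item Web API JSON envelope received"
    return "200 JSON, but not the Item Web API's {statusCode, result} envelope"


def check_item_api(url: str, username: str = None, password: str = None, timeout: int = 10) -> str:
    """Send the request (with credentials if standard security is on) and classify the reply."""
    headers = {"Accept": "application/json"}
    if username:
        headers["X-Scitemwebapi-Username"] = username
        headers["X-Scitemwebapi-Password"] = password or ""
    try:
        with urlopen(Request(url, headers=headers), timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type", ""),
                                     resp.read().decode("utf-8", "replace"))
    except HTTPError as err:  # urlopen raises for 4xx/5xx; classify those too
        return classify_response(err.code, err.headers.get("Content-Type", ""),
                                 err.read().decode("utf-8", "replace"))


# Constructed sample bodies so the classifier can be exercised offline.
SAMPLE_OK = json.dumps({
    "statusCode": 200,
    "result": {"totalCount": 1, "resultCount": 1,
               "items": [{"ID": "{PLACEHOLDER-GUID}", "Name": "content", "Path": "/sitecore/content"}]},
})
SAMPLE_404 = "<html><body>The resource cannot be found.</body></html>"


if __name__ == "__main__":
    print(item_api_url("sc8"))
    print(classify_response(200, "application/json; charset=utf-8", SAMPLE_OK))
    print(classify_response(404, "text/html", SAMPLE_404))
```

To run it against a real instance call check_item_api(item_api_url("sc8"), "sitecore\\admin", "<password>"); the 404 branch is the symptom from the question, and a 401 shows the handler is wired up but standard security is on.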
This was caused by a custom site resolver in the HttpBeginRequest pipeline that had been added as part of support fix.