I have created and published an API from the WSO2 publisher and it works fine. But if I try and edit the API like adding a new scope, then the changes are not getting updated. The scopes do not get updated in the WSO2 Store and are not available when calling the login API.
What could be the reason?
APIM gateway has a resource cache which caches resource information (eg. scopes of resources). That cache is invalidated after every 15 mins by default. So, they may not be invalidated just after you modify them from publisher UI. So, you have to either wait 15 mins or restart the server.
All above is for gateway. If you don't see scopes in Store, there must be some issues occurred while creating scopes. You can check wso2carbon.log file for error logs.
Related
There is an API hosted in WSO2 APIM 4.1.0 and there are two different App subscribed to that API.
Before Unsubscribe:
I just unsubscribed one of App to delete the API subscription by follows wso2 doc
After Unsubscribe:
After unsubscribed , I can able to invoke WSO2 API by using unsubscribed Application token
It should now allow that unsubscribed app to invoke API. OR correct me if my understanding is wrong.
Postman :
Note: In above API Hit, I passed unsubscribed APP token as Authorization
In your case, you should not be able to invoke the API without a proper subscriptions. Although the token is valid, you should get a 403 HTTP code saying subscription validation has failed.
You can check whether the events are propagated successfully to your gateway node from the control plane node. This is basically when you have a distributed setup. If you have a HA setup, verify both nodes are working properly when it comes to event distribution.
Are you using the GA release of APIM 4.1.0? If so, this could be a bug in that was fixed later through U2 updates. When an application subscription is deleted, any API invocations done using the tokens of that application should fail due subscription validation with an error similar to the one below with a 403 HTTP code.
{"code":"900908","message":"Resource forbidden ","description":"User is NOT authorized to access the Resource. API Subscription validation failed."}
If you have a paid WSO2 subsciption, please try this scenario by taking the latest U2 updated/patched version of APIM 4.1.0 by referring this.
I tried the GA APIM 4.1.0 and this usecase worked as expected. Shall we verify the subscription delete event flow in the API gateway by enabling debug logs for gateway and keymanagement components?
Add the following configurations in the <APIM_HOME>/repository/logs/log4j2.properties
logger.gateway-component.name = org.wso2.carbon.apimgt.gateway
logger.gateway-component.level = DEBUG
logger.keymgt-component.name = org.wso2.carbon.apimgt.keymgt
logger.keymgt-component.level = DEBUG
make sure to add the newly created loggers as below.
loggers = gateway-component,keymgt-component, AUDIT_LOG, trace-messages, org-apache-coyote, ....
With these, subscribe and unsubscribe events should be displayed in the terminal. You can use them to verify the event flow.
I have created a token by using the following API Call
https://wso2identityseverip:port/oauth2/token
I used generated token in my API by postman which is giving an accurate response. But after 15 min of idle state when I use the same token in the API it is giving me an error.
{
"code": "900901",
"message": "Invalid Credentials",
"description": "Access failure for API: /url/1.0.0, version: 1.0.0 status: (900901) - Invalid Credentials. Make sure you have provided the correct security credentials"}
Requirement:
Token should expire after an hour. For this I have also added following configurations in my deployment.toml.
[session.timeout] idle_session_timeout= "60m" remember_me_session_timeout= "14d" extend_remember_me_session_timeout_on_auth=false
But still token is expiring in 15 min.
The token expiry time is an application-wise config, and the default oauth token timeout is set to 3600 s(1h). If you haven't changed this to 15m, see the following.
If you are experiencing an issue of the invalid token after session time out, it would happen if your application has enabled SSO Session Based access token binding. Also, you have configured to revoke access token at session expiry (this is by default enabled in WSO2IS-5.11.0 onwards https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#revoke-access-tokens-on-logoutsession-expiry).
Regarding session time-out configs:
The idle session time-out configs that you added as follows,
[session.timeout]
idle_session_timeout= "60m"
remember_me_session_timeout= "14d"
are only affected to each tenant that is created after adding the configuration. (Note the note in the green color box https://is.docs.wso2.com/en/5.11.0/learn/configuring-session-timeout/?query=idle_session_timeout#configuration)
In order to change the configs of the already created tenant or carbon.super tenant, you have to log into tenant via the management console, navigate to main tab -> Identity Providers -> Resident, and change the configs there.
Since the error code (code: 900901) is coming from the APIM side, these answers would also help you to troubleshoot
Refer:
https://stackoverflow.com/a/45173578/10055162
https://stackoverflow.com/a/55137885/10055162
I have tried this with latest IS 6.0.0.
You can change the following.
Default validity period for application access tokens
Default validity period for user access tokens
To do you can add the following to the deployment toml (change the values as per your wish).
[oauth.token_validation]
app_access_token_validity=1800
user_access_token_validity=1800
In the latest IS, the default expiry is 3600 seconds (1hr). But in your case it seems it isn't the case. Adding the above config will update the config files but it will not update your already created SP configs. The config change will take an effect from the next SP creation onwards. To update already created SPs, you have to do it from the carbon console Service Provider settings.
When you do this, make sure to change the refresh token validity period as well.
Starting with an API defined in WSO2 with no scopes associated to its endpoints...
... I get an access token and invoke them correctly.
Now I modify and publish my API, assigning a scope to one on the endpoints so that it requires the editor scope:
Now I invoke that editor scoped endpoint with the previous access_token and it works. This shouldn't happen since the token was given with the default scope, not the editor one.
Now I restart WSO2 and try again with the same token, getting the expected result of access denied:
(900910) - The access token does not allow you to access the requested resource</ams:description></ams:fault>%
I have needed to restart the platform so that scope changes are considered!! Is this a bug, a expected behaviour (it shouldn't...) of is there any way to force the refreshment of the endpoint requirements (appart from just publishing the changed API).?
If you generate a new access token after either modifying or deleting
a scope of an API resource that you had previously invoked, you will
not be able to access that particular resource of the API for a period
of 15 minutes, which is the default Gateway cache period, because the
WSO2 API Manager Gateway is designed to cache the details of the
resource on its side.
Ref: https://docs.wso2.com/display/AM250/Scope+Management+with+OAuth+Scopes
This is not a practical problem in a typical production environment, as API updates in a production environment are very rare.
However, if this is really a problem for you, you can override the default scope validator[1] by extending it to not to use this cache. This is configured in identity.xml.
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L92
Having WSO2 IS 5.0.0.SP1 backed by PostgreSQL there is another application reading user information using the SCIM service (filter=userNameEq...)
All works but after certain time the service returns "User is not authorized.." response with a single ERROR level log line. Since that moment all subsequent calls fail with "404 User is not authorized". Even when I log in using the admin account I have no access rights. This state takes for a few minutes and then all seems working again.
We traced the response message to the SCIM service implementation where the authorization is checked. However we are unable to find the root cause of the issue (suspecting some exception is qietly dropped, cache cleanup cleans more than it should, ...)
Any hint / idea is appreciated.
Carpe diem
Gabriel
This seems to be authorization issue. If after trying 3 fail login attempt user locked 0-minutes(Most user used 05 minutes). This is default settings of fresh WSO2 IS pack. After the configured locked-time user unlocked. Then the user have a login with valid credentials. If you need, you can change the login attempt,locked time.Please check [IS_HOME]/repository/conf/security/identity-mgt.properties file. It's having the all configuration.
Issue is resolved (or - reason is identified in another system). In the AD tree one of the domain controllers is external (cloud) and unable to authenticate the technical (wso2) datastore user. When the AD node hostname is resolved to the cloud node, then ldapsearch is unable to return any groups from a sub-domain of the cloud based domain controller (interesting - it doesn't fail).
We're looking to replace an existing API manager with wso2 and one of the features of the other platform is that we can identify a 'user' of the API at run time and have the throttling work.
The 'user' is not OAuth identified, rather they authenticate via the API and a session id is returned (so they've never registered at a 'store'). This session id is then used to setup the throttling at the API Manager. Additionally the other tool has code to look for the user logging in and using that id in the throttling. so if a user tries to login too many times per hour the API manager blocks the request in addition to too many requests for a logged in user per hour. The combinations of login attempts, API calls etc. are summed into the throttle. (All this was implemented by their services team years ago)
The main reason we need this is we don't want to force our old clients to go to OAuth immediately but want much more visibility, reporting and throttling.
Thoughts on how to do this with wso2? I see where we can add our own Handlers to the API to figure out session ids, login ids etc. but I don't see where to create the logic to do the throttling.
Thanks,
Chris
Login to Carbon and edit the tiers.xml (/_system/governance/apimgt/applicationdata/tiers.xml)。You can found the section <throttle:ID throttle:type="ROLE">Unauthenticated</throttle:ID>