WSO2: web service changePasswordByUser error - wso2

I've installed WSO2 API-M 1.10.0 and am trying to update the password of a user.
Steps:
Create a user in the tenant "carbon.super" and assign the user the admin role at the same time. (success)
Use the user's credentials to change his password via the web service UserAdminService changePasswordByUser. (fail)
The request is:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://org.apache.axis2/xsd">
  <soap:Header/>
  <soap:Body>
    <xsd:changePasswordByUser>
      <!--Optional:-->
      <xsd:userName>?</xsd:userName>
      <!--Optional:-->
      <xsd:oldPassword>?</xsd:oldPassword>
      <!--Optional:-->
      <xsd:newPassword>?</xsd:newPassword>
    </xsd:changePasswordByUser>
  </soap:Body>
</soap:Envelope>
And the error message is:
Error while updating password. Wrong old credential provided
I'm sure that the two passwords are correct and the credential is base64 encoded (account:oldPassword). Do I need to encode the passwords into something?
Thanks
Tom

I verified this scenario and it is working fine in both APIM 1.10.0 and 2.0.0. If you get that error, that means the password has already been changed and you are trying to change it for the second time. Please try to log in to the management console using the new password and make sure it has been changed.

Related

In WSO2 IS 5.9.0 how to configure Password Policies And Login Policies with help of an API?

I need to find the REST/SOAP API for Password Policies (Password History and Password Pattern) and Login Policies (Account Locking and Account Disabling).
I am using WSO2 IS 5.9.0.
I am creating a multi-tenant environment from WSO2. I am able to perform all the steps from code but am not able to find an API for these two settings.
I have to do this manually, but this is just a workaround and I need to figure out the WSO2 APIs for these.
I need a curl request or documentation for the APIs of these 2 settings.
From WSO2 IS 5.10.0 onwards there is a REST API to update these configurations.
However, in 5.9.0 and before, only SOAP APIs are available. You can use the https://localhost:9443/services/IdentityGovernanceAdminService SOAP service for this purpose. There are 2 operations available in this service: getConnectorList and updateConfigurations.
You can use getConnectorList to find the available connectors and their property names. Then you can use the updateConfigurations operation to update a property value. The message body would look like the one below to update the Password History validation count configuration.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gov="http://governance.identity.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd">
  <soapenv:Header/>
  <soapenv:Body>
    <gov:updateConfigurations>
      <gov:configurations>
        <xsd:name>passwordHistory.count</xsd:name>
        <xsd:value>6</xsd:value>
      </gov:configurations>
    </gov:updateConfigurations>
  </soapenv:Body>
</soapenv:Envelope>

500 internal error with WSO2 cloud

I've been trying to integrate SAML with WSO2 cloud.
I have some successful experience with other vendors like OneLogin, Okta and PingOne.
But I get an obscure 500 error with WSO2.
I get a 500 error with every request I try.
I don't need much, just a SAMLRequest format that will work for WSO2.
For example, now I'm passing:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest ID="z9dac5520-d4a4-4da9-b71a-483948c1655c" IssueInstant="2017-04-29T08:40:39.677Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
I deflate, base64 encode and URL encode it.
I tried different variations but nothing works.
Thanks
The request has no value for the Issuer element. Why would any IDP accept a request from an unidentified SP? You need to use a value that identifies the SP and that was previously registered out-of-band with the IDP.
Can you explain a bit more what you are trying to do here? Is it enabling SAML-based authentication via WSO2 cloud for one of your applications? If that is the scenario, you need to log in to Identity Cloud [1] and configure a service provider as described in [2]. Only then can you send a SAML request to Identity Cloud for authentication.
[1] https://identity.cloud.wso2.com
[2] https://docs.wso2.com/display/IdentityCloud/Configuring+SSO+for+Custom+Applications
Once the service provider is configured to accept SAML requests as described in the previous links, you can send a standard SAML request to Identity Cloud. A sample SAML request is given below. Note that the AssertionConsumerServiceURL, Destination and Issuer attributes should be changed as relevant for you. Each tenant gets a separate SSO service URL, which is in the format "https://identity.cloud.wso2.com/identity/t/{TenantDomain}". This will be the value for "Destination" in the SAML request.
<samlp:AuthnRequest AssertionConsumerServiceURL="http://apps.com/travelocity/home.jsp"
                    Destination="https://identity.cloud.wso2.com/identity/t/demo1org"
                    ForceAuthn="false"
                    ID="a9b1b4992f048bb1004677207cc97097a73e47cdaf4ba21360ef8cf38dc76702"
                    IsPassive="false"
                    IssueInstant="2017-05-02T12:59:45.409Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    >
  <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">wso2App1-wso2org-1.0</samlp:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"
                       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                       SPNameQualifier="Issuer"
                       xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                       />
  <saml2p:RequestedAuthnContext Comparison="exact"
                                xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                                >
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
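An added example, not code from the answer above or from WSO2, that builds an AuthnRequest of the shape shown in the sample, refuses an empty Issuer (the problem the first reply points out: the IdP cannot map such a request to a registered service provider), and encodes it the way the asker described. Raw DEFLATE plus base64 plus URL encoding is the HTTP-Redirect binding; the HTTP-POST binding is base64 only, so mixing the two is a common source of rejected requests. The function names and the decode helper are assumptions; the namespace URIs and binding identifiers are the standard SAML 2.0 values used in the sample.

```python
"""Build and encode a SAML 2.0 AuthnRequest for a WSO2 Identity Cloud tenant.
Added example, not code from the answer or from WSO2; function names and the
decode helper are assumptions."""
import base64
import datetime
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_authn_request(issuer, acs_url, destination, issue_instant=None, request_id=None):
    """Return the AuthnRequest XML. `issuer` is the SP identifier registered with
    the IdP out-of-band; an empty Issuer (as in the question) is rejected here
    because the IdP has nothing to match the request against."""
    if not issuer or not issuer.strip():
        raise ValueError("Issuer must be the SP identifier registered with the IdP")
    if request_id is None:
        request_id = "_" + secrets.token_hex(16)   # xs:ID must not start with a digit
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "AssertionConsumerServiceURL": acs_url,
        "Destination": destination,           # the tenant's SSO URL
        "ForceAuthn": "false",
        "ID": request_id,
        "IsPassive": "false",
        "IssueInstant": issue_instant,
        "ProtocolBinding": HTTP_POST_BINDING,  # how the IdP should return the Response
        "Version": "2.0",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "true", "Format": PERSISTENT})
    ctx = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = PPT
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode for the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(param):
    """Inverse of encode_redirect; handy for checking what was actually sent."""
    deflated = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(deflated, -15).decode("utf-8")


def encode_post(xml_text):
    """HTTP-POST binding: base64 only, no DEFLATE, in a form field named SAMLRequest."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def issuer_of(xml_text):
    """Issuer value of a request, '' if the element is absent or empty."""
    el = ET.fromstring(xml_text).find(f"{{{SAML}}}Issuer")
    return (el.text or "").strip() if el is not None else ""


if __name__ == "__main__":
    req = build_authn_request("wso2App1-wso2org-1.0",
                              "http://apps.com/travelocity/home.jsp",
                              "https://identity.cloud.wso2.com/identity/t/demo1org")
    print(req)
    print("SAMLRequest (redirect) =", encode_redirect(req)[:60], "...")
```

Run `issuer_of` on the request from the question and it returns an empty string, which is the condition the IdP is rejecting; the builder refuses to produce such a request in the first place.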

WSO2 - Check if an access token is still valid

I am implementing an OAuth 2 token flow using the password grant_type as per the WSO2 docs here.
I have this working for logging in users in the web application I am currently working on, and am storing the retrieved access token in local storage.
If I wanted to check that the token is still valid (say the user refreshes the browser), is there a request I can make to check that the access token is still valid and hasn't expired? I assume it would be some form of POST request to the token endpoint URL?
Thanks
To validate the token, there is an admin service which you can use. It's a SOAP service, and calling the "validate" method in the admin service can be used to validate the token.
Validation Endpoint
https://localhost:9443/services/OAuth2TokenValidationService/
The validate method will respond back to you with the validity period. This service is an admin service which you can invoke through basic authentication and other authentication mechanisms such as mutual authentication.
I believe another approach is to call the token endpoint for a new token. AFAIR, if a valid token exists, it returns it with the expiry time, from which you can calculate the validity period.
Another way is that, if possible, you can store the time the token was requested and have a separate timer to check whether the validity time has expired. At the very first time the token generation request is made, it returns the token with its validity period.
As harsha89 mentioned, you can use the OAuth2TokenValidationService to validate. A sample SOAP request is as follows:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth2.identity.carbon.wso2.org/xsd">
  <soapenv:Header/>
  <soapenv:Body>
    <xsd:validate>
      <xsd:validationReqDTO>
        <xsd1:accessToken>
          <xsd1:identifier>b443652fdc3642bb1b3ba8ebae99068</xsd1:identifier><!--access token received-->
          <xsd1:tokenType>bearer</xsd1:tokenType>
        </xsd1:accessToken>
        <xsd1:context>
          <xsd1:key></xsd1:key>
          <xsd1:value></xsd1:value>
        </xsd1:context>
      </xsd:validationReqDTO>
    </xsd:validate>
  </soapenv:Body>
</soapenv:Envelope>
Sample response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
      <ns:return xsi:type="ax2369:OAuth2TokenValidationResponseDTO" xmlns:ax2369="http://dto.oauth2.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2369:authorizationContextToken xsi:type="ax2369:OAuth2TokenValidationResponseDTO_AuthorizationContextToken">
          <ax2369:tokenString>eyJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTFZemRoWlRSaU9XRTBOV0kyTTJKbU9UYzFaQSJ9.eyJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvYXBwbGljYXRpb25uYW1lIjoiRGVmYXVsdEFwcGxpY2F0aW9uIiwiZXhwIjoxNDQ2Nzg1NjczLCJzdWIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL3N1YnNjcmliZXIiOiJhZG1pbiIsImlzcyI6Imh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5IiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL2VuZHVzZXIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvcm9sZSI6WyJJbnRlcm5hbFwvZXZlcnlvbmUiXSwiaWF0IjoxNDQ2NzgzMjExfQ.VY2J_stNVvCwdGdOn71yw96z0EnbtRabQBt8fDFO5LM4TyNmF56T4uXLGjPW-BaHFKEa21ao0s8zW3UVp3yh2Va5pJhJdEcNeSMHObVvDJBdrDbOqrFZnVG7hxV4n4yIJfWt3jciRQz-SdqVYKJuRF-Tn8qfX30m1s0cMeqEZ2A</ax2369:tokenString>
          <ax2369:tokenType>JWT</ax2369:tokenType>
        </ax2369:authorizationContextToken>
        <ax2369:authorizedUser>admin2#carbon.super</ax2369:authorizedUser>
        <ax2369:errorMsg xsi:nil="true"/>
        <ax2369:expiryTime>1737</ax2369:expiryTime>
        <ax2369:scope/>
        <ax2369:valid>true</ax2369:valid>
      </ns:return>
    </ns:validateResponse>
  </soapenv:Body>
</soapenv:Envelope>
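An added example, not code from the answer or from WSO2, that turns the sample validate response above into a decision the web application can act on: it reads the valid flag, the remaining expiryTime (seconds) and the authorized user, and decodes the claims of the returned JWT so the subject and absolute exp can be displayed. The decode does not verify the signature; only the server-side validate result is authoritative, which is the point of the answer. The helper names and the refresh margin are assumptions; SAMPLE_RESPONSE is the answer's own sample response embedded verbatim.

```python
"""Interpret an OAuth2TokenValidationService validate response.
Added example (not code from the answer or from WSO2); helper names and the
refresh policy are assumptions. SAMPLE_RESPONSE is the sample from the answer."""
import base64
import json
import xml.etree.ElementTree as ET

AXIS2_NS = "http://org.apache.axis2/xsd"
DTO_NS = "http://dto.oauth2.identity.carbon.wso2.org/xsd"

SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:type="ax2369:OAuth2TokenValidationResponseDTO" xmlns:ax2369="http://dto.oauth2.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2369:authorizationContextToken xsi:type="ax2369:OAuth2TokenValidationResponseDTO_AuthorizationContextToken">
<ax2369:tokenString>eyJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTFZemRoWlRSaU9XRTBOV0kyTTJKbU9UYzFaQSJ9.eyJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvYXBwbGljYXRpb25uYW1lIjoiRGVmYXVsdEFwcGxpY2F0aW9uIiwiZXhwIjoxNDQ2Nzg1NjczLCJzdWIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL3N1YnNjcmliZXIiOiJhZG1pbiIsImlzcyI6Imh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5IiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL2VuZHVzZXIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvcm9sZSI6WyJJbnRlcm5hbFwvZXZlcnlvbmUiXSwiaWF0IjoxNDQ2NzgzMjExfQ.VY2J_stNVvCwdGdOn71yw96z0EnbtRabQBt8fDFO5LM4TyNmF56T4uXLGjPW-BaHFKEa21ao0s8zW3UVp3yh2Va5pJhJdEcNeSMHObVvDJBdrDbOqrFZnVG7hxV4n4yIJfWt3jciRQz-SdqVYKJuRF-Tn8qfX30m1s0cMeqEZ2A</ax2369:tokenString>
<ax2369:tokenType>JWT</ax2369:tokenType>
</ax2369:authorizationContextToken>
<ax2369:authorizedUser>admin2#carbon.super</ax2369:authorizedUser>
<ax2369:errorMsg xsi:nil="true"/>
<ax2369:expiryTime>1737</ax2369:expiryTime>
<ax2369:scope/>
<ax2369:valid>true</ax2369:valid>
</ns:return>
</ns:validateResponse>
</soapenv:Body>
</soapenv:Envelope>"""


def parse_validate_response(xml_text):
    """Extract the fields of OAuth2TokenValidationResponseDTO from the SOAP body."""
    root = ET.fromstring(xml_text)
    ret = root.find(f".//{{{AXIS2_NS}}}validateResponse/{{{AXIS2_NS}}}return")
    if ret is None:
        raise ValueError("no validateResponse/return in the SOAP body (a Fault?)")

    def text(name):
        el = ret.find(f"{{{DTO_NS}}}{name}")
        return el.text.strip() if el is not None and el.text else None

    token_el = ret.find(f"{{{DTO_NS}}}authorizationContextToken/{{{DTO_NS}}}tokenString")
    return {
        "valid": text("valid") == "true",
        "expires_in": int(text("expiryTime") or 0),   # seconds remaining, per the server
        "authorized_user": text("authorizedUser"),
        "error": text("errorMsg"),                     # None when the element is xsi:nil
        "jwt": token_el.text.strip() if token_el is not None and token_el.text else None,
    }


def jwt_claims_unverified(token):
    """Decode the payload of a compact JWS for display. This does NOT check the
    signature; the validate response above is what decides validity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_refresh(result, margin_seconds=60):
    """True when the token is invalid or expires within the safety margin."""
    return (not result["valid"]) or result["expires_in"] <= margin_seconds


if __name__ == "__main__":
    r = parse_validate_response(SAMPLE_RESPONSE)
    print(r["valid"], r["expires_in"], r["authorized_user"])
    claims = jwt_claims_unverified(r["jwt"])
    print(claims["sub"], claims["exp"], claims["iat"], "refresh:", needs_refresh(r))
```

The remaining-seconds value should drive the client's decision rather than a timestamp stored in local storage, because it comes from the server's clock and reflects revocation; a client-side timer, as the other answer suggests, is only an optimisation on top of it.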

WSO2 Identity Server UserAdmin SOAP interface

I'd like to know if it is possible to retrieve the user claims via the UserAdmin SOAP interface. I have found that when adding a user it is possible to specify user claims. Also I have noticed that getting a list of users by claims is possible, but I have not found how to retrieve all the claims of a user.
Any hint?
Thanks in advance.
You can try the "RemoteUserStoreManagerService" for your purpose.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserClaimValues>
      <ser:userName>admin</ser:userName>
    </ser:getUserClaimValues>
  </soapenv:Body>
</soapenv:Envelope>
The above request will return the claims of the admin user from its default profile.
EDIT
As per the comment, you need the WSDL of the new admin service.
By default the WSDLs of admin services are hidden. To change that behavior, open <IS_HOME>/repository/conf/carbon.xml, then locate the HideAdminServiceWSDLs tag and set it to false.
Then you can view the WSDL of any admin service from the URL
https://localhost:9443/services/<SERVICE_NAME>?wsdl
In this case:
https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
HTH,
DarRay,

How to set role permissions in WSO2 using admin webservices (setRoleUIPermission)

I have found the WSO2 Carbon admin service that can be used to add role permissions using admin web services (setRoleUIPermission). Based on the WSDL I have no clue how it should be used.
This is the request SoapUI generates:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:mgt="http://mgt.user.carbon.wso2.org">
  <soap:Header/>
  <soap:Body>
    <mgt:setRoleUIPermission>
      <!--Optional:-->
      <mgt:roleName>?</mgt:roleName>
      <!--Zero or more repetitions:-->
      <mgt:rawResources>?</mgt:rawResources>
    </mgt:setRoleUIPermission>
  </soap:Body>
</soap:Envelope>
How should rawResources be used?
Regards, nidkil
First, I guess it is great if you can try out the method "getRolePermissions" in the API. This method returns all UI permissions (management console related permissions), mentioning whether the role contains the permission or not. Then you can see that each permission is identified by a resource value such as "/permission/admin/manage/modify/webapp". Therefore each permission check box that is shown under the role permission UI has some hidden String value. That is the value that you need to pass as "rawResources" in this method. E.g. if you want to give the "login" permission to the role "test", you need to pass it like this.
AFAIK, these permissions that are returned and can be set are management console permissions that can be used in Carbon Admin services and in the UI.
<xsd:roleName>test</xsd:roleName>
<xsd:rawResources>/permission/admin/login</xsd:rawResources>
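An added example, not code from any of the posts or from WSO2, serving both the changePasswordByUser question at the top of the page and the setRoleUIPermission question here. It shows where the base64 encoding actually belongs (the HTTP Authorization header, never the SOAP body elements), builds SOAP 1.2 envelopes for both operations with the body values XML-escaped, expands a list into the zero-or-more rawResources elements, and recognises a SOAP Fault such as "Wrong old credential provided" instead of treating the HTTP response as success. The helper names, the transport function and CONSTRUCTED_FAULT are assumptions; the operation names, namespaces and element names are the ones in the posts.

```python
"""Build WSO2 Carbon admin-service SOAP 1.2 requests and read back faults.
Added example, not code from the posts or from WSO2; helper names, post_soap
and CONSTRUCTED_FAULT are assumptions. Operation names, namespaces and element
names are the ones shown in the questions."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
AXIS2_NS = "http://org.apache.axis2/xsd"        # UserAdminService / changePasswordByUser
MGT_NS = "http://mgt.user.carbon.wso2.org"     # setRoleUIPermission


def basic_auth_header(username, password):
    """Only the Authorization header is base64 ('user:password'). The SOAP body
    carries the plain, XML-escaped values; encoding them there is a mistake."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def soap12_envelope(ns_uri, operation, params):
    """Wrap `operation` in a SOAP 1.2 envelope. `params` is a list of (name, value);
    a list value becomes repeated elements (the zero-or-more rawResources).
    Values are escaped so a password such as a<b&c cannot break or inject XML."""
    elems = []
    for name, value in params:
        for v in (value if isinstance(value, list) else [value]):
            elems.append(f"<op:{name}>{escape(str(v))}</op:{name}>")
    body = "".join(elems)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP12_NS}" xmlns:op="{ns_uri}">'
        f"<soap:Header/><soap:Body><op:{operation}>{body}</op:{operation}>"
        "</soap:Body></soap:Envelope>"
    )


def change_password_envelope(username, old_password, new_password):
    return soap12_envelope(AXIS2_NS, "changePasswordByUser", [
        ("userName", username), ("oldPassword", old_password), ("newPassword", new_password)])


def set_role_ui_permission_envelope(role_name, raw_resources):
    return soap12_envelope(MGT_NS, "setRoleUIPermission", [
        ("roleName", role_name), ("rawResources", list(raw_resources))])


def body_values(envelope, ns_uri, name):
    """Texts of every <name> element in the body, a check on what will be sent."""
    root = ET.fromstring(envelope)
    return [el.text or "" for el in root.iter(f"{{{ns_uri}}}{name}")]


def soap_fault_reason(response_xml):
    """Reason text of a SOAP 1.2 Fault, or None when the response is not a fault."""
    root = ET.fromstring(response_xml)
    text = root.find(f".//{{{SOAP12_NS}}}Fault/{{{SOAP12_NS}}}Reason/{{{SOAP12_NS}}}Text")
    return text.text.strip() if text is not None and text.text else None


def post_soap(url, envelope, username, password, cafile):
    """Send with Basic auth over TLS (network call; not exercised by the test).
    `cafile` is the CA that issued the server certificate, so the default
    self-signed certificate is verified instead of verification being disabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/soap+xml; charset=utf-8",
                 "Authorization": basic_auth_header(username, password)})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed SOAP 1.2 Fault carrying the message from the first question.
CONSTRUCTED_FAULT = (
    f'<soap:Envelope xmlns:soap="{SOAP12_NS}"><soap:Body><soap:Fault>'
    "<soap:Code><soap:Value>soap:Receiver</soap:Value></soap:Code>"
    '<soap:Reason><soap:Text xml:lang="en-US">Error while updating password. '
    "Wrong old credential provided</soap:Text></soap:Reason>"
    "</soap:Fault></soap:Body></soap:Envelope>"
)


if __name__ == "__main__":
    env = change_password_envelope("tom", "old-pass<1>", "new-pass&2")
    print(env)
    print(set_role_ui_permission_envelope("test", ["/permission/admin/login"]))
    print("fault:", soap_fault_reason(CONSTRUCTED_FAULT))
```

Check `soap_fault_reason` on every response before treating the call as successful; a "Wrong old credential" reason after a call that seemed to succeed earlier is the repeated-change situation the accepted answer describes, and the next step is to log in with the new password rather than retry the old one.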