I have running WSO2 IS 5.0.0 and from time to time I am not able to delete the users. I check into the database and I haven't active tokens, sessions and etc. but I can't remove the users. If I try to delete them though admin console (web page) then the users page just refresh and the user I am trying to delete is still there. If I try to consume Admin Service and perform the delete action everything seems to be fine but the user is still there. What may cause the problem?
This is the stack trace (partial) that I have in the logs after trying to delete the user from admin console:
[2016-08-02 11:07:16,415] ERROR {org.wso2.carbon.identity.oauth.listener.IdentityOathEventListener} - Error while retrieving OAuth application information
org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Duplicate entry 'PLCQPGJ8_yYZ9lOb36xFg3gmdVwa-randomUser@carbon.super-AP' for key 'CON_APP_KEY'
at org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO.revokeTokensByResourceOwner(TokenMgtDAO.java:931)
at org.wso2.carbon.identity.oauth.listener.IdentityOathEventListener.doPreDeleteUser(IdentityOathEventListener.java:92)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.deleteUser(AbstractUserStoreManager.java:865)
at org.wso2.carbon.user.mgt.UserRealmProxy.deleteUser(UserRealmProxy.java:752)
at org.wso2.carbon.user.mgt.UserAdmin.deleteUser(UserAdmin.java:190)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
This seems to be a bug, and as a workaround you can delete the entries for that user from the IDN_OAUTH2_ACCESS_TOKEN table and try deleting the user again. Or, as I mentioned, you can install the SP for Identity Server and try. Or else you can migrate to the latest IS version.
Steps to reproduce this issue:
1. Generate access token
2. Wait until token expires (VALIDITY_PERIOD)
3. Regenerate token
4. Revoke it (OAuthAdminService is used)
The problem is not resolved on SP. I hope 5.1.0 can solve this problem. If you have a custom JDBC user store you can modify your doDeleteUser to clean the record of the user you are deleting from IDN_OAUTH2_ACCESS_TOKEN before calling super.doDeleteUser().
@Override
public void doDeleteUser(String userName) throws UserStoreException {
    // Remove the user's rows from IDN_OAUTH2_ACCESS_TOKEN first, so that the
    // OAuth pre-delete listener does not trip over the duplicate CON_APP_KEY entry.
    clean_idn_oauth2_access_token(userName);
    super.doDeleteUser(userName);
}
I hope this could help you.
Related
I am trying to track down leaked values for GOOGLE_CLIENT_SECRET and GOOGLE_CLIENT_ID. I run this basic flask app here in docker, link it to localhost, edit /etc/hosts to map that to "myserver.local.com" and access the page. When I click Login on the "This app will attempt to authenticate you through Google OAuth 2.0" screen, I get this error
Authorization Error
Error 401: deleted_client
The OAuth client was deleted
Excluding the possibility of restoring the project within 30 days of deletion, can I take this to mean that the leaked keys do not pose a threat? I cannot find them in our projects, so I cannot just delete them myself.
The client ID contains the project number. The client ID is constructed the following way:
<PROJECT_NUMBER>-<RANDOM_STUFF>.apps.googleusercontent.com
If you have access to the project, you can access the list of credentials by going to the link https://console.cloud.google.com/apis/credentials?project=<PROJECT_NUMBER>.
In there, you can verify if the client ID has been deleted, and if not, delete it yourself.
You can also check if the project is pending deletion by using the same project number in this command (requires gcloud installed and properly authenticated):
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H 'Accept: application/json' \
  'https://cloudresourcemanager.googleapis.com/v1/projects?filter=projectNumber%3A<PROJECT_NUMBER>'
As per the API definition, if the response has the field "lifecycleState":"DELETE_REQUESTED", it means that the project is pending deletion but still recoverable.
All of these steps are contingent on you having access to the project with the credentials. If you don't have that access, you should find somebody who has. If that project was within an organization, someone with permissions at the organization level should have access to all the projects within it.
With all that said, the error does look like it means the client was deleted, and there is no way to recover deleted credentials, at least according to the warning message when deleting one:
The biggest danger I see is that the leaked credentials contain the project number, but abusing only a project number is pretty hard.
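As an added example (not part of the answers above), a small Python triage helper for a leaked Google OAuth client ID: it pulls the project number out of the client ID, builds the same Resource Manager query the curl command above uses, and classifies a projects.list response by its lifecycleState. The client ID regex and the sample response are my own assumptions and constructed data; the function reads a response body you fetched separately, so it runs offline.

```python
import json
import re
from urllib.parse import quote

# Assumed shape of a Google OAuth client ID: <PROJECT_NUMBER>-<RANDOM>.apps.googleusercontent.com
CLIENT_ID_RE = re.compile(r"^(?P<project>\d+)-[A-Za-z0-9_-]+\.apps\.googleusercontent\.com$")


def project_number_from_client_id(client_id: str) -> str:
    """Return the project number embedded in a leaked client ID, or raise ValueError."""
    m = CLIENT_ID_RE.match(client_id.strip())
    if not m:
        raise ValueError("not a Google OAuth client ID: %r" % client_id)
    return m.group("project")


def project_lookup_url(project_number: str) -> str:
    """Resource Manager v1 URL from the curl command; the ':' in the filter is encoded as %3A."""
    return ("https://cloudresourcemanager.googleapis.com/v1/projects?filter="
            + quote("projectNumber:" + project_number, safe=""))


def classify_project(response_body: str, project_number: str) -> str:
    """Map a projects.list response body to a triage state.

    ACTIVE           -> project is live: delete or rotate the client yourself, now
    DELETE_REQUESTED -> pending deletion, still recoverable within the grace period
    NOT_VISIBLE      -> no matching project: already purged, or the caller lacks
                        permission; the two cannot be told apart from this response
    """
    projects = json.loads(response_body).get("projects", [])
    for p in projects:
        if p.get("projectNumber") == project_number:
            return p.get("lifecycleState", "UNKNOWN")
    return "NOT_VISIBLE"


# Constructed sample response (not real data) in the shape projects.list returns.
SAMPLE_RESPONSE = json.dumps({"projects": [{
    "projectNumber": "123456789012",
    "projectId": "example-project",
    "name": "example",
    "lifecycleState": "DELETE_REQUESTED",
}]})

if __name__ == "__main__":
    leaked = "123456789012-abc123xyz.apps.googleusercontent.com"  # constructed
    number = project_number_from_client_id(leaked)
    print(project_lookup_url(number))
    print(classify_project(SAMPLE_RESPONSE, number))
```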
To ensure that your access token is revoked you can perform any of the following actions:
Tokens: delete --> Delete all access tokens issued by a user for an application.
gcloud auth revoke --> Revokes the user account token on the server.
Programmatically revoke access.
Change password.
You can also track your token with the OAuth Token audit log to see when and by whom it was used.
When I try to log into the Store with the Admin account, it displays the following message:
No Privileges to login
You do not have permission to login to this application. Please contact your administrator and request permission.
I have checked and made sure the Admin account does indeed have the permissions it needs to log into the Store. I even created a new account and gave it all permissions, and it won't allow that account to log in either.
I even went as far as to dig into the database itself through MySQL, and best I can tell the proper permissions are there.
The last time this happened to me, I ended up unzipping a fresh copy of the EMM product and creating a brand new database for it because I couldn't figure out a solution. I tried unzipping a fresh copy of the EMM product, but running on the same database, it had no change in behavior. I have a database full of data I don't want to lose now, so I'd much rather find a fix than have to wipe it all out again!
WSO2 EMM 2.0.0
Windows Server 2012 R2
MySQL 5.5
EDIT: relevant logs:
TID: [-1234] [] [2016-03-25 05:21:19,862] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2016-03-25 05:21:19,862-0500]
TID: [-1234] [] [2016-03-25 05:21:19,862] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2016-03-25 05:21:19,0862] from IP address 10.200.201.108 while trying to authenticate access to service RemoteAuthorizationManagerService
TID: [-1234] [] [2016-03-25 05:21:19,909] WARN {JAGGERY.controllers.acs:jag} - User admin@carbon.super does not have permission to access the store application. Make sure the user has the store role.
I figured it out!
The issue is specifically triggered by changing the password on the admin account to anything but "admin". Changing it back appears to rectify the issue.
Obviously this is a bug, as the admin account should be able to have its password changed and still be able to log into the Store. To be clear, there was never any issue logging into the Publisher; just the Store. Additionally, if the admin password was changed, no accounts could log into the Store at all, regardless of their permissions level.
I tested this with a fresh EMM pack, version 2.0.0 and 2.0.1, using the H2 and MySQL 5.5. In all cases the issue occurred.
A bug report has been filed on WSO2's JIRA board here.
Are there any configuration changes on your side? I got the EMM 2.0.0 fresh pack and configured MySQL 5.5. I tried to log in to the EMM store and it is working properly.
This issue is raised once we try to change the password from the EMM console. But we can change the admin password from /repository/conf/user-mgt.xml
<AdminUser>
    <UserName>admin</UserName>
    <Password>admin</Password>
</AdminUser>
and the admin credentials in /repository/conf/app-manager.xml.
Having WSO2 IS 5.0.0.SP1 backed by PostgreSQL there is another application reading user information using the SCIM service (filter=userNameEq...)
All works, but after a certain time the service returns a "User is not authorized.." response with a single ERROR level log line. From that moment all subsequent calls fail with "404 User is not authorized". Even when I log in using the admin account I have no access rights. This state lasts for a few minutes and then all seems to work again.
We traced the response message to the SCIM service implementation where the authorization is checked. However, we are unable to find the root cause of the issue (suspecting some exception is quietly dropped, cache cleanup cleans more than it should, ...).
Any hint / idea is appreciated.
Carpe diem
Gabriel
This seems to be an authorization issue. After 3 failed login attempts the user is locked for 0 minutes (most users use 05 minutes). This is the default setting of a fresh WSO2 IS pack. After the configured lock time the user is unlocked. Then the user can log in with valid credentials. If you need, you can change the login attempts and lock time. Please check the [IS_HOME]/repository/conf/security/identity-mgt.properties file. It has all the configuration.
Issue is resolved (or - reason is identified in another system). In the AD tree one of the domain controllers is external (cloud) and unable to authenticate the technical (wso2) datastore user. When the AD node hostname is resolved to the cloud node, then ldapsearch is unable to return any groups from a sub-domain of the cloud based domain controller (interesting - it doesn't fail).
I've gotten WSO2 working on the server. I can login through the management console and EMM, publisher, and store are all working. I can create a new user through the EMM dashboard, and the email is sent correctly. So everything is fine while using the website.
I'm using the sample APK that comes with WSO2 to do some development, but every time I try to register the app pops up "Authentication Failed - Cannot proceed the authentication. Please contact an administrator." And there is no output in the console when this happens.
If I put in the incorrect credentials I get a separate error, "Authentication Failed - Incorrect login information. Please try again." So I know my credentials are correct.
What does this mean? Is there another place to find more detailed logs?
Have you tried debugging the Android agent? If so you might be able to provide more information regarding this issue by looking at the agent debug logs.
BTW, did you try enrolling as the admin user?
I have a situation where I need to set up a standalone version of WSO2 Identity Server and have that act as the SSO provider into all of the products in Stratos.
Currently I have Stratos Identity Server configured so that I can login via the standalone Identity Server, using admin.
However, if I use another user I either get an "Authorization Failure" or cannot log in.
First Question
1) I have the same user (that is not admin) created in both Identity Servers. Why would I get the "Authorization Failure"?
Second Question
2) Why is it that I cannot even get to the "Authorization Failure" problem if I have a user created with a username in the format user@domain.com?
UPDATE:
I figured out that if I remove the property tags in user-mgt.xml that reference the usernames with regular expressions I am able to create usernames in the format name@domain.com. But I am still unable to use that username to log in; the error log says that the account has not been activated.
I also created two instances of WSO2 Identity Server and configured them in such a way as to test being able to use one to log in to the other. I was able to do this by making sure that the same username and password was in both servers' lists of users. This way I do not get the "Authorization Failure".
The answers I came up with.
1. I need to have the same username and password in each Identity Server.
2. I cannot have the format name@domain.com unless I have multi-tenancy configured. Otherwise WSO2 will try to find the ACTIVATE field in the Tenant table and not find it.
UPDATE: I got this installed and configured and it turned out that I now get another error about
Issuer details are not valid. Issuer details should be registered in advance
So my answer turned out not to be valid.
I wonder why I get this new login failure?
UPDATE RESOLVED!!:
I resolved this problem by downloading just the WSO2 Stratos IS 1.5.2 package. I installed it and configured it with the same configuration I was using before. Now I can log in without problems across domains.