WSO2 Identity Server UserAdmin SOAP interface - wso2

I'd like to know if it is possible to retrieve the user claims via the UserAdmin SOAP interface. I have found that when adding a user it is possible to specify user claims. Also I have noticed that getting a list of users by claims is possible, but I have not found how to retrieve all the claims of a user.
Any hint?
Thanks in advance.

You can try "RemoteUserStoreManagerService" for your purpose.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserClaimValues>
      <ser:userName>admin</ser:userName>
    </ser:getUserClaimValues>
  </soapenv:Body>
</soapenv:Envelope>
The above request will return the claims of the admin user from its default profile.
EDIT
As per the comment, you need the WSDL of the new admin service.
By default the WSDLs of admin services are hidden. To change that behaviour, open <IS_HOME>/repository/conf/carbon.xml, locate the HideAdminServiceWSDLs tag and set it to false.
Then you can view the WSDL of any admin service from the URL
https://localhost:9443/services/<SERVICE_NAME>?wsdl
In this case:
https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
HTH,
DarRay,

Related

In WSO2 IS 5.9.0 how to configure Password Policies And Login Policies with help of an API?

I need to find the REST/SOAP API for Password Policies (Password History and Password Pattern) and Login Policies (Account Locking and Account Disabling).
I am using WSO2 IS 5.9.0.
I am creating a multi-tenant environment from WSO2. I am able to perform all the steps from code but am not able to find an API for these two settings.
I have to do this manually, but that is just a workaround; I need to figure out the WSO2 APIs for these.
I need a curl request or documentation for these 2 settings' API.
From WSO2 IS 5.10.0 onwards there is a REST API to update these configurations.
However, in 5.9.0 and before, only SOAP APIs are available. You can use the https://localhost:9443/services/IdentityGovernanceAdminService SOAP service for this purpose. There are 2 operations available in this service: getConnectorList and updateConfigurations.
You can use getConnectorList to find the available connectors and their property names. Then you can use the updateConfigurations operation to update a property value. The message body to update the Password History validation count configuration would look like the following.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gov="http://governance.identity.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd">
  <soapenv:Header/>
  <soapenv:Body>
    <gov:updateConfigurations>
      <gov:configurations>
        <xsd:name>passwordHistory.count</xsd:name>
        <xsd:value>6</xsd:value>
      </gov:configurations>
    </gov:updateConfigurations>
  </soapenv:Body>
</soapenv:Envelope>

WSO2: web service changePasswordByUser error

I've installed WSO2 API-M 1.10.0 and am trying to update the password of a user.
Steps:
1. Create a user in the tenant "carbon.super" and assign the user the admin role at the same time. (success)
2. Use the credentials of the user to change his password via the web service UserAdminService changePasswordByUser. (fail)
The request is:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://org.apache.axis2/xsd">
  <soap:Header/>
  <soap:Body>
    <xsd:changePasswordByUser>
      <!--Optional:-->
      <xsd:userName>?</xsd:userName>
      <!--Optional:-->
      <xsd:oldPassword>?</xsd:oldPassword>
      <!--Optional:-->
      <xsd:newPassword>?</xsd:newPassword>
    </xsd:changePasswordByUser>
  </soap:Body>
</soap:Envelope>
And the error message is:
Error while updating password. Wrong old credential provided
I'm sure that the two passwords are correct and the credential is base64 encoded (account:oldPassword). Do I need to encode the passwords into something?
Thanks
Tom
I verified this scenario and it is working fine in both APIM 1.10.0 and 2.0.0. If you get that error, it means the password has already been changed and you are trying to change it for the second time. Please try to log in to the management console using the new password and make sure it has been changed.

WSO2 - Check if an access token is still valid

I am implementing an OAuth 2 token flow using the password grant_type as per the WSO2 docs here
I have this working for logging in users in the web application I am working on currently, and am storing the retrieved access token in local storage.
If I wanted to check that the token is still valid (say the user refreshes the browser), is there a request I can make to check that the access token is still valid and hasn't expired? I assume it would be some form of POST request to the token endpoint URL?
Thanks
To validate the token, there is an admin service which you can use. It's a SOAP service, and calling the "validate" method of that admin service can be used to validate the token.
Validation Endpoint
https://localhost:9443/services/OAuth2TokenValidationService/
The validate method will respond with the validity period. This service is an admin service which you can invoke through basic authentication and other authentication mechanisms such as mutual authentication.
I believe another approach is to call the token endpoint for a new token. AFAIR, if a valid token exists, it returns it with the expiry time, from which you can calculate the validity period.
Another way is, if possible, to store the time the token was requested and have a separate timer to check whether the validity time has expired. The very first time the token generation request is made, it returns the token with its validity period.
As harsha89 mentioned, you can use the OAuth2TokenValidationService to validate. A sample SOAP request is as follows:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth2.identity.carbon.wso2.org/xsd">
  <soapenv:Header/>
  <soapenv:Body>
    <xsd:validate>
      <xsd:validationReqDTO>
        <xsd1:accessToken>
          <xsd1:identifier>b443652fdc3642bb1b3ba8ebae99068</xsd1:identifier><!--access token received-->
          <xsd1:tokenType>bearer</xsd1:tokenType>
        </xsd1:accessToken>
        <xsd1:context>
          <xsd1:key></xsd1:key>
          <xsd1:value></xsd1:value>
        </xsd1:context>
      </xsd:validationReqDTO>
    </xsd:validate>
  </soapenv:Body>
</soapenv:Envelope>
Sample response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
      <ns:return xsi:type="ax2369:OAuth2TokenValidationResponseDTO" xmlns:ax2369="http://dto.oauth2.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax2369:authorizationContextToken xsi:type="ax2369:OAuth2TokenValidationResponseDTO_AuthorizationContextToken">
          <ax2369:tokenString>eyJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTFZemRoWlRSaU9XRTBOV0kyTTJKbU9UYzFaQSJ9.eyJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvYXBwbGljYXRpb25uYW1lIjoiRGVmYXVsdEFwcGxpY2F0aW9uIiwiZXhwIjoxNDQ2Nzg1NjczLCJzdWIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL3N1YnNjcmliZXIiOiJhZG1pbiIsImlzcyI6Imh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5IiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL2VuZHVzZXIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvcm9sZSI6WyJJbnRlcm5hbFwvZXZlcnlvbmUiXSwiaWF0IjoxNDQ2NzgzMjExfQ.VY2J_stNVvCwdGdOn71yw96z0EnbtRabQBt8fDFO5LM4TyNmF56T4uXLGjPW-BaHFKEa21ao0s8zW3UVp3yh2Va5pJhJdEcNeSMHObVvDJBdrDbOqrFZnVG7hxV4n4yIJfWt3jciRQz-SdqVYKJuRF-Tn8qfX30m1s0cMeqEZ2A</ax2369:tokenString>
          <ax2369:tokenType>JWT</ax2369:tokenType>
        </ax2369:authorizationContextToken>
        <ax2369:authorizedUser>admin2#carbon.super</ax2369:authorizedUser>
        <ax2369:errorMsg xsi:nil="true"/>
        <ax2369:expiryTime>1737</ax2369:expiryTime>
        <ax2369:scope/>
        <ax2369:valid>true</ax2369:valid>
      </ns:return>
    </ns:validateResponse>
  </soapenv:Body>
</soapenv:Envelope>
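The validate exchange above, as an added example (not code from the answers): Python that builds the request with ElementTree, so the token value is escaped rather than pasted into a string, and parses a constructed, shortened copy of the sample response, treating xsi:nil fields as absent. The JWT placeholder in the sample is not a real token.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS_NS = "http://org.apache.axis2/xsd"
DTO_NS = "http://dto.oauth2.identity.carbon.wso2.org/xsd"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Constructed sample: the answer's validateResponse with the JWT shortened to a placeholder.
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>
<ns:validateResponse xmlns:ns="{AXIS_NS}">
<ns:return xsi:type="ax2369:OAuth2TokenValidationResponseDTO" xmlns:ax2369="{DTO_NS}" xmlns:xsi="{XSI_NS}">
<ax2369:authorizationContextToken><ax2369:tokenString>eyJ...PLACEHOLDER</ax2369:tokenString>
<ax2369:tokenType>JWT</ax2369:tokenType></ax2369:authorizationContextToken>
<ax2369:authorizedUser>admin2#carbon.super</ax2369:authorizedUser><ax2369:errorMsg xsi:nil="true"/>
<ax2369:expiryTime>1737</ax2369:expiryTime><ax2369:scope/><ax2369:valid>true</ax2369:valid>
</ns:return></ns:validateResponse></soapenv:Body></soapenv:Envelope>"""

def build_validate_request(access_token, token_type="bearer"):
    """Build the 'validate' envelope with ElementTree, so the token value is XML-escaped
    rather than pasted into a string template; mirrors the request in the answer."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("xsd", AXIS_NS)
    ET.register_namespace("xsd1", DTO_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    dto = ET.SubElement(ET.SubElement(body, f"{{{AXIS_NS}}}validate"), f"{{{AXIS_NS}}}validationReqDTO")
    tok = ET.SubElement(dto, f"{{{DTO_NS}}}accessToken")
    ET.SubElement(tok, f"{{{DTO_NS}}}identifier").text = access_token
    ET.SubElement(tok, f"{{{DTO_NS}}}tokenType").text = token_type
    ctx = ET.SubElement(dto, f"{{{DTO_NS}}}context")  # empty context, as in the sample request
    ET.SubElement(ctx, f"{{{DTO_NS}}}key")
    ET.SubElement(ctx, f"{{{DTO_NS}}}value")
    return ET.tostring(env, encoding="unicode")

def parse_validate_response(xml_text):
    """Return the fields a relying party needs; xsi:nil elements become None."""
    root = ET.fromstring(xml_text)
    ret = root.find(f".//{{{AXIS_NS}}}validateResponse/{{{AXIS_NS}}}return")
    if ret is None:
        raise ValueError("SOAP body has no validateResponse/return (fault or wrong service?)")
    def field(tag):
        el = ret.find(f"{{{DTO_NS}}}{tag}")
        return None if el is None or el.get(f"{{{XSI_NS}}}nil") == "true" else el.text
    return {
        "valid": field("valid") == "true",             # anything but the literal "true" counts as invalid
        "expiry_time": int(field("expiryTime") or 0),  # remaining validity as the service reports it
        "authorized_user": field("authorizedUser"),
        "error": field("errorMsg"),
    }
```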

How to set role permissions in WSO2 using admin webservices (setRoleUIPermission)

I have found the WSO2 Carbon admin service that can be used to add role permissions using admin web services (setRoleUIPermission). Based on the WSDL I have no clue how it should be used.
This is the request SoapUI generates:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:mgt="http://mgt.user.carbon.wso2.org">
  <soap:Header/>
  <soap:Body>
    <mgt:setRoleUIPermission>
      <!--Optional:-->
      <mgt:roleName>?</mgt:roleName>
      <!--Zero or more repetitions:-->
      <mgt:rawResources>?</mgt:rawResources>
    </mgt:setRoleUIPermission>
  </soap:Body>
</soap:Envelope>
How should rawResources be used?
Regards, nidkil
First, I guess it is great if you can try out the method "getRolePermissions" in the API. This method returns all UI permissions (management console related permissions), indicating whether the role contains each permission or not. Then you can see that each permission is identified by a resource value such as "/permission/admin/manage/modify/webapp". Therefore each permission check box that is shown under the role permission UI has some hidden String value. That is the value that you need to pass as "rawResources" in this method. E.g. if you want to give the "login" permission to the role "test", you need to pass it like this:
<xsd:roleName>test</xsd:roleName>
<xsd:rawResources>/permission/admin/login</xsd:rawResources>
AFAIK, these permissions that are returned and can be set are management console permissions that can be used in Carbon admin services and in the UI.

WSO2 get user by claim value

I need to know how to get WSO2 users by claim value, to perform some kind of search.
example:
getUsersByClaimValue(String claimUri, String claimValue);
Yes. This API method has been introduced to the user store API to get the user names associated with a particular user attribute. Say you want to get the users whose "country" attribute value is "USA"; then you can use this method as follows.
getUserList("http://wso2.org/claims/country", "USA", null);
You can find this method as a web service API in the RemoteUserStoreManagerService of WSO2 IS. Your SOAP message would look like the following.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserList>
      <ser:claimUri>http://wso2.org/claims/country</ser:claimUri>
      <ser:claimValue>USA</ser:claimValue>
      <ser:profile></ser:profile>
    </ser:getUserList>
  </soapenv:Body>
</soapenv:Envelope>
Here, this claim URI is a generic one which is independent of the user store. With WSO2 Identity Server you can map these claim URIs into any attribute in your user store. More details from here
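An added example (not code from the answers) covering the RemoteUserStoreManagerService requests on this page (getUserClaimValues and getUserList) and the UserAdmin setRoleUIPermission request with its repeated rawResources elements: one Python envelope builder that escapes every value, plus a Basic-auth caller over certificate-verified TLS. The base_url, cafile and the Axis2 "urn:<operation>" SOAPAction convention are assumptions, not taken from the page.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UM_NS = "http://service.ws.um.carbon.wso2.org"  # RemoteUserStoreManagerService (ser:)
MGT_NS = "http://mgt.user.carbon.wso2.org"      # UserAdmin (mgt:)

def soap_envelope(prefix, ns, operation, params):
    """SOAP 1.1 envelope for one admin-service operation. params is a list of
    (name, value) pairs in WSDL order; a list value becomes repeated elements
    ("zero or more repetitions"), None an empty element. ElementTree escapes every
    value, so a caller-supplied string cannot add its own markup to the body."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace(prefix, ns)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{ns}}}{operation}")
    for name, value in params:
        for item in (value if isinstance(value, list) else [value]):
            ET.SubElement(op, f"{{{ns}}}{name}").text = item
    return ET.tostring(env, encoding="unicode")

def get_user_claim_values_request(user_name):
    return soap_envelope("ser", UM_NS, "getUserClaimValues", [("userName", user_name)])

def get_user_list_request(claim_uri, claim_value, profile=None):
    return soap_envelope("ser", UM_NS, "getUserList",
                         [("claimUri", claim_uri), ("claimValue", claim_value), ("profile", profile)])

def set_role_ui_permission_request(role_name, resources):
    # Each resource in the list becomes its own <mgt:rawResources> element.
    return soap_envelope("mgt", MGT_NS, "setRoleUIPermission",
                         [("roleName", role_name), ("rawResources", list(resources))])

def call_admin_service(base_url, service, operation, envelope, username, password, cafile):
    """POST the envelope to <base_url>/services/<service> with HTTP Basic auth. cafile is
    the CA of the server certificate, so admin credentials never go to an unverified host.
    The SOAPAction header follows the Axis2 "urn:<operation>" convention (assumption)."""
    ctx = ssl.create_default_context(cafile=cafile)
    basic = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(
        f"{base_url}/services/{service}", data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f"urn:{operation}",
                 "Authorization": f"Basic {basic}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")
```

A typical call is call_admin_service("https://localhost:9443", "RemoteUserStoreManagerService", "getUserList", get_user_list_request("http://wso2.org/claims/country", "USA"), "admin", password, "/path/to/ca.pem").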