Hi Bhathiya,

SAML2 bearer token generation for a tenant user was successful when sending
the domain query parameter to the token endpoint. Furthermore, it fixed issue
[1], which occurred when invoking an API using the generated access token.

Furthermore, I could overcome getting an 'access forbidden' error when invoking
an API using a token generated with the OAuth2 custom grant type by adding the
scope in the curl command. Below I have shared the steps for how I tested the
OAuth2 custom grant type in the API Manager - IS as key manager setup.

*Test Steps*

1. Configure IS by following documentation [2].
2. Create an application in the API store and generate production keys. (The SP
relevant to the application will get created in IS.)
3. Use the curl command below to generate an access token. (Make sure that the
scope is specified accurately.)

*Curl command*

curl --user 97XddkX6TBOtSRUoaMB0MStxo8oa:jVYekhO2oEbRUjxYfuHA4_rIfpka -k \
  -d "grant_type=mobile&mobileNumber=0333444&scope=PRODUCTION" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  https://localhost:9443/oauth2/token

[1]. https://wso2.org/jira/browse/APIMANAGER-4930
[2]. https://docs.wso2.com/display/IS510/Writing+a+Custom+OAuth+2.0+Grant+Type


Sewmini Jayaweera
*Software Engineer - QA Team*
Mobile: +94 (0) 773 381 250
sewm...@wso2.com

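An added illustration, not WSO2 Identity Server code, of the tenant-resolution rule argued in the quoted thread below: after the IDENTITY-4531 fix the OAuth2 token endpoint can derive the tenant from the client_id (a unique UUID), so the tenantDomain query parameter became optional, while a SAML2 SSO issuer is not unique across tenants, so /samlsso still needs tenantDomain. The registries, client ids and the carbon.super default are constructed assumptions.

```python
# Added illustration (not WSO2 Identity Server code) of the tenant-resolution
# rule discussed in this thread. All registries below are constructed sample
# data; the carbon.super fallback is an assumption taken from the thread.
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SUPER_TENANT = "carbon.super"

# Constructed: client_id -> tenant. Client ids are unique across tenants, so
# one lookup is enough to resolve the tenant of an OAuth2 token request.
OAUTH_CLIENTS = {
    "client-id-tenant-0001": "wso2.com",
    "client-id-super-0001": SUPER_TENANT,
}

# Constructed: the same SAML issuer registered in two tenants, which is why
# the issuer alone cannot identify the tenant of a /samlsso request.
SAML_ISSUERS = {
    "travelocity.com": {SUPER_TENANT, "wso2.com"},
    "hr.example": {"wso2.com"},
}


def tenant_from_query(url: str) -> Optional[str]:
    """Return the tenantDomain query param of a URL, or None if absent."""
    return parse_qs(urlsplit(url).query).get("tenantDomain", [None])[0]


def resolve_oauth2_tenant(token_url: str, client_id: str) -> str:
    """Token endpoint rule after the fix: the tenant comes from the client_id.
    A tenantDomain query param is still accepted but must agree with it."""
    tenant = OAUTH_CLIENTS.get(client_id)
    if tenant is None:
        raise ValueError("unknown client_id")
    hinted = tenant_from_query(token_url)
    if hinted is not None and hinted != tenant:
        raise ValueError("tenantDomain does not match the client_id's tenant")
    return tenant


def resolve_saml_tenant(samlsso_url: str, issuer: str) -> str:
    """SAML SSO rule: the issuer may exist in several tenants, so the
    tenantDomain query param decides; without it carbon.super is assumed."""
    tenants = SAML_ISSUERS.get(issuer)
    if not tenants:
        raise ValueError("unknown issuer")
    hinted = tenant_from_query(samlsso_url) or SUPER_TENANT
    if hinted not in tenants:
        raise ValueError(f"issuer {issuer!r} not registered in {hinted!r}")
    return hinted
```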
On Thu, Jun 2, 2016 at 7:29 PM, Bhathiya Jayasekara <bhath...@wso2.com>
wrote:

> Hi Sewmini,
>
> Could you please confirm your observations after using tenantDomain only
> with samlsso URL (for tenants)?
>
> Thanks,
> Bhathiya
>
> On Thu, Jun 2, 2016 at 10:16 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>
>> Ok thanks, if there is no API change we don't have to worry.
>>
>> Thanks,
>> NuwanD.
>>
>> On Thu, Jun 2, 2016 at 10:10 AM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> Hi Nuwan,
>>>
>>> For SAML2 SSO this is how it has been all this time. Because we can't
>>> guarantee the issuer will be unique across tenants unlike the client id in
>>> oauth2, which is a UUID.
>>>
>>> In IS even for OAuth2 we were sending the tenantDomain to token endpoint
>>> for all the grant types. However later found that in APIM it has been
>>> working without sending it due to a different reason, and that is why we
>>> did a fix to make tenant domain optional to token endpoint.
>>>
>>> I don't think in SAML2 SSO we can change it that way.
>>>
>>> Johann.
>>>
>>> On Thu, Jun 2, 2016 at 9:40 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>
>>>> So for tenant users, the samlsso url has changed (requires tenantDomain
>>>> query param)? Does this mean that for tenant users who are migrating to the
>>>> new version, they have to change their Application's SSO handling code?
>>>>
>>>> Thanks,
>>>> NuwanD.
>>>>
>>>> On Thu, Jun 2, 2016 at 8:48 AM, Farasath Ahamed <farasa...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Chamara,
>>>>>
>>>>> Sorry, I missed out some details. I tested the SAML Bearer Grant with
>>>>> an Identity Server 5.3.0 M1 pack. I had to change the samlsso URL to
>>>>> https://localhost:9443/samlsso?tenantDomain=wso2.com to log in as
>>>>> a user in the tenant domain in the travelocity App. Thereafter the SAML2
>>>>> Bearer grant was sent to the https://localhost:9443/oauth2/token
>>>>> endpoint without passing the tenantDomain as a query param in the URL.
>>>>>
>>>>> The fix [1] was done after Identity Server 5.2.0-beta, so if we are
>>>>> testing with a 5.2.0-beta or earlier IS pack we would have to send in the
>>>>> tenantDomain as a query param (i.e.
>>>>> https://localhost:9443/oauth2/token?tenantDomain=<tenantDomain>) to
>>>>> the token endpoint for SPs in a tenantDomain, as Pushpalanka has pointed
>>>>> out earlier. Otherwise, it will be taken as carbon.super.
>>>>>
>>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4531
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Farasath Ahamed
>>>>> Software Engineer,
>>>>> WSO2 Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>>
>>>>> Email: farasa...@wso2.com
>>>>> Mobile: +94777603866
>>>>> Blog: blog.farazath.com
>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>
>>>>> On Thu, Jun 2, 2016 at 7:43 AM, Chamara Ariyarathne <chama...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Farasath, some unclear points.
>>>>>>
>>>>>> On Thu, Jun 2, 2016 at 2:47 AM, Farasath Ahamed <farasa...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I tested the SAML2 bearer grant with travelocity app for a tenant
>>>>>>> user and I was able to get an access token with any issue.
>>>>>>>
>>>>>> "with" or "without"?
>>>>>>
>>>>>>
>>>>>>> I had to change the samlsso URL to
>>>>>>> https://localhost:9443/samlsso?tenantDomain=wso2.com to get the
>>>>>>> sample working for a tenant user.
>>>>>>>
>>>>>> So, is it still needed?
>>>>>>
>>>>>>
>>>>>>> However, I was able to generate the token without sending the
>>>>>>> tenantDomain as a query param.
>>>>>>>
>>>>>> For which grant type? Are you still talking about the saml2-bearer
>>>>>> grant type?
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Farasath
>>>>>>>
>>>>>>>
>>>>>>> Farasath Ahamed
>>>>>>> Software Engineer,
>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>>
>>>>>>>
>>>>>>> Email: farasa...@wso2.com
>>>>>>> Mobile: +94777603866
>>>>>>> Blog: blog.farazath.com
>>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>>>
>>>>>>> On Thu, Jun 2, 2016 at 2:22 AM, Farasath Ahamed <farasa...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> We have removed the requirement to send in the tenantDomain with
>>>>>>>> the token request as a query param in [1]. Instead of relying on the
>>>>>>>> query param, we now retrieve the tenantDomain using the client_id sent
>>>>>>>> in the request. Therefore, this should work for all grant types.
>>>>>>>> Anyway, I will check once again with the SAML2 Bearer grant.
>>>>>>>>
>>>>>>>>
>>>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4531
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> Farasath Ahamed
>>>>>>>> Software Engineer,
>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>> lean.enterprise.middleware
>>>>>>>>
>>>>>>>>
>>>>>>>> Email: farasa...@wso2.com
>>>>>>>> Mobile: +94777603866
>>>>>>>> Blog: blog.farazath.com
>>>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>>>>
>>>>>>>> On Thu, Jun 2, 2016 at 1:25 AM, Tania Mahanama <ta...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Jun 1, 2016 at 9:56 PM, Sewmini Jayaweera <
>>>>>>>>> sewm...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Pushpalanka,
>>>>>>>>>>
>>>>>>>>>> Thank you for your prompt response.
>>>>>>>>>> I could generate token successfully with the suggested endpoint.
>>>>>>>>>>
>>>>>>>>>> @Tania: Could you please update documentation [1] with this
>>>>>>>>>> information? I have created documentation Jira [2].
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Noted.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [1].
>>>>>>>>>> https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
>>>>>>>>>> [2]. https://wso2.org/jira/browse/DOCUMENTATION-3414
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Sewmini.
>>>>>>>>>>
>>>>>>>>>> Sewmini Jayaweera
>>>>>>>>>> *Software Engineer - QA Team*
>>>>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>>>>> sewm...@wso2.com
>>>>>>>>>>
>>>>>>>>>> On Wed, Jun 1, 2016 at 8:42 PM, Pushpalanka Jayawardhana <
>>>>>>>>>> la...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Sewmini,
>>>>>>>>>>>
>>>>>>>>>>> Please try sending the tenantDomain as a query param in the cURL
>>>>>>>>>>> command's token endpoint as below.
>>>>>>>>>>>
>>>>>>>>>>> https://localhost:9443/oauth2/token?tenantDomain=<tenantDomain>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Jun 1, 2016 at 8:15 PM, Sewmini Jayaweera <
>>>>>>>>>>> sewm...@wso2.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Adding dev@wso2.org
>>>>>>>>>>>>
>>>>>>>>>>>> Sewmini Jayaweera
>>>>>>>>>>>> *Software Engineer - QA Team*
>>>>>>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>>>>>>> sewm...@wso2.com
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Jun 1, 2016 at 8:13 PM, Sewmini Jayaweera <
>>>>>>>>>>>> sewm...@wso2.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi APIM / IS teams,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am testing the 'Exchanging SAML2 Bearer Tokens with OAuth2'
>>>>>>>>>>>>> (SAML Extension Grant Type) scenario for a tenant user. I followed
>>>>>>>>>>>>> the API Manager documentation available at [1] and the scenario
>>>>>>>>>>>>> worked fine for the super tenant. When I try the tenant scenario,
>>>>>>>>>>>>> I noticed that when the service provider and IDP are created in
>>>>>>>>>>>>> the IS tenant domain, token generation fails. The reason is that
>>>>>>>>>>>>> even though the SP is in the tenant domain, the system expects the
>>>>>>>>>>>>> IDP in the carbon.super tenant.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Are there any specific configurations which should be done in
>>>>>>>>>>>>> order to get the tenant scenario working?
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have also reported a Jira [2] on this explaining the full
>>>>>>>>>>>>> scenario.
>>>>>>>>>>>>>
>>>>>>>>>>>>> [2]. https://wso2.org/jira/browse/APIMANAGER-4929
>>>>>>>>>>>>> [1].
>>>>>>>>>>>>> https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
>>>>>>>>>>>>>
>>>>>>>>>>>>> Kind Regards,
>>>>>>>>>>>>> Sewmini.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sewmini Jayaweera
>>>>>>>>>>>>> *Software Engineer - QA Team*
>>>>>>>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>>>>>>>> sewm...@wso2.com
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Pushpalanka.
>>>>>>>>>>> --
>>>>>>>>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>>>>>>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>>>>>>>>>> Mobile: +94779716248
>>>>>>>>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
>>>>>>>>>>> lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Tania Mahanama
>>>>>>>>> Senior Technical Writer
>>>>>>>>>
>>>>>>>>> Contact:
>>>>>>>>> Mob: +94 077 5129270
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Chamara Ariyarathne
>>>>>> Associate Technical Lead - QA
>>>>>> WSO2 Inc; http://www.wso2.com/
>>>>>> Mobile: +94772786766
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Nuwan Dias
>>>>
>>>> Technical Lead - WSO2, Inc. http://wso2.com
>>>> email : nuw...@wso2.com
>>>> Phone : +94 777 775 729
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> Johann Dilantha Nallathamby
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - +94777776950
>>> Blog - http://nallaa.wordpress.com
>>>
>>
>>
>>
>> --
>> Nuwan Dias
>>
>> Technical Lead - WSO2, Inc. http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>>
>>
>>
>
>
> --
> Bhathiya Jayasekara
> Senior Software Engineer,
> WSO2 inc., http://wso2.com
>
> Phone: +94715478185
> LinkedIn: http://www.linkedin.com/in/bhathiyaj
> Twitter: https://twitter.com/bhathiyax
> Blog: http://movingaheadblog.blogspot.com
>