Hello Godwin,

For your first point:

I created a user from the IS console in the primary user store. I can see
it from the AM console. Then I tried with curl to generate an OAuth token
for this user, and that works:

curl -v --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa -k \
     -d "grant_type=password&username=toto&password=toto1" \
     https://apim:8243/token

100   216    0   168  100    48    168     48  0:00:01 --:--:--  0:00:01   281
{"access_token":"5e2f6f0b-1d98-3a6a-986a-ae29a6a80b75","refresh_token":"00302aab-5e00-3261-a787-bd97529ccc41","scope":"default","token_type":"Bearer","expires_in":3600}


For your second point:

I have those messages on the APIM side:

Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,568] DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG - JDBCAuthorizationManager Allowed roles for the ResourceID: /_system/governance/repository/components/org.wso2.carbon.all-themes/default/images/is-header-bg.png Action: http://www.wso2.org/projects/registry/actions/get
Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,595] DEBUG - JDBCAuthorizationManager role: INTERNAL/everyone
Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,596] DEBUG - JDBCAuthorizationManager role: admin
Jan 18 12:33:22 APIM wso2server.sh[52175]: [2018-01-18 12:33:22,597] DEBUG - JDBCAuthorizationManager role: SYSTEM/wso2.anonymous.role
Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,129] DEBUG - JDBCUserStoreManager SELECT * FROM UM_USER WHERE LOWER(UM_USER_NAME)=LOWER(?) AND UM_TENANT_ID=?
Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,140] DEBUG - JDBCUserStoreManager User versusmind login attempt. Login success :: false
Jan 18 12:33:23 APIM wso2server.sh[52175]: [2018-01-18 12:33:23,141] DEBUG - AbstractUserStoreManager Authentication failure. Wrong username or password is provided.


But none on the IS side. So it is like the AM does not request the IS to be
sure that the user is known by the IS.

In the api-manager.xml configuration file on the APIM side, I have:

<AuthManager>
    <!--
        Server URL of the Authentication service
    -->
    <!--ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
    <ServerURL>https://is:9443/services/</ServerURL>

    <!--
        Admin username for the Authentication manager.
    -->
    <Username>admin</Username>
    <!--
        Admin password for the Authentication manager.
    -->
    <Password>admin</Password>
    <!--
        Indicates whether the permissions checking of the user (on the Publisher and Store)
        should be done via a remote service. The check will be done on the local server when false.
    -->
    <CheckPermissionsRemotely>true</CheckPermissionsRemotely>
</AuthManager>

And

<APIKeyValidator>
    <!--
        Server URL of the API key manager
    -->
    <!--ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
    <ServerURL>https://is:9443/services/</ServerURL>

    <!--
        Admin username for API key manager.
    -->
    <Username>${admin.username}</Username>

    <!--
        Admin password for API key manager.
    -->
    <Password>${admin.password}</Password>

    <!-- Configurations related to enable thrift support for key-management related communication.
         If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
         In a distributed environment;
         -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
         -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
         -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
             -The Gateway uses this parameter to connect to the key validation thrift service. -->
    <!--KeyValidatorClientType>ThriftClient</KeyValidatorClientType-->
    <KeyValidatorClientType>WSClient</KeyValidatorClientType>
    <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
    <!--ThriftClientPort>10397</ThriftClientPort-->

    <!--EnableThriftServer>true</EnableThriftServer-->
    <EnableThriftServer>false</EnableThriftServer>
    <ThriftServerHost>localhost</ThriftServerHost>
    <!--ThriftServerPort>10397</ThriftServerPort-->

    <!--ConnectionPool>
        <MaxIdle>100</MaxIdle>
        <InitIdleCapacity>50</InitIdleCapacity>
    </ConnectionPool-->
    <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by
         plugging in a custom KeyValidation Handler -->
    <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
</APIKeyValidator>
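Added example (editor's code, not from the thread or from WSO2): a small Python check that reads the AuthManager and APIKeyValidator sections of api-manager.xml and reports which host each one delegates to, so a section that still resolves to the local node (and therefore authenticates on APIM rather than on the IS) is caught before reading wso2carbon.log on the wrong server. SAMPLE_CONFIG is a constructed copy of the two fragments above with the comments removed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the two api-manager.xml sections from the thread, comments removed.
SAMPLE_CONFIG = """<APIManager>
  <AuthManager>
    <ServerURL>https://is:9443/services/</ServerURL>
    <Username>admin</Username>
    <Password>admin</Password>
    <CheckPermissionsRemotely>true</CheckPermissionsRemotely>
  </AuthManager>
  <APIKeyValidator>
    <ServerURL>https://is:9443/services/</ServerURL>
    <Username>${admin.username}</Username>
    <Password>${admin.password}</Password>
    <KeyValidatorClientType>WSClient</KeyValidatorClientType>
  </APIKeyValidator>
</APIManager>"""

# ${carbon.local.ip} and similar are resolved at startup to *this* node, i.e. not the IS.
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")


def key_manager_endpoints(xml_text):
    """Per section: the ServerURL, its host and port, and whether it is still a placeholder."""
    root = ET.fromstring(xml_text)
    endpoints = {}
    for section in ("AuthManager", "APIKeyValidator"):
        url = root.findtext(f"./{section}/ServerURL", default="").strip()
        parsed = urlparse(url)
        endpoints[section] = {"url": url, "host": parsed.hostname, "port": parsed.port,
                              "unresolved": bool(PLACEHOLDER.search(url))}
    return endpoints


def findings(xml_text):
    """Human-readable problems; an empty list means both sections delegate to one remote host."""
    endpoints = key_manager_endpoints(xml_text)
    problems = []
    hosts = {e["host"] for e in endpoints.values()}
    if len(hosts) > 1:
        problems.append(f"AuthManager and APIKeyValidator point to different hosts: {sorted(map(str, hosts))}")
    for name, e in endpoints.items():
        if e["unresolved"]:
            problems.append(f"{name}/ServerURL still uses a local placeholder: {e['url']}")
        elif e["host"] in (None, "localhost", "127.0.0.1"):
            problems.append(f"{name}/ServerURL targets the local node, so authentication stays on APIM: {e['url']}")
    return problems
```

Run it against the real file with `findings(open("repository/conf/api-manager.xml").read())`; an empty list for the config above means both sections hand authentication and key validation to the IS host.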

2018-01-18 11:30 GMT+01:00 Godwin Shrimal <god...@wso2.com>:

> Hi Thomas,
>
> Ok, that means you have configured the secondary user store correctly and it's
> ready for authentication. When you call the token endpoint of the API
> manager, that API calls the API of the IS to create the access token (if
> you have properly configured IS as a Keymanager), then authentication
> happens on IS and not in the APIM.
>
> Can you do the following and share the result with us?
>
> 1. Check with a user which exists in the primary user store. (Hope you
> have shared primary user store between APIM and IS)
>
> 2. I doubt you have configured the IS as a Keymanager correctly. Can you add
> the following line to <IS_HOME>/conf/log4j.properties and
> <APIM_HOME>/conf/log4j.properties just after
> "log4j.logger.org.wso2.carbon=INFO", restart the servers, execute the above
> curl command and send the wso2carbon.log (located in
> <CARBON_HOME>/repository/logs) on both servers?
>
> log4j.logger.org.wso2.carbon.user.core=DEBUG
>
>
> Thanks
> Godwin
>
> On Thu, Jan 18, 2018 at 3:17 PM, Thomas LEGRAND <
> thomas.legr...@versusmind.eu> wrote:
>
>> Hello everybody,
>>
>> First, thank you for all of your answers :)
>>
>> Then, here is a screenshot of the users list in the **IS**, where we can
>> see that I have a user (versusmind) stored in a secondary user store (with
>> the domain RGPD):
>>
>> [image: Embedded image 1]
>> Then, I tried to execute the following curl commands but I have the same
>> error as before. It is like the APIM cannot "access" the user in the
>> secondary user store of the IS (which seems logical because only the
>> primary user store is shared between the APIM and the IS):
>>
>> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>     -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>     -k -d "grant_type=password&username=RGPD/versusmind&password=versusmind" \
>>     https://40.118.24.155:8243/token
>>
>> or
>>
>> curl -v -X POST --basic -u Lz6FaylMv5fF5ax4TrTZzlvlEowa:ih0znfMUS6lgqShXSYcDlhEUMqYa \
>>     -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" \
>>     -k -d "grant_type=password&username=versusmind&password=versusmind" \
>>     https://40.118.24.155:8243/token
>>
>> Regards,
>>
>> Thomas
>>
>>
>> 2018-01-18 8:19 GMT+01:00 Godwin Shrimal <god...@wso2.com>:
>>
>>> Yes. So Thomas's issue should be something different, since he has used the
>>> correct format of request (without using the user store domain).
>>>
>>> @Thomas: Can you log in to the IS Management console and check whether the
>>> secondary user store's users are listed under Users & Roles -> List -> Users?
>>>
>>> Thanks
>>> Godwin
>>>
>>> On Thu, Jan 18, 2018 at 2:05 PM, Sathya Bandara <sat...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal <god...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Sathya,
>>>>>
>>>>> Ideally, the user should get authenticated even if you send it without the
>>>>> user store domain, right?
>>>>>
>>>>
>>>> Yes, the user gets authenticated without the user store domain. If the user
>>>> is in the super tenant domain (carbon.super), we can discard the tenant
>>>> domain as well.
>>>>
>>>>>
>>>>>
>>>>> Thanks
>>>>> Godwin
>>>>>
>>>>>
>>>>> On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara <sat...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Thomas,
>>>>>>
>>>>>> Can you try with the following curl command?
>>>>>>
>>>>>> curl -v -X POST --basic -u <client_id>:<client_secret> \
>>>>>>     -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k \
>>>>>>     -d "grant_type=password&username=<userstore_domain>/sathya1@carbon.super&password=admin" \
>>>>>>     https://localhost:8243/token
>>>>>>
>>>>>> [1] https://docs.wso2.com/display/AM210/Password+Grant
>>>>>>
>>>>>> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
>>>>>> thomas.legr...@versusmind.eu> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I configured the Identity Server (IS) to be the Key Manager of the
>>>>>>> API Manager (APIM). In the IS, I configured a secondary user store
>>>>>>> where I will have the users of my applications. But I think I missed
>>>>>>> something, because when I want to generate an OAuth token for a user
>>>>>>> stored in this secondary user store, I get an error:
>>>>>>>
>>>>>>> My request:
>>>>>>>
>>>>>>> curl -k -d "grant_type=password&username=<USR_NAME>&password=<USR_PASSWD>" \
>>>>>>>     -H "Authorization: Basic <BASE64_KEY_SECRET_COUPLE>" https://apim:8243/token
>>>>>>>
>>>>>>> The response:
>>>>>>>
>>>>>>> {"error_description":"Authentication failed for <USR_NAME>@carbon.super","error":"invalid_grant"}
>>>>>>>
>>>>>>> In the application in the store of the APIM, "Password" is ticked so
>>>>>>> the grant_type is right.
>>>>>>> And I tried the following patterns for the <USR_NAME>:
>>>>>>> - <USR_NAME>
>>>>>>> - <DOMAIN>/<USR_NAME>
>>>>>>> - <DOMAIN>\<USR_NAME>
>>>>>>>
>>>>>>> Can you help me? How can I ensure that the APIM uses all of the user
>>>>>>> stores from the IS?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Thomas
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Sathya Bandara
>>>>>> Software Engineer
>>>>>> WSO2 Inc. http://wso2.com
>>>>>> Mobile: (+94) 715 360 421
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Godwin Amila Shrimal
>>>>> Associate Technical Lead
>>>>> WSO2 Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> mobile: +94772264165
>>>>> linkedin: https://www.linkedin.com/in/godwin-amila-2ba26844/
>>>>> twitter: https://twitter.com/godwinamila
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>