How to correctly install WSO2 API Manager? - java

I was trying to install WSO2 API Manager and this error appeared, but I do not know how to fix it or what it means. Can someone tell me what I did wrong? Thanks in advance.

When starting API Manager, it adds an admin user to the configured data store. As per the error logs, an admin user already exists in the data store. Thus, remove that admin user and restart the server. If you want to keep the previously created admin user together with this new admin user, then perform the below-mentioned configuration in APIM_HOME/repository/conf/deployment.toml. Here you are changing the default admin username to a new username, as admin already exists in the DB.
[super_admin]
username = "admin_new"
password = "admin_new"
create_admin_account = true

Related

invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password

I am trying to send a POST request to https://login.microsoftonline.com/<My_Tenant_Id>/oauth2/token from my Java code, but I am getting the error "invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password". I have verified the credentials and they are correct (I am able to log in to the Azure portal and see my AWS app for SSO). I even tried sending the same request from Postman, but I get the same issue there too.
The parameters I have passed are:
"grant_type", "password"
"requested_token_type","urn:ietf:params:oauth:token-type:saml2"
"username", username
"password", password
"client_secret", clientSecret
"client_id", clientId
"resource", clientId
I have even checked various Microsoft documentation pages but I am still not able to resolve the issue.
Can anybody tell what the issue might be? Is the API call wrong or is the server setup wrong?
Please note: initially my API call was working, but then I got the error invalid_request: AADSTS80014; then it automatically got resolved and I started getting invalid_grant: AADSTS50126. Has anybody faced this issue or knows how to fix it? Thanks!
I was able to resolve this by creating a cloud-only user. The reason a federated user fails with the Resource Owner Password Grant flow is that for a federated user Azure AD has to redirect the user to the specific federation server that belongs to the user's on-prem domain, so that the ADFS server can perform the authentication with the local domain controller. In the Resource Owner Password Grant flow this redirect is not possible, hence it is not able to validate the username and password, and hence that error.
As a suggestion, we can create a new cloud-only user whose username and password reside in Azure AD, so that when we submit the user's credentials using the Resource Owner Password Grant flow, AAD can authenticate the user without any redirections.
This user can be a normal user in AAD, and the respective delegated permissions should be present in the app registration. One more thing to make sure of: if the delegated permission we are providing needs admin consent, then before the user logs in to the application the admin has to grant admin consent for this delegated permission. If we want the user to provide his/her own consent (if the delegated permission needs user consent), then we would have to somehow obtain the user's consent before going ahead with the Resource Owner Password Grant flow.

Forced password change issue when using an Azure AD account

I use an Azure AD account like npa@****.onmicrosoft.com to send emails from my Java application.
However, it seems that if the password of the account is not changed periodically, an email authentication error occurs.
How can I work around this issue without having to periodically update the password in my Java application?
You are facing this issue due to the password expiry policy.
You can set an individual user's password to never expire. You can follow the Microsoft documentation, which helps you fix the issue.

problem using a keycloak UserStorageProvider SPI

I have implemented a custom Keycloak UserStorageProvider SPI (following point 11 of the official doc: https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi) which does the following:
1. Authenticate users (not previously existing in the local store) against an external auth service.
2. Save the user (successfully authenticated against our custom service) into the Keycloak local store.
3. After the users have been imported into Keycloak's local store (after users have successfully logged themselves in), the admins are then able to map roles to those users for resource authorization from Keycloak's admin console.
The problem I'm running into is the following: steps 1 and 2 work perfectly. Regarding step 3, I can successfully log in with a user that was saved in Keycloak's local store (after finding it in the external UserProvider), BUT (and here lies the crux of the problem): as soon as I add any role to that imported user, I can't log in to that account anymore, and the logs show that my custom UserStorageProvider isn't being used anymore from that point onwards when logging in that user. Somehow attaching a role to that user makes him invisible to my custom UserStorageProvider (even if I delete the role(s) again).
In the best-case scenario I'm trying to achieve, I'd be able to "log in" with the user (saved locally after authenticating through the external SPI), even after assigning roles to him.
Any feedback would be greatly appreciated!!
Thanks in advance for your suggestions.
In case somebody has this problem in the future: when you implement a provider SPI, you have 2 options, as the doc mentions: a federated store, or importing users into the local Keycloak store. If you go with the importing/syncing strategy, it is necessary to set the federation link to the provider like this:
<UserModel instance>.setFederationLink(<ComponentModel id>);
If you don't do this, then Keycloak can't "remember" that those imported users should be handled by your provider SPI, and in general you won't get the expected behaviour out of your custom provider SPI.
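As an added example (not the original poster's code and not Keycloak's own), here is a minimal import-style UserStorageProvider that does what the answer above describes: it authenticates unknown users against an external service, imports them into the local store and sets the federation link so that later logins for that user are routed back to this provider. It assumes the Keycloak 20+ API (local store obtained via UserStoragePrivateUtil; older releases used session.userLocalStorage()), and ExternalAuthClient is a hypothetical interface standing in for the external auth service.

```java
// Added example, not the original poster's code or Keycloak's own: a minimal
// import-style UserStorageProvider that authenticates unknown users against an
// external service, copies them into Keycloak's local store and sets the
// federation link so later logins for that user are routed back here.
// Assumptions: Keycloak 20+ API (older releases used session.userLocalStorage());
// ExternalAuthClient is a hypothetical stand-in for the external auth service.
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStoragePrivateUtil;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.ImportedUserValidation;
import org.keycloak.storage.user.UserLookupProvider;

public class ExternalAuthStorageProvider implements UserStorageProvider,
        UserLookupProvider, CredentialInputValidator, ImportedUserValidation {

    /** Hypothetical client for the external auth service (assumption). */
    public interface ExternalAuthClient {
        boolean userExists(String username);
        boolean checkPassword(String username, String password);
    }

    private final KeycloakSession session;
    private final ComponentModel model; // this provider instance's component
    private final ExternalAuthClient external;

    public ExternalAuthStorageProvider(KeycloakSession session, ComponentModel model,
                                       ExternalAuthClient external) {
        this.session = session;
        this.model = model;
        this.external = external;
    }

    // Steps 1 and 2: Keycloak calls this only when the local store has no such
    // user. Import the user and link it to this component; without
    // setFederationLink it is a plain local user and this provider is never asked again.
    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        if (!external.userExists(username)) {
            return null;
        }
        UserModel local = UserStoragePrivateUtil.userLocalStorage(session)
                .getUserByUsername(realm, username);
        if (local == null) {
            local = UserStoragePrivateUtil.userLocalStorage(session).addUser(realm, username);
            local.setEnabled(true);
            local.setFederationLink(model.getId());
        }
        return local;
    }

    @Override
    public UserModel getUserById(RealmModel realm, String id) {
        // Ids minted by a storage provider have the form f:<component id>:<external id>
        return getUserByUsername(realm, new StorageId(id).getExternalId());
    }

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) {
        return null; // the external service is keyed by username only (assumption)
    }

    // Called on each lookup of an imported user carrying this provider's link;
    // returning null deletes the local copy, so a user removed upstream is cut off.
    @Override
    public UserModel validate(RealmModel realm, UserModel user) {
        return external.userExists(user.getUsername()) ? user : null;
    }

    // Step 3: roles are mapped on the local UserModel in the admin console,
    // while the password check still reaches this provider through the link.
    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) {
            return false;
        }
        return external.checkPassword(user.getUsername(), input.getChallengeResponse());
    }

    @Override
    public void close() {
        // nothing to release; a real client would close its connection here
    }
}
```

The matching UserStorageProviderFactory's create(session, model) constructs this class with whatever client implements ExternalAuthClient. Once the federation link is set, role mappings added in the admin console live on the local UserModel and do not change who validates the password, which is the behaviour the answer above is after.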

MKS API to get password from preferences

I have an application that connects to Integrity through the Java MKS API. To test the application's functionality I hardcoded the user and the password for my computer, but now after testing I want to make the app generic so more users can use it.
Normally, each user has a username (this information I can get from ENV) and a password configured in the Integrity interface. Is there a possibility to tell the MKS API to get the password from those preferences?
There is no option to get the password from the client preferences.
You don't need the password if the connection already exists and you are using local integration.
e.g.
si projects --hostname={SI_HOST} --port={SI_PORT} --user={USERNAME}
The previous command will work without a password if there is an active connection for the provided info: {USERNAME}@{SI_HOST}:{SI_PORT}
Another option is to use a user with impersonate permission.
If you cannot use either of these options, the only way is to prompt the user for a password.

wso2 identity server oauth userinfo no role

I have a WSO2 Identity Server installed and I have written some Java code to get user information with OAuth 2. For this I am using OLTU. I have connected correctly and, after negotiating the access code, I query the userinfo endpoint like this:
https://<serverIP>:9443/oauth2/userinfo?schema=openid
I get the user info correctly in JSON format:
{"email":"xxxx@xxx.aa","name":"xxx","family_name":"xx","preferred_username":"xxx","given_name":"xx"}
What I find is that no role information is returned. I have created some custom roles and assigned them to the users. They don't have any permissions assigned.
Do I have to configure anything in the server? Does the request have to be made in another way? What am I doing wrong?
There are two ways to add this claim mapping. It depends on your requirement.
To get this done you have to add a role claim mapping under the "http://wso2.org/oidc/claim" claim dialect. This can be done in the following ways:
Case 1: For a fresh WSO2 IS, before first startup
Go to the <IS_HOME>/repository/conf/claim-config.xml file.
Add the following configuration under <Dialect dialectURI="http://wso2.org/oidc/claim">:
<Claim>
<ClaimURI>Roles</ClaimURI>
<DisplayName>Roles</DisplayName>
<AttributeID>role</AttributeID>
<Description>role of the user</Description>
<DisplayOrder>10</DisplayOrder>
<SupportedByDefault />
</Claim>
Case 2: For an already running server
Log in to the Identity Server management console as the admin user.
Click the Configure button to access the Configure menu.
Click on the http://wso2.org/oidc/claim dialect.
Click on "Add New Claim Mapping" and set the above details.
(There you will get an error, which is a known issue, but the value will be stored. Then edit it again and set the Mapped Attribute again.)
Then restart the server. Now you can get the user info with roles.
