
[APIM-4.3.0][ISKM-6.1.0] [Backend JWT] User Claims Retrieval is not working in the IS KM deployment. #3075

Open
cbabey opened this issue Aug 21, 2024 · 0 comments


cbabey commented Aug 21, 2024

Description

If we configure the Identity Server (IS) as a Key Manager by sharing databases or within our resident Key Manager, the user info endpoint is set by default to /keymanager-operations/user-info. This configuration works correctly in the resident Key Manager scenario. However, when using IS as a Key Manager with a shared database (ISKM) or when configuring IS as a third-party Key Manager, the internal user info call fails with a 500 error response.

The exception occurred on the APIM side.

[2024-08-16 13:20:51,933] ERROR - JWTValidator Error while retrieving User claims from Key Manager 
org.wso2.carbon.apimgt.api.APIManagementException: Error while getting user info
	at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException_aroundBody12(AbstractKeyManager.java:274) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
	at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException(AbstractKeyManager.java:1) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
	at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.getUserClaims_aroundBody82(AMDefaultKeyManagerImpl.java:1273) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
	at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.getUserClaims(AMDefaultKeyManagerImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.getUserClaimsFromKeyManager_aroundBody50(JWTValidator.java:878) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.getUserClaimsFromKeyManager(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.includeUserStoreClaimsIntoClaims_aroundBody12(JWTValidator.java:429) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.includeUserStoreClaimsIntoClaims(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.generateAndRetrieveJWTToken_aroundBody10(JWTValidator.java:404) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.generateAndRetrieveJWTToken(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.authenticate_aroundBody0(JWTValidator.java:310) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.authenticate(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate_aroundBody4(OAuthAuthenticator.java:310) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody64(APIAuthenticationHandler.java:591) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody54(APIAuthenticationHandler.java:459) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
	at org.apache.synapse.api.API.process(API.java:407) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
	at org.apache.synapse.api.AbstractApiHandler.apiProcessNonDefaultStrategy(AbstractApiHandler.java:109) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
	at org.apache.synapse.api.AbstractApiHandler.identifyAPI(AbstractApiHandler.java:129) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
	at org.apache.synapse.api.AbstractApiHandler.dispatchToAPI(AbstractApiHandler.java:61) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
	at org.apache.synapse.api.rest.RestRequestHandler.dispatchToAPI(RestRequestHandler.java:90) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
	at org.apache.synapse.api.rest.RestRequestHandler.process(RestRequestHandler.java:76) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
	at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:54) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
	at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:350) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
	at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:101) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
	at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) ~[axis2_1.6.1.wso2v76.jar:?]
	at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:401) ~[synapse-nhttp-transport_4.0.0.wso2v105_2.jar:?]
	at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:215) ~[synapse-nhttp-transport_4.0.0.wso2v105_2.jar:?]
	at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) ~[axis2_1.6.1.wso2v76.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
	at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: org.wso2.carbon.apimgt.impl.kmclient.KeyManagerClientException: Received status code: 500 Reason: 
	at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode_aroundBody0(KMClientErrorDecoder.java:45) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
	at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode(KMClientErrorDecoder.java:1) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
	at feign.InvocationContext.decodeError(InvocationContext.java:126) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.InvocationContext.proceed(InvocationContext.java:72) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.ResponseHandler.handleResponse(ResponseHandler.java:63) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:114) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:70) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:99) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at com.sun.proxy.$Proxy451.generateClaims(Unknown Source) ~[?:?]
	at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.getUserClaims_aroundBody82(AMDefaultKeyManagerImpl.java:1266) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
	... 31 more

The exception occurred on the IS side.

[2024-08-16 13:20:51,914] [7ddf4587-80cd-4dd4-b774-1de7777a44c6] ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/keymanager-operations].[CXFServlet]} - Servlet.service() for servlet [CXFServlet] in context with path [/keymanager-operations] threw exception org.apache.cxf.interceptor.Fault: 'org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder.getTokenProvider()'
	at org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:162)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:128)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:555)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:279)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119)
	at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115)
	at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38)
	at org.wso2.carbon.identity.cors.valve.CORSValve.invoke(CORSValve.java:83)
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:154)
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:142)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:114)
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:75)
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63)
	at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
	at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.NoSuchMethodError: 'org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder.getTokenProvider()'
	at org.wso2.is.key.manager.operations.endpoint.impl.UserInfoApiServiceImpl.userInfoClaimsGeneratePost(UserInfoApiServiceImpl.java:123)
	at org.wso2.is.key.manager.operations.endpoint.UserInfoApi.userInfoClaimsGeneratePost(UserInfoApi.java:49)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
	... 56 more

Steps to Reproduce

  1. Configure IS as the Key Manager.
  2. Add the following configuration to the deployment.toml:

[apim.jwt]
enable = true
gateway_generator.enable_claim_retrieval = true

Affected Component

APIM

Version

4.3.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response

@cbabey cbabey changed the title [APIM-4.3.0][ISKM-6.1.0] User Claims Retrieval is not working in the IS KM deployment. [APIM-4.3.0][ISKM-6.1.0] [Backend JWT] User Claims Retrieval is not working in the IS KM deployment. Aug 21, 2024
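As an added example that is not part of the issue or of the WSO2 code base: a small Python triage script for the two traces above. It embeds abbreviated, constructed versions of the APIM-side and IS-side log excerpts, extracts the innermost "Caused by:" entry of each, classifies the signature (a NoSuchMethodError is a binary incompatibility between the calling class and the library actually on the classpath; a 5xx reported by the Key Manager client means the failure has to be read on the IS side), pulls the IS request correlation id, and checks that the IS-side error precedes the gateway-side one within a short window. The rule wording and the 500 ms window are the example's own assumptions.

```python
"""Triage helper for the APIM -> IS Key Manager user-info failure.

Added example, not WSO2 project code. The two log samples below are
abbreviated, constructed copies of the traces quoted in the issue.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: abbreviated from the APIM-side trace in the issue.
APIM_LOG = """\
[2024-08-16 13:20:51,933] ERROR - JWTValidator Error while retrieving User claims from Key Manager
org.wso2.carbon.apimgt.api.APIManagementException: Error while getting user info
\tat org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException_aroundBody12(AbstractKeyManager.java:274)
Caused by: org.wso2.carbon.apimgt.impl.kmclient.KeyManagerClientException: Received status code: 500 Reason:
\tat org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode_aroundBody0(KMClientErrorDecoder.java:45)
\t... 31 more
"""

# Constructed sample: abbreviated from the IS-side trace in the issue.
IS_LOG = """\
[2024-08-16 13:20:51,914] [7ddf4587-80cd-4dd4-b774-1de7777a44c6] ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/keymanager-operations].[CXFServlet]} - Servlet.service() for servlet [CXFServlet] in context with path [/keymanager-operations] threw exception org.apache.cxf.interceptor.Fault: 'org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder.getTokenProvider()'
\tat org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:162)
Caused by: java.lang.NoSuchMethodError: 'org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder.getTokenProvider()'
\tat org.wso2.is.key.manager.operations.endpoint.impl.UserInfoApiServiceImpl.userInfoClaimsGeneratePost(UserInfoApiServiceImpl.java:123)
\t... 56 more
"""

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]")
CAUSE_RE = re.compile(r"^Caused by: ([\w.$]+)(?::\s*(.*))?$")
CORRELATION_RE = re.compile(r"\[([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\]")

# Signature -> verdict. The verdict text is the generic Java/HTTP meaning of the
# signature (an assumption of this example, not a statement from the project).
RULES = [
    (re.compile(r"NoSuchMethodError"),
     "binary incompatibility: the caller was compiled against a method the "
     "deployed library does not expose; compare component/webapp versions"),
    (re.compile(r"KeyManagerClientException: Received status code: 5\d\d"),
     "Key Manager user-info call failed server-side; read the IS log"),
]


def parse_timestamp(text):
    """Timestamp of the first log line that carries one, or None."""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    return None


def root_cause(text):
    """(exception class, message) of the innermost 'Caused by:' entry."""
    found = None
    for line in text.splitlines():
        m = CAUSE_RE.match(line)
        if m:
            found = (m.group(1), (m.group(2) or "").strip())
    return found


def classify(cause):
    """Map a (class, message) root cause onto the first matching rule."""
    full = f"{cause[0]}: {cause[1]}"
    for pattern, verdict in RULES:
        if pattern.search(full):
            return verdict
    return "unclassified"


def correlate(apim_text, is_text, window_ms=500):
    """Check that the IS failure and the gateway failure line up in time."""
    t_apim, t_is = parse_timestamp(apim_text), parse_timestamp(is_text)
    if t_apim is None or t_is is None:
        return None
    delta = abs(t_apim - t_is)
    return {
        "delta_ms": int(delta.total_seconds() * 1000),
        "is_failed_first": t_is <= t_apim,
        "within_window": delta <= timedelta(milliseconds=window_ms),
    }


def triage(apim_text=APIM_LOG, is_text=IS_LOG):
    """Summarise both traces into one dict a responder can act on."""
    apim_cause, is_cause = root_cause(apim_text), root_cause(is_text)
    corr_id = CORRELATION_RE.search(is_text)
    return {
        "apim_root_cause": apim_cause[0],
        "apim_verdict": classify(apim_cause),
        "is_root_cause": is_cause[0],
        "is_verdict": classify(is_cause),
        "is_correlation_id": corr_id.group(1) if corr_id else None,
        "correlation": correlate(apim_text, is_text),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the traces quoted in the issue the script reports the IS-side NoSuchMethodError 19 ms before the gateway-side 500, which is the order a responder should expect: the gateway error is only the symptom, and the version mismatch behind the missing `getTokenProvider()` method on the IS side is what needs fixing.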