If we configure the Identity Server (IS) as a Key Manager by sharing databases or within our resident Key Manager, the user info endpoint is set by default to /keymanager-operations/user-info. This configuration works correctly in the resident Key Manager scenario. However, when using IS as a Key Manager with a shared database (ISKM) or when configuring IS as a third-party Key Manager, the internal user info call fails with a 500 error response.
The exception occurred on the APIM side.
[2024-08-16 13:20:51,933] ERROR - JWTValidator Error while retrieving User claims from Key Manager
org.wso2.carbon.apimgt.api.APIManagementException: Error while getting user info
at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException_aroundBody12(AbstractKeyManager.java:274) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException(AbstractKeyManager.java:1) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.getUserClaims_aroundBody82(AMDefaultKeyManagerImpl.java:1273) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.getUserClaims(AMDefaultKeyManagerImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.getUserClaimsFromKeyManager_aroundBody50(JWTValidator.java:878) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.getUserClaimsFromKeyManager(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.includeUserStoreClaimsIntoClaims_aroundBody12(JWTValidator.java:429) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.includeUserStoreClaimsIntoClaims(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.generateAndRetrieveJWTToken_aroundBody10(JWTValidator.java:404) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.generateAndRetrieveJWTToken(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.authenticate_aroundBody0(JWTValidator.java:310) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.authenticate(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate_aroundBody4(OAuthAuthenticator.java:310) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody64(APIAuthenticationHandler.java:591) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody54(APIAuthenticationHandler.java:459) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:1) ~[org.wso2.carbon.apimgt.gateway_9.29.120.45.jar:?]
at org.apache.synapse.api.API.process(API.java:407) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
at org.apache.synapse.api.AbstractApiHandler.apiProcessNonDefaultStrategy(AbstractApiHandler.java:109) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
at org.apache.synapse.api.AbstractApiHandler.identifyAPI(AbstractApiHandler.java:129) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
at org.apache.synapse.api.AbstractApiHandler.dispatchToAPI(AbstractApiHandler.java:61) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
at org.apache.synapse.api.rest.RestRequestHandler.dispatchToAPI(RestRequestHandler.java:90) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
at org.apache.synapse.api.rest.RestRequestHandler.process(RestRequestHandler.java:76) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:54) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:350) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:101) ~[synapse-core_4.0.0.wso2v105_1.jar:4.0.0-wso2v105.1]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) ~[axis2_1.6.1.wso2v76.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:401) ~[synapse-nhttp-transport_4.0.0.wso2v105_2.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:215) ~[synapse-nhttp-transport_4.0.0.wso2v105_2.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) ~[axis2_1.6.1.wso2v76.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: org.wso2.carbon.apimgt.impl.kmclient.KeyManagerClientException: Received status code: 500 Reason:
at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode_aroundBody0(KMClientErrorDecoder.java:45) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode(KMClientErrorDecoder.java:1) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
at feign.InvocationContext.decodeError(InvocationContext.java:126) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
at feign.InvocationContext.proceed(InvocationContext.java:72) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
at feign.ResponseHandler.handleResponse(ResponseHandler.java:63) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:114) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:70) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:99) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
at com.sun.proxy.$Proxy451.generateClaims(Unknown Source) ~[?:?]
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.getUserClaims_aroundBody82(AMDefaultKeyManagerImpl.java:1266) ~[org.wso2.carbon.apimgt.impl_9.29.120.43.jar:?]
... 31 more
The exception occurred on the IS side.
[2024-08-16 13:20:51,914] [7ddf4587-80cd-4dd4-b774-1de7777a44c6] ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/keymanager-operations].[CXFServlet]} - Servlet.service() for servlet [CXFServlet] in context with path [/keymanager-operations] threw exception org.apache.cxf.interceptor.Fault: 'org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder.getTokenProvider()'
at org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:162)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:128)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:555)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:279)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119)
at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115)
at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38)
at org.wso2.carbon.identity.cors.valve.CORSValve.invoke(CORSValve.java:83)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:154)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:142)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:114)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:75)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63)
at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.NoSuchMethodError: 'org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder.getTokenProvider()'
at org.wso2.is.key.manager.operations.endpoint.impl.UserInfoApiServiceImpl.userInfoClaimsGeneratePost(UserInfoApiServiceImpl.java:123)
at org.wso2.is.key.manager.operations.endpoint.UserInfoApi.userInfoClaimsGeneratePost(UserInfoApi.java:49)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
... 56 more
Steps to Reproduce
Configure the IS as Key-Manager.
Add the following configuration in the deployment.toml:

[apim.jwt]
enable = true
gateway_generator.enable_claim_retrieval = true

cbabey changed the title from "[APIM-4.3.0][ISKM-6.1.0] User Claims Retrieval is not working in the IS KM deployment." to "[APIM-4.3.0][ISKM-6.1.0] [Backend JWT] User Claims Retrieval is not working in the IS KM deployment." on Aug 21, 2024.
Affected Component
APIM
Version
4.3.0