i'm trying to generate new access token using Simple oauth (v 5.2.3) module in drupal 9 ,
when I generate private and public keys from module settings , the private and public key files created but the are empty .
and when I generate them by another way , this error shows
and Drupal Log shows this error message :
League\OAuth2\Server\Exception\OAuthServerException: The resource owner or authorization server denied the request. in League\OAuth2\Server\Exception\OAuthServerException::accessDenied()
Related
I'm learning WSO2 Identity Server Fundamentals - V5.11 now, while runnig the application pickup-dispatch by visiting http://localhost.com:8080/pickup-dispatch/index.jsp. I'm able to go to the page with the pickup-dispatch when i click on the login button , i'm getting the error Cannot find an application associated with the given consumer key : FUlim58xqgf3QMsybitgTPBkrKka, in the dispatch.properties file i have changed the consumer key as per the OAuth/OpenID Connect Configuration Oauth Client key & Oauth Client Secret.
i have closed everything and reopened (refreshed) yet i'm receiving this issue. I'm unable to understand where am i going wrong.
I have dockerized our Angular application which have been using WSO2 as API manager . After doing the configurations, i was able to run the application successfully and able to hit all existing api's. The only issue arises when i tried to use oath2/token api for performing login operation of our customer . Even though, the same code was used to perform authentication earlier(before dockerization) without any issues,now i am getting error as
{
"error": "invalid_grant",
"error_description": "Provided Authorization Grant is invalid"
}
Token generation api for login :
https://<myapplicationurl>:9443/oauth2/token
Errors am getting in docker console while trying to login using username 'devtest7#mailinator.com' :
Things to note :
WSO2 AM version is 2.1.0 , WSO2 IS version is 5.3.0
Arguments(headers & parameters) for the request is the same as that
used earlier(except the username and password).
I am able to create a new users and the corresponding user is listed
in Carbondb users list.
The issue exists while trying to login using existing user as well as
newly created users.
I have recently generated new ssl certificate for the application.
Able to login using super admin only . Login using newly created email and username is not working.
I tried solutions seen on stackoverflow which doesn't fixed my issues. Can any one please help?
There is a line in the above logs saying that SP tenant is not equal to user tenant and SP is not SaaS. Are the SP and users are from different tenants? Normally users cannot access SP across different tenants.
If you want to make the SP accessible across different tenants then you need to enable SaaS application option in the SP. Check this doc to learn more about SaaS application https://docs.wso2.com/display/IS530/Adding+and+Configuring+a+Service+Provider
Thanks for everyone who commented and tried to figure out the solution for the issue i mentioned. I got the resolution for the issue . As i tried multiple times to login by doing permutations and combinations in configurations, authentication was blocked for me. As a reason, i couldn't login and generate access token . I was able to resolve it by changing a flag in identity.xml file inside IS .
Changed the UserOperationEventListener enabling from 'true' to 'false' .
Before:
<EventListener enable="true" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" type="org.wso2.carbon.user.core.listener.UserOperationEventListener"/>
After:
<EventListener enable="false" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" type="org.wso2.carbon.user.core.listener.UserOperationEventListener"/>
This change allowed me to block the invalid authentication check. We are anyway adding that check from our code side.
According to the logs, it says
Non-SaaS service Provider's tenant domain is not same as user tenant
domain; carbon.super != mailinator.com
From the logs, the SP's is in the carbon.super tenant. But it considers the user as in the tenant mailinator.com.
When we specify the username for password grant with email as username, we have to use the full username with the tenant domain. (devtest7#mailinator.com#carbon.super).
So I was running my code which involves getting past tweets from a list of twitter users (i'm using application based authentication). I have been running it for around 2 days and now, it throws me an exception,
401:Authentication credentials (https://dev.twitter.com/pages/auth) were missing or incorrect. Ensure that you have set valid consumer key/secret, access token/secret, and the system clock is in sync.
I then found that the access token and access token secret for my application at https://apps.twitter.com/ has been changed. OAuth FAQ guide says "We do not currently expire access tokens" so I'm not sure what is really happening.
Below is the code snippet which does this (I'm using twitter4j library):
private static void getTweetsOfTheseUsers( List<String> usernames )
{
Twitter twit = TwitterAuth.getInstance();
for ( String user : usernames )
{
//get tweets for each user using twit.getUserTimeline();
}
}//end of method
EDIT:
I terminated the app and started again and it's working fine again with the same a/t and a/t/s. Can't really think what happned?
I'm a newbie for ASPnet identity services and we require a following requirement.
Following is the architecture setup
1. Appserver
Appsever having
a. Entity Framework
b. ASP.Net Web API2 Odata services
c. Authorization server
2. Webserver
ASP.Net MVC 5 application (Client which access the App server)
The flow needs to be
MVC5 Cleint application having a login / Register form
While register / login the information needs to send to the authorization server int he app server, Authorize and creating the claims using Identity Services.
Once the Identity has been created in the Authorization server, the client application should logged in
I'm aware of getting bearer token from authentication server and that will be used as header information to access the API service
All we are lacking is the MVC client application should use the same identity claims that have created in the Authorization server.
Is there any way to access the claims which are created in the auth server.
I have got some samples about how to authenticate in the auth server and receiving token though OWIN and from this token we can access the API securely but I need of the client web application needs to sign in based on the token
I have gone through the following links
http://blogs.msdn.com/b/webdev/archive/2013/09/20/understanding-security-features-in-spa-template.aspx
Also, I require to add claims when ever it requires after login as well
I have resolve this issue as follows, but I'm not sure this is the effective method
Once log-in and retrieve the bearer token (this token should assigned with claims identity already such as username, role .. etc)
In the web api AccountController, need to create a method to retrieve the default claims which requires for client web application. Please check the follows
[Authorize]
[HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]
[Route("UserInfo")]
public UserInfoViewModel GetUserInfo()
{
var firstname = ((ClaimsIdentity)User.Identity).Claims.Where(c => c.Type.Equals("FirstName")).SingleOrDefault();
var lastname = ((ClaimsIdentity)User.Identity).Claims.Where(c => c.Type.Equals("LastName")).SingleOrDefault();
var IsApproved = ((ClaimsIdentity)User.Identity).Claims.Where(c => c.Type.Equals("IsApproved")).SingleOrDefault();
var userinfo = new UserInfoViewModel
{
UserName = User.Identity.GetUserName(),
FirstName = firstname.Value.ToString(),
LastName = lastname.Value.ToString(),
UserApproved = Convert.ToBoolean(IsApproved.Value.ToString()),
HasRegistered = externalLogin == null,
LoginProvider = externalLogin != null ? externalLogin.LoginProvider : null
};
return userinfo;
}
From the client, this actin will be called through the token as a header.
Once we have got the information (is in Json string format) needs to serialize with the UserInfoViewModel class (user defined viewmodel is based on the info we require and send from webapi account) with javascript serializer
Using these viewmodel information, assign them to local storage and using (cookies for my case) as a identity at local
keep logout webapi too when ever you logs out from web app.
Please let me know if you need more info or code
I'm following Brock's tutorial on OAuth2 identity providers: OAuth2 in Thinktecture IdentityServer : OAuth2 identity providers and I'm having problems trying to setup each provider details. I'm trying to use google and facebook.
Google: What I've done is. I've created new project, within which I've gone to APIs & auth > Credentials > Create New Client ID and then chose "Web Application" option. On "Client ID for web application" panel in "Javascript Origins" section I have pasted base URL of my IdSrv (https://somename). I have copied Client ID and Client secret and pasted both into appropriate sections in IdSrv identity provider shown in tutorial. When I run the application I get the invalid_request error from Google saying Invalid parameter value for redirect_uri: Non-public domains not allowed: https://somename/idsrv/issue/hrd/oauth2callback
In case of Facebook, I've created new App, and was trying to set "Site URL" in basic settings to https://somename, but got an alert saying "must be a URL with a valid domain." which I believe is essentially the same as what the Google error message is saying
My question is: How can I deploy a test version of my IdSrv then? I just want a quick and simple environment for testing purposes for now. Am running the IdSrv in my local IIS, was following Dominick installation tutorial video Thinktecture IdentityServer v2 Tutorial: Installation
When we setup IdentityServer for local testing we configure it to run under IIS with a custom host name and then setup a entry in the local hosts file. To google this should appear as a public URL.
An easier approach is to use one of the localhost DNS services that exist.
For example, whatever.vcap.me resolves to 127.0.0.1 as does production.vcap.me, staging.vcap.me and development.vcap.me.