Related
I have set up an Opentelemetry collector which exports metrics to New Relic, but it is giving me the following error:
exporterhelper/queued_retry.go:215 Exporting failed. Will retry the request after interval.
{
"kind": "exporter",
"name": "otlp",
"error": "rpc error: code = DeadlineExceeded desc = context deadline exceeded",
"interval": "7.202545441s"
}
This is my collector.yaml file:
receivers:
otlp:
protocols:
grpc:
http:
exporters:
logging:
loglevel: debug
awsxray:
awsemf:
namespace: PaymentService
otlp:
endpoint: ${NEW_RELIC_OPENTELEMETRY_ENDPOINT}
headers:
api-key: ${NEW_RELIC_LICENSE_KEY}
service:
pipelines:
traces:
receivers: [otlp]
exporters: [otlp]
metrics:
receivers: [otlp]
exporters: [otlp]
logs:
receivers: [otlp]
exporters: [otlp]
I am not sure if whether this is an Opentelemetry issue or a New Relic one.
Also, these are other logs that are showing up:
warn zapgrpc/zapgrpc.go:191 [transport] transport: http2Server.HandleStreams failed to read frame: read tcp 127.0.0.1:4317->127.0.0.1:33316: read: connection reset by peer {
"grpc_log": true
}
If that message is intermittent, its likely that isn’t any issue with either the collector or new relic. The internet has intermittent issues - the customers network may temporarily have connectivity issues or low throughput causing the request to timeout. As indicated in the error message, the request will be retried after some interval.
If the message is consistent, they might be misconfiguring the otlp exporter or their network may not be configured correctly to connect to the new relic OTLP endpoint.
With spring-security 5.7.1 I get
Invalid signature for object [id6...]
This is the error message of the signature verification of the saml assertion. But with version 5.4.2 it works.
This is my application.yml
spring:
security:
saml2:
relyingparty:
registration:
okta-saml:
identityprovider:
entity-id: http://www.okta.com/e...
verification:
credentials:
- certificate-location: "classpath:saml-certificate/okta.crt"
singlesignon:
url: https://dev-7....okta.com/app/dev-7..._appsaml_1/e.../sso/saml
sign-request: false
Maybe something must be changed in application.yml?
have seen the Same problem after updating to Spring Boot 2.7.
the problem is related to verifying the SAML response signature
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to establish trust of KeyInfo-derived credential 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to verify signature and/or establish trust using any KeyInfo-derived credentials 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Attempting to verify signature using trusted credentials 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Failed to verify signature using either KeyInfo-derived or directly trusted credentials
i am trying to run the webdriverIO tests with cucumber framework on CircleCI, however am running into an issue at the point of executing the test command-
This is my circleCI config.yml which I am using-
version: 2.1
jobs:
build:
docker:
- image: circleci/node:10-browsers
working_directory: ~/project
steps:
- checkout
- restore_cache:
keys:
- v1-dependencies-{{ checksum "package.json" }}
# fallback to using the latest cache if no exact match is found
- v1-dependencies-
- run:
name: "Install dependencies"
command: |
npm install
- save_cache:
paths:
- node_modules
key: v1-dependencies-{{ checksum "package.json" }}
- run:
name: "Run tests"
command: |
npm run test
- store_test_results:
path: ./allure-results
This is my wdio.conf.js-
exports.config = {
//
// ====================
// Runner Configuration
// ====================
//
// WebdriverIO allows it to run your tests in arbitrary locations (e.g. locally or
// on a remote machine).
runner: 'local',
hostname: 'localhost',
port: 4444,
specs: [
'./features/**/*.feature'
],
// Patterns to exclude.
exclude: [
// 'path/to/excluded/files'
],
maxInstances: 10,
capabilities: [{
maxInstances: 5,
browserName: 'chrome',
acceptInsecureCerts: true
}],
logLevel: 'info',
bail: 0,
baseUrl: 'http://localhost',
waitforTimeout: 10000,
connectionRetryTimeout: 120000,
connectionRetryCount: 3,
services: ['selenium-standalone'],
capabilities: [{
maxInstances: 5,
browserName: 'chrome',
}],
args: {
drivers: {
chrome: { version: '83.0.4103' },
}
},
framework: 'cucumber',
reporters: ['spec','allure'],
reporterOptions: {
allure: {
outputDir: './reports/allure-results'
}
},
cucumberOpts: {
require: ['./features/step-definitions/steps.js'],
backtrace: false,
requireModule: ['#babel/register'],
dryRun: false,
failFast: false,
formatter output (repeatable)
format: ['pretty'],
// hide step definition snippets for pending steps
snippets: true,
// hide source uris
source: true,
// <string[]> (name) specify the profile to use
profile: [],
// fail if there are any undefined or pending steps
strict: false,
// (expression) only execute the features or scenarios with tags matching the expression
tagExpression: '#runnow1',
// timeout for step definitions
timeout: 60000,
// Enable this config to treat undefined definitions as warnings.
ignoreUndefinedDefinitions: false
},
}
This is the stack trace of the error I am getting in circleCi-
[0-2] 2020-08-27T14:09:27.770Z ERROR webdriver: session not created: session not created: This version of ChromeDriver only supports Chrome version 83
Build info: version: '3.141.59', revision: 'e82be7d358', time: '2018-11-14T08:25:53'
System info: host: 'f5e174502751', ip: '172.19.0.3', os.name: 'Linux', os.arch: 'amd64', os.version: '4.15.0-1077-aws', java.version: '11.0.6'
Driver info: driver.version: unknown
remote stacktrace: #0 0x561324a36579 <unknown>
at getErrorFromResponseBody (/home/circleci/project/node_modules/webdriver/build/utils.js:121:10)
at WebDriverRequest._request (/home/circleci/project/node_modules/webdriver/build/request.js:149:56)
at process._tickCallback (internal/process/next_tick.js:68:7)
[0-2] 2020-08-27T14:09:27.770Z ERROR #wdio/runner: Error: Failed to create session.
session not created: This version of ChromeDriver only supports Chrome version 83
Build info: version: '3.141.59', revision: 'e82be7d358', time: '2018-11-14T08:25:53'
System info: host: 'f5e174502751', ip: '172.19.0.3', os.name: 'Linux', os.arch: 'amd64', os.version: '4.15.0-1077-aws', java.version: '11.0.6'
Driver info: driver.version: unknown
remote stacktrace: #0 0x561324a36579 <unknown>
at startWebDriverSession (/home/circleci/project/node_modules/webdriver/build/utils.js:45:11)
at process._tickCallback (internal/process/next_tick.js:68:7)
[0-2] Error: Failed to create session.
session not created: This version of ChromeDriver only supports Chrome version 83
Build info: version: '3.141.59', revision: 'e82be7d358', time: '2018-11-14T08:25:53'
System info: host: 'f5e174502751', ip: '172.19.0.3', os.name: 'Linux', os.arch: 'amd64', os.version: '4.15.0-1077-aws', java.version: '11.0.6'
Driver info: driver.version: unknown
remote stacktrace: #0 0x561324a36579 <unknown>
This was a recent regression in the dependency WebdriverIO uses to download the proper version of Chromedriver. The WebdriverIO issue is here.
A temporary workaround suggested in that issue is to tell selenium-service to use a specific version of Chromedriver in the wdio config:
services: [
[
"selenium-standalone",
{
logPath: "logs",
installArgs: {
version: "3.141.5",
baseURL: "https://selenium-release.storage.googleapis.com",
drivers: {
chrome: {
version: "85.0.4183.83",
arch: process.arch,
baseURL: "https://chromedriver.storage.googleapis.com",
},
},
},
args: {
version: "3.141.5",
drivers: {
chrome: {
version: "85.0.4183.83",
arch: process.arch,
},
},
},
},
],
],
I'd suggest using a prebuilt image with Chrome browser or see how it was built in the Dockerfile, ex https://hub.docker.com/r/atools/chrome-headless
Here is an example repo where you can see tests passing in the pipeline https://github.com/mgrybyk/wdio-jasmine-boilerplate
I'm trying to register authenticate with Postman on my Identity Server 4. It worked with .Net Code 2 but I recently updated to .Net Core 3 and did adaptations. I can open my login page, I can login but then I'm not redirected properly. Is stay on login page and each time I click on Login I I loop on login page.
First here is my postman settings
When I click request token I get this page
So my login and password are correct but I keep looping on this page.
Here is my code:
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
namespace Oyg.IdentityServer
{
public class Startup
{
public IWebHostEnvironment Environment { get; }
public Startup(IWebHostEnvironment environment)
{
Environment = environment;
}
public void ConfigureServices(IServiceCollection services)
{
// uncomment, if you want to add an MVC-based UI
services.AddControllersWithViews();
var builder = services.AddIdentityServer()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddDeveloperSigningCredential(persistKey: false)
.AddTestUsers(Config.GetUsers());
// not recommended for production - you need to store your key material somewhere secure
builder.AddDeveloperSigningCredential();
}
public void Configure(IApplicationBuilder app)
{
if (Environment.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
// uncomment if you want to add MVC
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
// uncomment, if you want to add MVC
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
});
}
}
}
And I also give you part of my config
public static IEnumerable<Client> GetClients()
{
return new List<Client>()
{
new Client
{
ClientName = "Postman", //_configuration.GetSection("PostmanClient").GetValue<string>("ClientName"),
ClientId = "f26ee5d6-****.local.app", //_configuration.GetSection("PostmanClient").GetValue<string>("ClientId"),
AllowedGrantTypes = GrantTypes.Code,
AllowOfflineAccess = true,
IdentityTokenLifetime = 60 * 60 * 24,
AccessTokenLifetime = 60 * 60 * 24,
RedirectUris = new List<string>()
{
"https://www.getpostman.com/oauth2/callback"
},
PostLogoutRedirectUris = new List<string>()
{
"https://www.getpostman.com"
},
AllowedCorsOrigins = new List<string>()
{
"https://www.getpostman.com"
},
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"api",
"roles"
},
ClientSecrets = new List<Secret>
{
new Secret("123456".Sha256())
},
AllowAccessTokensViaBrowser = true,
RequireConsent = false,
EnableLocalLogin = true,
Enabled = true
}
};
}
And I can give you this also
{
"issuer": "https://localhost:44367",
"jwks_uri": "https://localhost:44367/.well-known/openid-configuration/jwks",
"authorization_endpoint": "https://localhost:44367/connect/authorize",
"token_endpoint": "https://localhost:44367/connect/token",
"userinfo_endpoint": "https://localhost:44367/connect/userinfo",
"end_session_endpoint": "https://localhost:44367/connect/endsession",
"check_session_iframe": "https://localhost:44367/connect/checksession",
"revocation_endpoint": "https://localhost:44367/connect/revocation",
"introspection_endpoint": "https://localhost:44367/connect/introspect",
"device_authorization_endpoint": "https://localhost:44367/connect/deviceauthorization",
"frontchannel_logout_supported": true,
"frontchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"scopes_supported": [
"openid",
"profile",
"roles",
"oygapi",
"offline_access"
],
"claims_supported": [
"sub",
"name",
"family_name",
"given_name",
"middle_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"birthdate",
"zoneinfo",
"locale",
"updated_at",
"role"
],
"grant_types_supported": [
"authorization_code",
"client_credentials",
"refresh_token",
"implicit",
"password",
"urn:ietf:params:oauth:grant-type:device_code"
],
"response_types_supported": [
"code",
"token",
"id_token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"response_modes_supported": [
"form_post",
"query",
"fragment"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"subject_types_supported": [
"public"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"request_parameter_supported": true
}
And the logs has requested:
[09:22:07 Information]
Starting host...
[09:22:13 Information] IdentityServer4.Startup
Starting IdentityServer4 version 3.0.1.0
[09:22:13 Information] IdentityServer4.Startup
You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.
[09:22:13 Information] IdentityServer4.Startup
Using the default authentication scheme idsrv for IdentityServer
[09:22:13 Debug] IdentityServer4.Startup
Using idsrv as default ASP.NET Core scheme for authentication
[09:22:13 Debug] IdentityServer4.Startup
Using idsrv as default ASP.NET Core scheme for sign-in
[09:22:13 Debug] IdentityServer4.Startup
Using idsrv as default ASP.NET Core scheme for sign-out
[09:22:13 Debug] IdentityServer4.Startup
Using idsrv as default ASP.NET Core scheme for challenge
[09:22:13 Debug] IdentityServer4.Startup
Using idsrv as default ASP.NET Core scheme for forbid
[09:22:15 Debug] IdentityServer4.Startup
Login Url: /Account/Login
[09:22:15 Debug] IdentityServer4.Startup
Login Return Url Parameter: ReturnUrl
[09:22:15 Debug] IdentityServer4.Startup
Logout Url: /Account/Logout
[09:22:15 Debug] IdentityServer4.Startup
ConsentUrl Url: /consent
[09:22:15 Debug] IdentityServer4.Startup
Consent Return Url Parameter: returnUrl
[09:22:15 Debug] IdentityServer4.Startup
Error Url: /home/error
[09:22:15 Debug] IdentityServer4.Startup
Error Id Parameter: errorId
[09:22:15 Debug] IdentityServer4.Hosting.EndpointRouter
Request path /.well-known/openid-configuration matched to endpoint type Discovery
[09:22:15 Debug] IdentityServer4.Hosting.EndpointRouter
Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
[09:22:15 Information] IdentityServer4.Hosting.IdentityServerMiddleware
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
[09:22:15 Debug] IdentityServer4.Endpoints.DiscoveryEndpoint
Start discovery request
[09:22:29 Debug] IdentityServer4.Hosting.EndpointRouter
Request path /connect/authorize matched to endpoint type Authorize
[09:22:29 Debug] IdentityServer4.Hosting.EndpointRouter
Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeEndpoint
[09:22:29 Information] IdentityServer4.Hosting.IdentityServerMiddleware
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[09:22:29 Debug] IdentityServer4.Endpoints.AuthorizeEndpoint
Start authorize request
[09:22:30 Debug] IdentityServer4.Endpoints.AuthorizeEndpoint
No user present in authorize request
[09:22:30 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation
[09:22:30 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:30 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Checking for PKCE parameters
[09:22:30 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
No PKCE used.
[09:22:30 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[09:22:30 Debug] IdentityServer4.Endpoints.AuthorizeEndpoint
ValidatedAuthorizeRequest
{"ClientId": "f26ee5d6-de33-4375-bc79-54550efa43d9.local.app", "ClientName": "Postman", "RedirectUri": "https://www.getpostman.com/oauth2/callback", "AllowedRedirectUris": ["https://www.getpostman.com/oauth2/callback"], "SubjectId": "anonymous", "ResponseType": "code", "ResponseMode": "query", "GrantType": "authorization_code", "RequestedScopes": "openid profile", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"response_type": "code", "state": "", "client_id": "f26ee5d6-de33-4375-bc79-54550efa43d9.local.app", "scope": "openid profile", "redirect_uri": "https://www.getpostman.com/oauth2/callback"}, "$type": "AuthorizeRequestValidationLog"}
[09:22:30 Information] IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator
Showing login: User is not authenticated
[09:22:30 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation
[09:22:30 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:30 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Checking for PKCE parameters
[09:22:30 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
No PKCE used.
[09:22:30 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[09:22:30 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:39 Debug] IdentityServer4.Hosting.CorsPolicyProvider
CORS request made for path: /Account/Login from origin: null but was ignored because path was not for an allowed IdentityServer CORS endpoint
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation
[09:22:39 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Checking for PKCE parameters
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
No PKCE used.
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[09:22:39 Debug] IdentityServer4.Hosting.IdentityServerAuthenticationService
Augmenting SignInContext
[09:22:39 Debug] IdentityServer4.Hosting.IdentityServerAuthenticationService
Adding idp claim with value: local
[09:22:39 Debug] IdentityServer4.Hosting.IdentityServerAuthenticationService
Adding amr claim with value: pwd
[09:22:39 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: idsrv signed in.
[09:22:39 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:39 Debug] IdentityServer4.Hosting.EndpointRouter
Request path /connect/authorize/callback matched to endpoint type Authorize
[09:22:39 Debug] IdentityServer4.Hosting.EndpointRouter
Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
[09:22:39 Information] IdentityServer4.Hosting.IdentityServerMiddleware
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback
[09:22:39 Debug] IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
Start authorize callback request
[09:22:39 Debug] IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
No user present in authorize request
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation
[09:22:39 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Checking for PKCE parameters
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
No PKCE used.
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[09:22:39 Debug] IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
ValidatedAuthorizeRequest
{"ClientId": "f26ee5d6-de33-4375-bc79-54550efa43d9.local.app", "ClientName": "Postman", "RedirectUri": "https://www.getpostman.com/oauth2/callback", "AllowedRedirectUris": ["https://www.getpostman.com/oauth2/callback"], "SubjectId": "anonymous", "ResponseType": "code", "ResponseMode": "query", "GrantType": "authorization_code", "RequestedScopes": "openid profile", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"response_type": "code", "state": "", "client_id": "f26ee5d6-de33-4375-bc79-54550efa43d9.local.app", "scope": "openid profile", "redirect_uri": "https://www.getpostman.com/oauth2/callback"}, "$type": "AuthorizeRequestValidationLog"}
[09:22:39 Information] IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator
Showing login: User is not authenticated
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation
[09:22:39 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Checking for PKCE parameters
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
No PKCE used.
[09:22:39 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[09:22:39 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:46 Debug] IdentityServer4.Hosting.CorsPolicyProvider
CORS request made for path: /Account/Login from origin: null but was ignored because path was not for an allowed IdentityServer CORS endpoint
[09:22:46 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation
[09:22:46 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:46 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Checking for PKCE parameters
[09:22:46 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
No PKCE used.
[09:22:46 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[09:22:46 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation
[09:22:46 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
[09:22:46 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Checking for PKCE parameters
[09:22:46 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
No PKCE used.
[09:22:46 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[09:22:46 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client f26ee5d6-de33-4375-bc79-54550efa43d9.local.app succeeded.
I'm using Tyk 2.2.0 as an api management oauth2, basic, I need to add the client_credentials oauth2 flow as an allowed_access_types.
I made the following changes in order to generate an access token via this new oauth2 access type:
Create a Tyk Api:
{
"name": "api_oauth_v2_oauth2",
"api_id": "openApi",
"org_id": "",
"definition": {
"location": "header",
"key": "version"
},
"use_oauth2": true,
"oauth_meta": {
"allowed_access_types": [
"authorization_code",
"refresh_token",
"client_credentials"
],
"allowed_authorize_types": [
"code",
"token"
],
"auth_login_redirect": "https://www.dev.docapost.io/dashboard/page/external/client/authorize"
},
"notifications": {
"shared_secret": "",
"oauth_on_keychange_url": "http://provisioning:8080/newton-provisioning-web/v1/external/notify"
},
"version_data": {
"not_versioned": true,
"versions": {
"Default": {
"name": "Default",
"expires": "3000-01-02 15:04",
"use_extended_paths": true,
"extended_paths": {
"ignored": [],
"white_list": [
{"path":"/users/mobiles/{smartPhoneId}/{pushToken}","method_actions":{"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/users","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/objects/boxnumber/{boxNumber}/serialnumber/{serialNumber}","method_actions":{"PUT":{"action":"no_action"},"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/objects","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},
{"path":"/data/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"}}},
{"path":"/data","method_actions":{"POST":{"action":"no_action"}}},
{"path":"/shares","method_actions":{"GET":{"action":"no_action"},"POST":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/subscriptions/preconditions","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/subscriptions/{id}/suspend","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/subscriptions/{id}/configure","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/subscriptions/{id}/resume","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/subscriptions/{id}/cancel","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/subscriptions","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},
{"path":"/objectmodels/{id}/partnerUri","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/objectmodels","method_actions":{"POST":{"action":"no_action"},"GET":{"action":"no_action"}}},
{"path":"/action","method_actions":{"POST":{"action":"no_action"}}},
{"path":"/organizations/repositories","method_actions":{"GET":{"action":"no_action"},"PUT":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/repositories/{repositoryName}","method_actions":{"GET":{"action":"no_action"},"DELETE":{"action":"no_action"}}},
{"path":"/repositories","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/buckets/boxnumber/{boxNumber}/serialnumber/{serialNumber}/code/{code}","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/offers","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/pictures","method_actions":{"GET":{"action":"no_action"}}},
{"path":"/authentication/two-factor/code/{code}","method_actions":{"PUT":{"action":"no_action"}}},
{"path":"/authentication/two-factor/code","method_actions":{"POST":{"action":"no_action"}}},
{"path":"/scripts/{serviceName}/{functionName}","method_actions":{"POST":{"action":"no_action"}}} ],
"black_list": []
}
}
}
},
"proxy": {
"listen_path": "/hub/v2/",
"target_url": "http://mediation:8080/mediation-api/v2/",
"strip_listen_path": true
},
"enable_batch_request_support": false
}
add tyk policy to this new api openApi:
{
"default": {
"access_rights": {
"openApi": {
"allowed_urls": [],
"api_id": "openApi",
"api_name": "moussiApi",
"versions": [
"Default"
]
}
},
"active": true,
"name": "default",
"rate": 100,
"per": 1,
"quota_max": 10000,
"quota_renewal_rate": 3600,
"tags": ["Startup Users"]
}
}
modify tyk.conf to attach policies by adding this lines
{"policies": {
"policy_source": "file”,
"policy_record_name": "./policies/policies.json"
}
}
Reload Tyk configuration
curl -X GET \
http://localhost:8082/tyk/reload/
-H 'x-tyk-authorization: 352d20ee67be67f6341b4c0605b044b8'
Create new Oauth Client with new Api
curl -X POST \
http://localhost:8082/tyk/oauth/clients/create
-H 'content-type: application/json'
-H 'x-tyk-authorization: 352d20ee67be67f6341b4c0605b044b8'
-d '{
"api_id": "openApi",
"redirect_uri": "http://www.myuri.fr"
}'
generate Access Token:
curl -X POST \ http://localhost:8082/hub/v2/oauth/token/ -H 'authorization: Basic MGFmYjBmYWUzYmZkNDNlZDQ0YzhjYTlkNWFiYWIwN2E6T0dKaU5qVXhZak10WXpObU9DMDBZVFkwTFRZME1HUXRabVZoT1dRMU1qTTBNalk0' -H 'content-type: application/x-www-form-urlencoded' -d 'client_id=0afb0fae3bfd43ed44c8ca9d5abab07a&client_secret=OGJiNjUxYjMtYzNmOC00YTY0LTY0MGQtZmVhOWQ1MjM0MjY4&grant_type=client_credentials'
Unfortuanately I got this error while generating access token with client_credentials grant type:
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."}
time="Jan 8 13:29:53" level=info msg="Getting client ID:0afb0fae3bfd43ed44c8ca9d5abab07a"
time="Jan 8 13:29:54" level=info msg="[OAuth] Generating new token"
time="Jan 8 13:29:54" level=error msg="ERROR: Couldn't use policy or key rules to create token, failing"
logs
time="Jan 10 08:45:54" level=info msg="Initiating reload"
time="Jan 10 08:45:54" level=info msg="Reload URL Structure - Scheduled"
time="Jan 10 08:46:04" level=info msg="Loading API Specification from /USR/newtprod/tyk/apps/app_api_oauth_v2_oauth2.json"
time="Jan 10 08:46:04" level=info msg="Detected 1 APIs"
time="Jan 10 08:46:04" level=info msg="Loading API configurations."
time="Jan 10 08:46:04" level=info msg="--> Loading API: api_oauth_v2_oauth2"
time="Jan 10 08:46:04" level=info msg="----> Tracking: (no host)"
time="Jan 10 08:46:04" level=info msg="----> Checking security policy: OAuth"
time="Jan 10 08:46:04" level=info msg="----> Setting Listen Path: /hub/v2/"
time="Jan 10 08:46:04" level=info msg="Loading uptime tests..."
time="Jan 10 08:46:04" level=info msg="Initialised API Definitions"
time="Jan 10 08:46:04" level=info msg="API reload complete"
time="Jan 10 08:59:24" level=info msg="Getting client ID:14b2ac609a35405169ee3804db1ab406"
time="Jan 10 08:59:24" level=info msg="[OAuth] Generating new token"
time="Jan 10 08:59:24" level=error msg="ERROR: Couldn't use policy or key rules to create token, failing"
Any idea please.
Thanks
I have just completed a full authentication with this Oauth2 access flow.
be attention you may have to restart the tyk service, a simple reload
does not load new policies into memory.
I illustrated this in an article that I posted a few days ago.
https://dzone.com/articles/tyk-management-api-oauth2-client-credentials-flow