wso2 / product-apim

Welcome to the WSO2 API Manager source code! For info on working with the WSO2 API Manager repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

[3.2.0] Subscription Events are not updated when using Cross Tenant Subscription #10276

Closed athiththan11 closed 3 years ago

athiththan11 commented 3 years ago

Description:

The following error response is observed in APIM 3.2.0 when trying to invoke an API with Cross Tenant Subscription. Please find the reproducing steps below.

<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
  <ams:code>900909</ams:code>
  <ams:message>The subscription to the API is inactive</ams:message>
  <ams:description>User is NOT authorized to access the Resource. API Subscription validation failed.</ams:description>
</ams:fault>

Steps to reproduce:

  1. Configure the API Manager with the following configurations to enable the Cross Tenant Subscription
    [apim.devportal]
    enable_cross_tenant_subscriptions = true
  2. Create two tenants (foo.com and bar.com)
  3. Log in to Foo tenant's Publisher using Foo Admin and publish an API named FooAPI and make the subscription visible to all tenants
  4. Log in to Foo tenant's Devportal using Bar Admin and create an Application in the Foo tenant and subscribe to the API
  5. Generate an Access Token and invoke the API

Affected Product Version:

athiththan11 commented 3 years ago

Description

The same behavior is reproduced when using the Subscription Approval workflow as well in API Manager v3.2.0. Please find the reproducing steps below.

Reproducing Steps

  1. Configure the API Manager with Cross Tenant Subscriptions by adding the following configurations in the deployment.toml

    [apim.devportal]
    enable_cross_tenant_subscriptions = true
  2. Create two tenants as foo.com and bar.com
  3. Configure both the tenants with Subscription approval workflow Docs
  4. Create and publish an API in each tenant with Cross Tenant Subscription availability
  5. Log in to Foo tenant's Devportal using Bar user and create an Application in the Foo tenant and subscribe to the API
  6. Log in to the Admin portal using the Bar credentials and approve the workflow
  7. Generate an Access Token and invoke the API

Observations

While performing the subscription from the Devportal, the events generated refer to the foo.com tenant, whereas when we approve the subscription workflow, the generated events refer to bar.com. Due to this inconsistent data in the tenants, the Subscription information is not updated in the GW nodes, and the above-mentioned error response is thrown when trying to invoke the API.

Product
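
A consistency check for the tenant mismatch described in the Observations above, as an added example that is not part of the original issue or of WSO2's code. It assumes a simplified model in which a gateway keeps subscription state per tenant domain; the event fields, state names and sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events; field and state names are hypothetical,
# not the WSO2 API Manager event schema.
SAMPLE_EVENTS = [
    # Subscription 1: created under foo.com, approved under bar.com (the reported case).
    {"op": "create", "subscription_id": 1, "tenant_domain": "foo.com", "state": "PENDING"},
    {"op": "update", "subscription_id": 1, "tenant_domain": "bar.com", "state": "ACTIVE"},
    # Subscription 2: both events carry the API's tenant (the consistent case).
    {"op": "create", "subscription_id": 2, "tenant_domain": "foo.com", "state": "PENDING"},
    {"op": "update", "subscription_id": 2, "tenant_domain": "foo.com", "state": "ACTIVE"},
]


def find_tenant_mismatches(events):
    """Return {subscription_id: sorted tenant domains} for subscriptions
    whose lifecycle events disagree on the tenant domain."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["subscription_id"]].add(ev["tenant_domain"])
    return {sid: sorted(t) for sid, t in seen.items() if len(t) > 1}


def apply_to_tenant_stores(events):
    """Assumed model: each event only touches the store of the tenant it names."""
    stores = defaultdict(dict)
    for ev in events:
        stores[ev["tenant_domain"]][ev["subscription_id"]] = ev["state"]
    return stores


def state_seen_by(stores, api_tenant, subscription_id):
    """State a lookup in the API's tenant store would return (None if absent)."""
    return stores.get(api_tenant, {}).get(subscription_id)


if __name__ == "__main__":
    stores = apply_to_tenant_stores(SAMPLE_EVENTS)
    for sid, tenants in find_tenant_mismatches(SAMPLE_EVENTS).items():
        print(f"subscription {sid}: events span tenants {tenants}; "
              f"foo.com store still holds {state_seen_by(stores, 'foo.com', sid)}")
```

In this model the approval recorded under bar.com never reaches the foo.com store, so a lookup for the API's tenant still returns the pre-approval state.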

CrowleyRajapakse commented 3 years ago

N/A for public branch