wso2 / product-apim


API Manager 3.2.0 and Keycloak - Unclassified Authentication Failure #9286

Open molinab297-unisys opened 4 years ago

molinab297-unisys commented 4 years ago

Description:

Hello, I'm trying to configure API Manager 3.2.0 to use Keycloak. I followed the instructions here, however when I use API Manager to generate an access token and then try to access my API, I get the following error:

$ curl -X GET "https://localhost:8243/petstore/1.0.0/" -H "accept: application/xml" -H "Authorization: Bearer eyJh.." -k

<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900900</ams:code><ams:message>Unclassified Authentication Failure</ams:message><ams:description>Error while accessing backend services for API key validation</ams:description></ams:fault>

In the wso2-apigw-errors.log file, I see this:

TID: [-1234] [] [2020-09-21 00:34:51,355] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Unclassified Authentication Failure org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:438)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:418)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:354)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:325)
        at org.apache.synapse.rest.API.process(API.java:373)
        at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:144)
        at org.apache.synapse.rest.RESTRequestHandler.identifyAPI(RESTRequestHandler.java:164)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:73)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:331)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:99)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:188)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)

Am I missing something? It seems that my API Manager can communicate with Keycloak, as it can create clients and generate access tokens just fine. But I get this error whenever I make a request to my backend API using a JWT that was generated by Keycloak. If I use the built-in "Resident Key Manager" to generate a JWT and then use that, everything works just fine. Do I need to import any other Keycloak certificates other than the SSL cert that the instructions say to import? Or does API Manager make a request to Keycloak to validate the incoming JWT?

Steps to reproduce:

1. Follow the Configure Keycloak as a Key Manager instructions here.
2. Create an API and Application, then have that Application subscribe to the API.
3. Under the Production keys > keycloak tab, generate an access token.
4. Make a request to the gateway with that access token.

Affected Product Version:

3.2.0


CrowleyRajapakse commented 4 years ago

Hi @molinab297-unisys, is it possible for you to share the wso2carbon.log as well, if you see any errors relevant to the above scenario?

molinab297-unisys commented 4 years ago

Hi @CrowleyRajapakse, it contains the same exception. Here's a snippet from wso2carbon.log:

TID: [-1234] [] [2020-09-22 10:47:55,014]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the keyManager topic...
TID: [-1234] [] [2020-09-22 10:47:55,193]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the throttleData topic...
TID: [-1234] [] [2020-09-22 10:47:55,275]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the tokenRevocation topic...
TID: [-1234] [] [2020-09-22 10:47:55,282]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the cacheInvalidation topic...
TID: [-1234] [] [2020-09-22 10:47:55,296]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the notification topic...
TID: [-1234] [] [2020-09-22 10:47:55,326]  INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - Server           :  WSO2 API Manager-3.2.0
TID: [-1234] [] [2020-09-22 10:47:55,327]  INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - WSO2 Carbon started in 76 sec
TID: [-1] [] [2020-09-22 10:47:56,081]  INFO {org.wso2.callhome.CallHomeExecutor} -
.............................................................................
There are 48 updates available for the product 'wso2am-3.2.0'.[WARNING] There
are 6 critical security updates for the product 'wso2am-3.2.0'. WSO2 strongly
recommends to apply these updates in production as soon as possible.
.............................................................................
TID: [-1] [] [2020-09-22 10:47:56,611]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#cacheInvalidation was successful!
TID: [-1] [] [2020-09-22 10:47:56,612]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#keyManager was successful!
TID: [-1] [] [2020-09-22 10:47:56,626]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#notification was successful!
TID: [-1] [] [2020-09-22 10:47:56,627]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#throttleData was successful!
TID: [-1] [] [2020-09-22 10:47:56,635]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1] [] [2020-09-22 10:47:56,664]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1] [] [2020-09-22 10:47:56,677]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1] [] [2020-09-22 10:47:56,684]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1] [] [2020-09-22 10:47:56,782]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#tokenRevocation was successful!
TID: [-1] [] [2020-09-22 10:47:56,789]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1234] [] [2020-09-22 10:47:56,926]  INFO {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} - Mgt Console URL  : https://localhost:9443/carbon/
TID: [-1234] [] [2020-09-22 10:47:56,926]  INFO {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} - API Developer Portal Default Context : https://localhost:9443/devportal
TID: [-1234] [] [2020-09-22 10:47:56,926]  INFO {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} - API Publisher Default Context : https://localhost:9443/publisher
TID: [-1234] [internal/data/v1] [2020-09-22 10:47:57,174]  INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - An instance of org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl is created for Identity OAuth token generation.
TID: [-1] [] [2020-09-22 10:47:57,216]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : notification
TID: [-1] [] [2020-09-22 10:47:57,216]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : keyManager
TID: [-1] [] [2020-09-22 10:47:57,356]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : cacheInvalidation
TID: [-1] [] [2020-09-22 10:47:57,451]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : tokenRevocation
TID: [-1] [] [2020-09-22 10:47:57,478]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : throttleData
TID: [-1] [] [2020-09-22 10:47:59,648]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : cacheInvalidation of type topic for listener Siddhi-JMS-Consumer#cacheInvalidation have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:47:59,666]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : throttleData of type topic for listener Siddhi-JMS-Consumer#throttleData have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:47:59,683]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : notification of type topic for listener Siddhi-JMS-Consumer#notification have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:47:59,690]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : keyManager of type topic for listener Siddhi-JMS-Consumer#keyManager have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:47:59,794]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : tokenRevocation of type topic for listener Siddhi-JMS-Consumer#tokenRevocation have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:48:46,929]  WARN {org.apache.synapse.transport.http.access.AccessConfiguration} - Error loading properties from file: access-log.properties
TID: [-1] [] [2020-09-22 10:48:46,934]  WARN {org.apache.synapse.commons.util.MiscellaneousUtil} - Error loading properties from a file at from the System defined location: access-log.properties
TID: [-1] [] [2020-09-22 10:48:46,938]  WARN {org.apache.synapse.commons.util.MiscellaneousUtil} - Error loading properties from a file at from the System defined location: access-log.properties
TID: [-1234] [] [2020-09-22 10:48:47,147]  INFO {org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler} - org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler Initialised
TID: [-1234] [] [2020-09-22 10:48:47,400] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Unclassified Authentication Failure org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:438)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:418)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:354)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:325)
        at org.apache.synapse.rest.API.process(API.java:373)
        at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:144)
        at org.apache.synapse.rest.RESTRequestHandler.identifyAPI(RESTRequestHandler.java:164)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:73)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:331)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:99)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:188)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)

I think the problem is that API Manager isn't able to validate the JWT for some reason. How does it do that? Does it use the public certificate from Keycloak to validate the JWT just like API Microgateway?

CrowleyRajapakse commented 4 years ago

Hi @molinab297-unisys, when defining the Keycloak key manager from the admin console, can you select the Token Validation Method as "Self validate JWT"? And yes, we use the issuer certificate provided when configuring Keycloak from the admin console to validate the signature of the JWT token.

[screenshot attached: "Screenshot 2020-09-23 at 12 58 03"]

molinab297-unisys commented 4 years ago

Hi @CrowleyRajapakse, thanks for your help.

I retrieved the issuer certificate from Keycloak by making the following request:

curl -L -k -X GET https://localhost:9991/auth/realms/master/protocol/openid-connect/certs

and then I extracted the certificate from the 'x5c' field and put it in a 'keycloak.crt' file. Then I converted that crt file into a 'pem' file and copied the contents into the API Manager:

[screenshot attached: "Capture"]

Then I go to my Application in API Manager, select Production Keys, then Keycloak and generate a JWT:

[screenshot attached: "Capture2"]

I still get the following error whenever I make a request to my backend API with that JWT:

$ curl -X GET "https://localhost:8243/petstore/1.0.0/" -H "accept: application/xml" -H "Authorization: Bearer eyJh.." -k

<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900900</ams:code><ams:message>Unclassified Authentication Failure</ams:message><ams:description>Error while accessing backend services for API key validation</ams:description></ams:fault>

However like I said earlier, if I use a JWT generated by the Resident Key Manager, it works.

tharindu1st commented 4 years ago

@molinab297-unisys Can you try giving the JWKS endpoint as mentioned above and try the same scenario?
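The thread turns on what "Self validate JWT" means in practice: the gateway does not call Keycloak per request; it resolves the token's `kid` against the issuer's JWKS (or the pasted issuer certificate), checks the RS256 signature locally, and then checks `iss` and `exp`. The script below is an added example written for this page, not code from the issue or from WSO2 API Manager, and it covers both the `x5c`-to-PEM step the reporter describes and the JWKS-based validation suggested above. It is stdlib-only: the RSA key pair, the JWKS document, the token and the issuer URL are all constructed inline (the issuer and `kid` values are assumed placeholders), and the pure-Python RSA is for demonstration, not for production use.

```python
"""Added example: local (self) validation of an RS256 JWT against a JWKS.
Not part of the WSO2 issue or product; key, JWKS, token and issuer URL are constructed here."""
import base64, hashlib, json, random, time

ISSUER = "https://keycloak.example/auth/realms/master"  # assumed placeholder issuer

# ---- minimal RSA key generation (pure Python, demonstration only) ----------
def _is_probable_prime(n, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(c):
            return c

def generate_rsa(bits=1024):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so this means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

# ---- base64url / JWK helpers ------------------------------------------------
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def int_to_b64u(i): return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
def b64u_to_int(s): return int.from_bytes(b64u_dec(s), "big")

def jwks_from_key(key, kid):
    """Build the kind of JWKS document an OpenID Connect 'certs' endpoint serves."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": int_to_b64u(key["n"]), "e": int_to_b64u(key["e"])}]}

def x5c_to_pem(x5c_entry):
    """Wrap the base64 DER certificate from a JWKS 'x5c' entry as PEM (64-char lines)."""
    body = "\n".join(x5c_entry[i:i + 64] for i in range(0, len(x5c_entry), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

# ---- RS256 = RSASSA-PKCS1-v1_5 over SHA-256 ---------------------------------
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_jwt(claims, key, kid):
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    enc = lambda o: b64u(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(signing_input.encode(), k), key["d"], key["n"])
    return signing_input + "." + b64u(sig.to_bytes(k, "big"))

def validate_jwt(token, jwks, expected_issuer, now=None):
    """Return the claims if signature, issuer and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64u_dec(h))
    if header.get("alg") != "RS256":             # reject 'none', HS*, anything unexpected
        raise ValueError("unsupported alg %r" % header.get("alg"))
    jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no RSA key with kid %r in JWKS" % header.get("kid"))
    n, e = b64u_to_int(jwk["n"]), b64u_to_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    sig = b64u_dec(s)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != _emsa_pkcs1_v15((h + "." + p).encode(), k):
        raise ValueError("signature does not verify")
    claims = json.loads(b64u_dec(p))             # only trust the payload after the signature passed
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now:
        raise ValueError("token expired or missing exp")
    return claims

def demo():
    """Valid token passes; a tampered payload and an unknown kid (rotated/wrong issuer key) fail."""
    key, kid, now = generate_rsa(1024), "demo-kid", 1_600_000_000
    jwks = jwks_from_key(key, kid)
    token = sign_jwt({"iss": ISSUER, "sub": "app-1", "exp": now + 300}, key, kid)
    good = validate_jwt(token, jwks, ISSUER, now=now)
    h, _, s = token.split(".")
    forged = h + "." + b64u(json.dumps({"iss": ISSUER, "sub": "admin", "exp": now + 300}).encode()) + "." + s
    results = {"sub": good["sub"]}
    for name, tok, keys in (("tampered_rejected", forged, jwks),
                            ("unknown_kid_rejected", token, jwks_from_key(generate_rsa(1024), "other-kid"))):
        try:
            validate_jwt(tok, keys, ISSUER, now=now); results[name] = False
        except ValueError:
            results[name] = True
    return results

if __name__ == "__main__":
    print(demo())
```

`demo()` is the part worth reading: the same token is accepted against the JWKS that carries its `kid` and rejected once the JWKS holds a different key, which is exactly the symptom in this thread when the certificate or JWKS configured in the key manager does not match the key Keycloak actually signs with.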

matc4 commented 3 years ago

I have the same problem. Any news on this?

akshay-k28 commented 3 years ago

Hi @molinab297-unisys, I am also facing the same issue. Can you please let me know if you were able to resolve the above issue?

afshinsharafi commented 3 months ago

I have this problem too.

givemesumthing commented 1 month ago

I am facing the same issue with WSO2 APIM 2.1.0 & Keycloak.