wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Cannot login to console post-migration to v7.0 #19946

Closed sanjulamadurapperuma closed 4 months ago

sanjulamadurapperuma commented 9 months ago

Describe the issue:

After a successful migration from v6.1.0 to v7.0.0, starting up the server, and entering the admin credentials to the console, the page is stuck at loading and the following error is thrown at the backend signifying that the role-related tables (i.e. UM_HYBRID_ROLE) have not been migrated properly.

ERROR {org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint} - Error occurred while validating requested scopes. org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error while validating policies roles from authorization service.
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.getAuthorizedScopes(DefaultOAuth2ScopeValidator.java:209)
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.validateScope(DefaultOAuth2ScopeValidator.java:103)
    at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.getAuthorizedScopes(AuthorizationHandlerManager.java:395)
    at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.validateRequestedScopes(AuthorizationHandlerManager.java:303)
    at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.validateScopesBeforeConsent(AuthorizationHandlerManager.java:223)
    at org.wso2.carbon.identity.oauth2.OAuth2Service.validateScopesBeforeConsent(OAuth2Service.java:192)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.validateScopesBeforeConsent(OAuth2AuthzEndpoint.java:2934)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.doUserAuthorization(OAuth2AuthzEndpoint.java:2850)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleSuccessfulAuthentication(OAuth2AuthzEndpoint.java:1232)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleAuthenticationResponse(OAuth2AuthzEndpoint.java:1180)
    at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:365)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:222)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:529)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:279)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:661)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:425)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:357)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:294)
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:147)
    at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:123)
    at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38)
    at org.wso2.carbon.identity.cors.valve.CORSValve.invoke(CORSValve.java:83)
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:211)
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:120)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:110)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:71)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152)
    at org.wso2.carbon.extension.identity.x509Certificate.valve.X509CertificateAuthenticationValve.invoke(X509CertificateAuthenticationValve.java:59)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63)
    at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandlerException: Error while validation scope with RBAC Scope Validation handler
    at org.wso2.carbon.identity.oauth2.validators.validationhandler.impl.RoleBasedScopeValidationHandler.validateScopes(RoleBasedScopeValidationHandler.java:98)
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.getAuthorizedScopes(DefaultOAuth2ScopeValidator.java:206)
    ... 66 more
Caused by: org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error occurred while retrieving group id for group : admin
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getUserGroups(AuthzUtil.java:403)
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getRoles(AuthzUtil.java:127)
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getUserRoles(AuthzUtil.java:99)
    at org.wso2.carbon.identity.oauth2.validators.validationhandler.impl.RoleBasedScopeValidationHandler.validateScopes(RoleBasedScopeValidationHandler.java:66)
    ... 67 more
Caused by: org.wso2.carbon.user.core.UserStoreException: Error occurred while retrieving group id for group : admin
    at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:261)
    at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getGroupListOfUser(AbstractUserStoreManager.java:17400)
    at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getGroupListOfUser(AbstractUserStoreManager.java:18310)
    at org.wso2.carbon.identity.oauth2.util.AuthzUtil.getUserGroups(AuthzUtil.java:387)
    ... 70 more
Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:242)
    ... 73 more
Caused by: java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.wso2.carbon.user.core.common.AbstractUserStoreManager$2.run(AbstractUserStoreManager.java:245)
    ... 75 more
Caused by: org.wso2.carbon.user.core.UserStoreException: Error occurred while retrieving group id for group : admin
    at org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager.doGetGroupFromGroupName(UniqueIDJDBCUserStoreManager.java:3657)
    at org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager.doGetGroupListOfUser(UniqueIDJDBCUserStoreManager.java:3737)
    at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getGroupListOfUser(AbstractUserStoreManager.java:17443)
    ... 80 more
Caused by: java.sql.SQLSyntaxErrorException: Unknown column 'UM_ROLE_UUID' in 'field list'
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:118)
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95)
    at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
    at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960)
    at com.mysql.cj.jdbc.ClientPreparedStatement.executeQuery(ClientPreparedStatement.java:1019)
    at jdk.internal.reflect.GeneratedMethodAccessor45.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.tomcat.jdbc.pool.StatementFacade$StatementProxy.invoke(StatementFacade.java:118)
    at com.sun.proxy.$Proxy49.executeQuery(Unknown Source)
    at org.wso2.carbon.user.core.jdbc.UniqueIDJDBCUserStoreManager.doGetGroupFromGroupName(UniqueIDJDBCUserStoreManager.java:3641)
    ... 82 more

sadilchamishka commented 9 months ago

Let's try adding below config.

[user_store]
type = "database_unique_id"
properties.GroupIDEnabled = false

sanjulamadurapperuma commented 9 months ago

Thanks @sadilchamishka, adding the above configuration prior to performing the migration helped mitigate the issue. Hope this will be added to the official migration documentation.

mpmadhavig commented 6 months ago

Kind reminder to add this to official docs.

UdeshAthukorala commented 6 months ago

Related Migration Task: https://github.com/wso2/product-is/issues/19787

UdeshAthukorala commented 6 months ago

This was already added to the what has changed section: https://github.com/wso2-enterprise/migration-docs/blob/main/identity-server/migration-docs/is-7.0.0/what-has-changed.md#providing-group-unique-id-support

Since we are planning to provide a migration client (https://github.com/wso2/product-is/issues/19787) as well for the group unique id migration, for now I think it is enough to mention this in the what has changed section.
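
Added example, not part of the thread and not WSO2 code: the top-level error in the report only mentions a scope-validation failure, while the actionable fact (the 7.0 code queries a column the migrated schema lacks) is the last `Caused by` entry. The Python below walks that chain and flags the schema mismatch; the function names and the abbreviated sample log are constructed for illustration, and the `Unknown column` pattern is MySQL's wording as it appears in this trace.

```python
import re

# Constructed sample: the "Caused by" chain from the trace in this issue,
# with most stack frames dropped.
SAMPLE_LOG = """\
ERROR {org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint} - Error occurred while validating requested scopes.
    at org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator.getAuthorizedScopes(DefaultOAuth2ScopeValidator.java:209)
Caused by: org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandlerException: Error while validation scope with RBAC Scope Validation handler
    ... 66 more
Caused by: org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error occurred while retrieving group id for group : admin
    ... 67 more
Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
    ... 73 more
Caused by: java.lang.reflect.InvocationTargetException
    ... 75 more
Caused by: org.wso2.carbon.user.core.UserStoreException: Error occurred while retrieving group id for group : admin
    ... 80 more
Caused by: java.sql.SQLSyntaxErrorException: Unknown column 'UM_ROLE_UUID' in 'field list'
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:118)
    ... 82 more
"""

# "Caused by: <class>" with an optional ": <message>" tail.
CAUSED_BY = re.compile(r"^Caused by: (?P<cls>[\w.$]+)(?:: (?P<msg>.*))?$")
# MySQL phrasing (assumption: other databases word this error differently).
UNKNOWN_COLUMN = re.compile(r"Unknown column '(?P<col>[^']+)'")


def cause_chain(log_text):
    """Return the 'Caused by' entries as (class, message), outermost first."""
    chain = []
    for line in log_text.splitlines():
        m = CAUSED_BY.match(line.strip())
        if m:
            chain.append((m.group("cls"), m.group("msg") or ""))
    return chain


def root_cause(log_text):
    """Innermost cause, or None when the text has no 'Caused by' line."""
    chain = cause_chain(log_text)
    return chain[-1] if chain else None


def missing_columns(log_text):
    """Columns the running code queried that the database does not have."""
    cols = []
    for cls, msg in cause_chain(log_text):
        m = UNKNOWN_COLUMN.search(msg)
        if cls.endswith("SQLSyntaxErrorException") and m:
            if m.group("col") not in cols:
                cols.append(m.group("col"))
    return cols
```

A non-empty result from `missing_columns` after an upgrade points at a schema the migration did not bring up to the level the new code expects, which is the condition the `GroupIDEnabled = false` setting works around in this thread.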