Access Delegation — OAuth 2.0 sample WSO2
Recently I was working through one of the is-samples — Access Delegation - OAuth 2.0.
I was using wso2is-5.11.0. To make the sample compatible with the IS version I was using, there were a few steps I had to perform in addition to the tutorial. I thought I would note them here.
The scenario of the sample is as below (extracted from the WSO2 tutorial).
The steps instruct you to:
1. Set up Tomcat and install a web app (pickup-dispatch).
2. Configure the application as a service provider in IS.
3. Configure inbound authentication and use the generated OAuth Client Key and OAuth Client Secret as the consumer key and consumer secret in the web app.
4. Download and set up backend-service.jar.
5. Start the back-end service with introspectionEnabled set to true.
6. Run the application and test out the scenario.
1. You get this error in the Catalina console when invoking the service. Basically, it fails right after the admin credentials are read (for user consent).
26-Jun-2022 22:40:31.723 INFO [localhost-startStop-1] org.wso2.sample.identity.jks.JKSLoader.contextInitialized Setting trust store path to : <Home>/apache-tomcat-8.5.81/webapps/pickup-dispatch/WEB-INF/classes/wso2carbon.jks
This is because the sample was bundled with older security files (the keystore), but I was using the latest IS.
As a quick hack we replaced the above wso2carbon.jks with the one shipped in IS.
cp <IS_HOME>/repository/resources/security/wso2carbon.jks <Tomcat_Home>/webapps/pickup-dispatch/WEB-INF/classes
2. The first time my app accessed the back-end service I got this NoClassDefFoundError.
I was on JDK 11 and had to switch to JDK 8.
3. After the above, you get the error below when you click 'add' booking with backend-service enabled.
The reason is again that backend-service.jar is using an older jks. We checked out the sample from samples-is/etc/backend-service, copied the latest jks to samples-is/etc/resources/ and built the jar again. That resolved the problem.
4. After fixing the above, you get another error while adding a booking; in the back-end it is raised while calling the token introspection endpoint.
2022–06–27 18:08:20 ERROR IntrospectionHandler:107 — Error while calling token introspection endpoint
java.io.IOException: Server returned HTTP response code: 403 for URL: https://localhost:9443/oauth2/introspect
The reason is that wso2is-5.11.0 also has a scope requirement when a bearer token is used to invoke its APIs, and the token generated from pickup-dispatch does not carry a scope.
To overcome this we added the configuration below to the deployment.toml file. With this config that requirement is removed, so any caller holding any active access token can now call the introspection endpoint and there is no need to obtain a token with that scope.
permissions =
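The call that fails in step 4 is an RFC 7662 token introspection request to the IS endpoint named in the log. The following is an added example (not code from the is-samples project) of a minimal introspection client that reports the 403 case explicitly and, on success, accepts a token only if it is active and carries the scope the back-end expects; the transport is injectable so the logic can be exercised offline, and the endpoint URL, the `Authorization` header value and the scope names are assumptions for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint taken from the error message in the post (assumption: default IS ports/paths).
INTROSPECT_URL = "https://localhost:9443/oauth2/introspect"


def _urllib_post(url, body, headers):
    """Default transport: POST with urllib, returning (status, body). The IS
    self-signed certificate must be trusted by the Python process for this to work."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def introspect(token, authorization, post=None):
    """RFC 7662 introspection: POST token=... with the caller's own credential
    (e.g. 'Basic <b64 client:secret>' or 'Bearer <token>') in Authorization.
    Returns the parsed JSON body; a 403 is surfaced as the IS scope/permission
    refusal described in the post rather than as a generic failure."""
    body = urllib.parse.urlencode({"token": token}).encode()
    headers = {
        "Authorization": authorization,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    status, raw = (post or _urllib_post)(INTROSPECT_URL, body, headers)
    if status == 403:
        raise PermissionError(
            "introspection refused (HTTP 403): the caller's credential lacks the "
            "scope/permission IS requires for /oauth2/introspect")
    if status != 200:
        raise RuntimeError(f"introspection failed with HTTP {status}")
    return json.loads(raw)


def token_allows(info, required_scope):
    """Accept only an active token whose space-separated scope list covers the
    scope the back-end API requires (assumed scope names are illustrative)."""
    if not info.get("active"):
        return False
    return required_scope in info.get("scope", "").split()
```

With a real IS instance, pass no `post` argument and a genuine `Authorization` header; the injected transport in the test below stands in for the server.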