
I set up WSO2 APIM locally and added a simple HelloWorld API to my local Publisher (refer to this link). Then I created a sub tenant in the APIM Management Console. I enabled Subscription Availability for all tenants (refer to this link; I'm sure I enabled it because I can see the options in Publisher). I opened the Devportal. In the Tenant Developer Portals list, I selected carbon.super (in order to see my HelloWorld API, which was created by the supertenant admin) and then signed in with my subtenant id and password. I created my application and generated a key and secret. Then I subscribed to my HelloWorld API, which was created by the supertenant. Everything seems normal.

I can get JWT tokens for the supertenant admin and the subtenant admin. Here are the curl commands:

curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic N25..."

curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=admin@arda.test&password=12345&scope=openid" -H "Authorization: Basic SjM..."

The problem is, when I try to invoke the API with a request that includes the supertenant admin's token, I get a 200 OK response, but when I try to use the subtenant admin's JWT token, I get this error response:

<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
    <ams:code>900900</ams:code>
    <ams:message>Unclassified Authentication Failure</ams:message>
    <ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>

When I check the logs, I see this:

[2021-06-03 15:42:03,323] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:438) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:418) ~[org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:354) [org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:325) [org.wso2.carbon.apimgt.gateway_6.7.206.jar:?]
        at org.apache.synapse.rest.API.process(API.java:373) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
        at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:144) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
        at org.apache.synapse.rest.RESTRequestHandler.identifyAPI(RESTRequestHandler.java:164) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:73) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:331) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:99) [synapse-core_2.1.7.wso2v183.jar:2.1.7-wso2v183]
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v41.jar:?]
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v183.jar:?]
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:188) [synapse-nhttp-transport_2.1.7.wso2v183.jar:?]
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v41.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:834) [?:?]

The curl command which I used is this:

curl -k -X GET https://localhost:8243/hello/1.0.0 -H "Authorization: Bearer eyJ..."

What is the problem? Is this a bug, or what am I missing?

Wicaledon

1 Answer


If you are using the vanilla pack of APIM 3.2.0 (without WUM updates) this is expected. When we released the 3.2.0 version, with the new multiple KM architecture, the cross-tenant subscription feature was deprecated. It was added to 3.2.0 again after some time via a WUM update. If you have a WSO2 subscription, the latest WUM-updated pack has this feature and it is working.

This PR(https://github.com/wso2/carbon-apimgt/pull/9793) adds the feature to the 4.0.0 release.

Lakshitha
  • Thanks for the answer. But my question: we don't have a paid subscription, we are using the free version. Is the only solution to switch to 4.0.0? – Wicaledon Jun 14 '21 at 12:10
  • You can try applying the fix in the above PR to the source code relevant to the 3.2.0 version. – Lakshitha Jun 15 '21 at 10:28
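Before attributing a 900900 fault to the gateway, it helps to confirm that the call really is cross-tenant, i.e. that the token's subject belongs to a different tenant than the API's publisher. The decoder below is an added example written for this thread, not code from the post or from WSO2; it assumes the access token's `sub` claim carries the tenant-qualified username (`admin` or `admin@arda.test`), derives the tenant domain the way WSO2 does (the part after the last `@`, defaulting to `carbon.super`), and uses a constructed, unsigned sample token so it runs offline.

```python
import base64
import json

SUPER_TENANT = "carbon.super"  # WSO2's super tenant domain


def tenant_domain(username: str) -> str:
    """Tenant domain of a WSO2 username: 'admin' -> carbon.super,
    'admin@arda.test' -> arda.test (text after the LAST '@', so
    email-style usernames like 'a@b.com@arda.test' still resolve)."""
    if "@" not in username:
        return SUPER_TENANT
    return username.rsplit("@", 1)[1].lower()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWS. The signature is NOT verified:
    this is a diagnostic decoder, never a substitute for the gateway's
    own validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def cross_tenant_call(token: str, api_provider: str) -> dict:
    """Compare the caller's tenant (from 'sub') with the tenant that
    published the API. A mismatch is the cross-tenant subscription case
    that vanilla APIM 3.2.0 rejects with fault 900900."""
    caller = tenant_domain(jwt_claims(token)["sub"])
    provider = tenant_domain(api_provider)
    return {"caller_tenant": caller, "api_tenant": provider,
            "cross_tenant": caller != provider}


def make_unsigned_jwt(claims: dict) -> str:
    """CONSTRUCTED sample token for offline testing: alg 'none' and an
    empty signature segment. A real gateway must reject such a token."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run it against a token from the `/token` endpoint above (hypothetical value) with the API's provider username, and a `cross_tenant` of `True` tells you the fix in the PR (or a WUM-updated pack) is what you need rather than a subscription or key-mapping problem.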