
I am trying to use an OpenAM external identity provider to authenticate users of the WSO2 developer portal. To do that I need to dynamically add the role Internal/subscriber to users authenticated via OpenAM, because we don't have roles in OpenAM. So I added the following code to the Script Based Adaptive Authentication:

var onLoginRequest = function(context) {
  executeStep(1, {
    onSuccess: function (context) {
      // Extracting authenticated subject from the first step.
      var user = context.currentKnownSubject;
      assignUserRoles(user, ['Internal/subscriber']);
    }
  });
};

When trying the authentication, I see in the WSO2 logs the error "assignUserRoles" is not defined:

TID: [-1234] [] [2021-06-10 10:57:34,273] ERROR {org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JsGraphBuilder} - Error in executing the javascript for service provider : apim_devportal, Javascript Fragment :
function (context) {
        // Extracting authenticated subject from the first step.
        var user = context.currentKnownSubject;
        assignUserRoles(user, ['Internal/subscriber']);
    } <eval>:4 ReferenceError: "assignUserRoles" is not defined
        at jdk.nashorn.internal.runtime.ECMAErrors.error(ECMAErrors.java:57)
        at jdk.nashorn.internal.runtime.ECMAErrors.referenceError(ECMAErrors.java:319)
        at jdk.nashorn.internal.runtime.ECMAErrors.referenceError(ECMAErrors.java:291)
        at jdk.nashorn.internal.objects.Global.__noSuchProperty__(Global.java:1442)

Any idea on how to solve this? Or any other alternative to give a default Internal/subscriber role to any user authenticated via OpenAM?

Davide Lorenzo MARINO
  • If you cannot make it work in WSO2, you could use an SPAttributeMapper on the OpenAM side that adds this attribute to the AttributeStatement in the SAML response. If all users should have this, OpenAM allows you to include a fixed-value SAML attribute. – Bernhard Thalmayr Jun 11 '21 at 08:17
  • @BernhardThalmayr we are using OAuth2, not SAML, at the moment. And because the OpenAM is not under my responsibility, it is not possible to change its default behaviour. So I need to operate only on the WSO2 side. – Davide Lorenzo MARINO Jun 11 '21 at 08:35


The above-mentioned error is expected in the API Manager servers. This is because the API Manager servers are not built to support Adaptive Authentication as WSO2 IS servers are.

So, if you are planning to perform Adaptive Authentication, the best option would be to deploy a WSO2 IS server as a Key Manager with API Manager and perform the task there. Further, as an alternative, we can implement a custom Provisioning Handler to assign the Internal/subscriber role to the provisioned users.

You can refer to the SystemRolesRetainedProvisionHandler.java implementation for more clarity. We can make use of retrieveRolesToBeDeleted() to append the Internal/subscriber role to the rolesToAdd variable, and then configure the custom provisioning handler in the API Manager with the following TOML config:

[authentication.framework.extensions]
provisioning_handler = "com.sample.custom.CustomRoleProvisioningHandler"

A sample implementation is given below:

// CustomRoleProvisioningHandler.java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.SystemRolesRetainedProvisionHandler;

/**
 * Provisioning handler that grants every JIT-provisioned federated user the
 * Internal/subscriber role before delegating to the default handling.
 */
public class CustomRoleProvisioningHandler extends SystemRolesRetainedProvisionHandler {

    private static final String DEFAULT_ROLE = "Internal/subscriber";

    @Override
    public void handle(List<String> roles, String subject, Map<String, String> attributes,
            String provisioningUserStoreId, String tenantDomain) throws FrameworkException {
        // The role list handed over by the framework may be null or unmodifiable,
        // so copy it before appending the default role (and avoid duplicates).
        List<String> rolesToProvision =
                roles == null ? new ArrayList<String>() : new ArrayList<String>(roles);
        if (!rolesToProvision.contains(DEFAULT_ROLE)) {
            rolesToProvision.add(DEFAULT_ROLE);
        }
        super.handle(rolesToProvision, subject, attributes, provisioningUserStoreId, tenantDomain);
    }
}

Further, here are a few other implementations of custom provisioning handlers.

Hope this helps to achieve your requirement.

Athiththan