
I am migrating old API manager to 4.1 (with one Gateway-worker and one Control-plane) and I want to reuse existing access token and set it in database.

In the old version, an API has an access token with infinite lifetime. This token is deployed in mobile apps, and it is not acceptable to regenerate a new token and redeploy the mobile app.

Actually, I have created the API in the new version (4.1). I'm using opaque token, and I can request this API with the opaque token. I just want to use my old access token instead.

I've tried to set this token in the database:

UPDATE "IDN_OAUTH2_ACCESS_TOKEN" SET ACCESS_TOKEN = '64a84d453e9259d2104210035d8436f4',
 ACCESS_TOKEN_HASH = '{"hash":"4cf7cd7f4ddc89b9900554bcf8e3ca71c605c59b278b3996a330f1fd4a3ff372","algorithm":"SHA-256"}'
 WHERE ROWID = 'xxx'

Then I restarted the gateway to clear the token cache.

I have tested options for disabling the token cache (just for testing):

[apim.cache.gateway_token]
enable = false

[apim.cache.km_token]
enable = false

[apim.cache.restapi_token]
enable = false

When I request a token, my old token is correctly returned by the key manager:

curl -k -X POST https://my-keymanager.dev/oauth2/token -d "grant_type=client_credentials" -H"Authorization: Basic XXXXX"

{"access_token":"64a84d453e9259d2104210035d8436f4","scope":"default","token_type":"Bearer","expires_in":xxx}

But when I try to call the API with this token,

curl -k -X GET "https://my-gateway.dev/test-api/32155" -H "accept: application/json" -H "Authorization: Bearer 64a84d453e9259d2104210035d8436f4"

I always get this error:

{"code":"900901","message":"Invalid Credentials","description":"Access failure for API: 
/my-Api/v2.0.0, version: v2.0.0 status: (900901) - Invalid Credentials. 
Make sure you have provided the correct security credentials"}

DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failed with error 900901
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /eQuilibre/v2.0.0, version: v2.0.0 status: (900901) - Invalid Credentials
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:536)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:516)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:402)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:353)
    at org.apache.synapse.api.API.process(API.java:403)

I think there is another step because the gateway doesn't call the key manager when I call the API.

How can I tell the Gateway to accept the new token?

EDIT 1:

I'm using Opaque token in API Manager 4.1:

How to create an application that generate Opaque token in WSO2 APIM Manager 4.x versions

EDIT 2:

I'm migrating from 2.6, but it should be the same problem with another version with opaque token. The only thing I want to migrate is the value of the token.

SpikeeJu
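
A consistency check for a hand-edited row like the one in the question, as an added example that is not part of the original post and is not WSO2's code: it recomputes the digest for ACCESS_TOKEN and compares it with the JSON stored in ACCESS_TOKEN_HASH. It assumes the digest is hex-encoded SHA-256 over the UTF-8 token bytes; `build_hash_column`, `check_row` and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import json


def build_hash_column(token: str) -> str:
    """Build an ACCESS_TOKEN_HASH value in the JSON shape shown in the question.

    Assumption: the digest is hex-encoded SHA-256 over the UTF-8 token bytes.
    """
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return json.dumps({"hash": digest, "algorithm": "SHA-256"}, separators=(",", ":"))


def check_row(token: str, hash_column: str) -> str:
    """Classify a row as 'ok', 'mismatch', 'unsupported-algorithm' or 'malformed'."""
    try:
        parsed = json.loads(hash_column)
        stored, algorithm = parsed["hash"], parsed["algorithm"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if not isinstance(stored, str):
        return "malformed"
    if algorithm != "SHA-256":
        return "unsupported-algorithm"
    expected = hashlib.sha256(token.encode("utf-8")).hexdigest()
    # Constant-time comparison on bytes; hex case is normalised first.
    if hmac.compare_digest(expected.encode("ascii"), stored.lower().encode("utf-8")):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample rows (token, ACCESS_TOKEN_HASH); not values from the page.
    sample_token = "constructed-sample-token"
    rows = [
        (sample_token, build_hash_column(sample_token)),      # consistent row
        ("edited-token", build_hash_column(sample_token)),    # token changed, hash stale
        (sample_token, '{"hash":"00","algorithm":"MD5"}'),    # unexpected algorithm
        (sample_token, "not-json"),                           # corrupted column
    ]
    for token, column in rows:
        print(check_row(token, column))
```

A result of `ok` only rules out a token/hash mismatch inside the row; it says nothing about how the gateway validates the token.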

2 Answers


Actually, I have created the API in the new version (4.1). I'm using opaque token, and I can request this API with the opaque token. I just want to use my old access token instead.

First of all, we no longer support Opaque tokens out-of-the-box in our latest product versions.

I am migrating old API manager to 4.1 (with one Gateway-worker and one Control-plane) and I want to reuse existing access token and set it in database.

From which version of API Manager are you trying to migrate? The source version is not mentioned. If the source deployment also has JWT tokens, you can migrate existing tokens into the new deployment by migrating your database using our migration scripts.

Based on the error message, I believe you are trying to invoke the new API with the old Opaque access token, whereas the new API Manager 4.1 uses the JWT token by default.

Contact WSO2 Support via [1] for any further support. [1] https://apim.docs.wso2.com/en/latest/install-and-setup/upgrading-wso2-api-manager/upgrading-api-manager/

Joy Rathnayake
  • I have edited the post. I'm migrating from 2.6 to 4.1 and I don't use JWT Token. My main need is to keep the deployed token in mobile applications. I wonder if wso2 is really adapted to this need. – SpikeeJu Feb 10 '23 at 07:58

Yes, if you follow our standard migration scripts, you can migrate existing opaque tokens (that's what is used by APIM v2.6) as it is and your existing applications will continue to function as usual. Only the new applications will use JWT tokens.

Joy Rathnayake