I have added ForgeRock AM as a Key Manager to WSO2 API Manager and generated a key with client credentials. But when I created a new realm with an OAuth provider of grant type "Password", I am not able to generate keys after subscribing to the APIs.
I have followed the documentation of WSO2 API Manager and ForgeRock AM.
WSO2 APIM - https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-forgerock-connector/
ForgeRock - https://backstage.forgerock.com/docs/am/7.1/authorization-guide/oauth2-authorization.html
I was able to generate the keys with "Client Credentials" but not with the "Password Grant".
Below is the error I get when I generate keys with the Password grant:
Error occurred when generating application keys, Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
Error from Carbon Logs:
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.forgerock.client.ForgerockOAuthClient} - Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.carbon.apimgt.impl.utils.APIUtil} - Error occurred while executing SubscriberKeyMgtClient. org.wso2.carbon.apimgt.api.APIManagementException: Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
at org.wso2.forgerock.client.ForgerockOAuthClient.handleError(ForgerockOAuthClient.java:731)
at org.wso2.forgerock.client.ForgerockOAuthClient.getAccessToken(ForgerockOAuthClient.java:637)
at org.wso2.forgerock.client.ForgerockOAuthClient.getRegistrationAccessToken(ForgerockOAuthClient.java:214)
at org.wso2.forgerock.client.ForgerockOAuthClient.createApplication(ForgerockOAuthClient.java:98)
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor} - Error occurred when updating the status of the Application creation process org.wso2.carbon.apimgt.api.APIManagementException: Error occurred while executing SubscriberKeyMgtClient.
at org.wso2.carbon.apimgt.impl.utils.APIUtil.handleException_aroundBody82(APIUtil.java:1672)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.handleException(APIUtil.java:1)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:182)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:1)
Caused by: org.wso2.carbon.apimgt.api.APIManagementException: Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
at org.wso2.forgerock.client.ForgerockOAuthClient.handleError(ForgerockOAuthClient.java:731)
at org.wso2.forgerock.client.ForgerockOAuthClient.getAccessToken(ForgerockOAuthClient.java:637)
at org.wso2.forgerock.client.ForgerockOAuthClient.getRegistrationAccessToken(ForgerockOAuthClient.java:214)
at org.wso2.forgerock.client.ForgerockOAuthClient.createApplication(ForgerockOAuthClient.java:98)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:153)
... 64 more
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.carbon.apimgt.impl.APIConsumerImpl} - Could not execute Workflow org.wso2.carbon.apimgt.impl.workflow.WorkflowException: Error occurred while executing SubscriberKeyMgtClient.
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete_aroundBody2(ApplicationRegistrationSimpleWorkflowExecutor.java:81)
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete(ApplicationRegistrationSimpleWorkflowExecutor.java:1)
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute_aroundBody0(ApplicationRegistrationSimpleWorkflowExecutor.java:54)
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute(ApplicationRegistrationSimpleWorkflowExecutor.java:1)
at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration_aroundBody106(APIConsumerImpl.java:2313)
at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration(APIConsumerImpl.java:1)
at org.wso2.carbon.apimgt.rest.api.store.v1.impl.ApplicationsApiServiceImpl.applicationsApplicationIdGenerateKeysPost(ApplicationsApiServiceImpl.java:788)
at org.wso2.carbon.apimgt.rest.api.store.v1.ApplicationsApi.applicationsApplicationIdGenerateKeysPost(ApplicationsApi.java:129)
Caused by: org.wso2.carbon.apimgt.api.APIManagementException: Error occurred while executing SubscriberKeyMgtClient.
at org.wso2.carbon.apimgt.impl.utils.APIUtil.handleException_aroundBody82(APIUtil.java:1672)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.handleException(APIUtil.java:1)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:182)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:1)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication_aroundBody6(AbstractApplicationRegistrationWorkflowExecutor.java:120)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:1)
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete_aroundBody2(ApplicationRegistrationSimpleWorkflowExecutor.java:77)
... 60 more
Caused by: org.wso2.carbon.apimgt.api.APIManagementException: Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
at org.wso2.forgerock.client.ForgerockOAuthClient.handleError(ForgerockOAuthClient.java:731)
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.carbon.apimgt.rest.api.util.exception.GlobalThrowableMapper} - org.wso2.carbon.apimgt.impl.workflow.WorkflowException: Error occurred while executing SubscriberKeyMgtClient.
WSO2 API Manager uses the Client Credentials grant to generate an access token from ForgeRock to create applications on the respective Key Manager side.
Explaining further, the WSO2 APIM first makes a token call to the ForgeRock Key Manager with the credentials that are defined in the Admin Portal. This token will use the client credentials grant type. Once an access token is obtained by the APIM from ForgeRock, APIM uses the same to proceed with Application Creation and Key Generation underneath with ForgeRock.
Therefore, it is mandatory to keep the Client Credentials grant enabled in the configurations. If it is not enabled, WSO2 APIM fails to obtain an access token from ForgeRock and cannot proceed with the Application/Subscription creation.
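The token call described in this answer can be reproduced outside APIM to check whether ForgeRock itself rejects the client credentials grant for the client configured in the Admin Portal. The sketch below is an added example, not code from the answer or from the WSO2 connector; the endpoint URL, the client id and secret, the use of HTTP Basic client authentication and the sample responses are assumptions or constructed values.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

def build_token_request(token_endpoint, client_id, client_secret, scope=None):
    """Build the client_credentials token call APIM makes before creating an application."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    # Assumption: the client authenticates with HTTP Basic (client_secret_basic).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        token_endpoint,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")

def interpret(status, body):
    """Return (ok, message) for a token endpoint response."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False, f"HTTP {status}: response is not JSON (wrong URL or proxy error?)"
    if not isinstance(doc, dict):
        return False, f"HTTP {status}: unexpected JSON payload"
    if status == 200 and doc.get("access_token"):
        return True, "client_credentials token issued; APIM can proceed to key generation"
    err = doc.get("error", "unknown_error")
    desc = doc.get("error_description", "")
    return False, (f"HTTP {status}: {err} ({desc}); check that the Client Credentials "
                   "grant is enabled for the client APIM uses in this realm")

def preflight(token_endpoint, client_id, client_secret, scope=None, timeout=10):
    """Send the request to a live ForgeRock AM and classify the result."""
    req = build_token_request(token_endpoint, client_id, client_secret, scope)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return interpret(exc.code, exc.read().decode())

# Constructed sample responses (not captured from a real server).
SAMPLE_DECLINED = ('{"error":"authorization_declined",'
                   '"error_description":"The user has declined authorization"}')
SAMPLE_OK = '{"access_token":"constructed-token","token_type":"Bearer","expires_in":3599}'

if __name__ == "__main__":
    print(interpret(400, SAMPLE_DECLINED))
    print(interpret(200, SAMPLE_OK))
```

Run `preflight(...)` with the realm's token endpoint and the credentials entered for the Key Manager; a failure here means the problem is in the ForgeRock client or realm configuration rather than in APIM.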