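I have added ForgeRock AM as a key manager for WSO2 API Manager and generated keys using client credentials. However, when I create a new realm with an OAuth provider whose grant type is "password", I am unable to generate keys after subscribing to an API.
I followed the documentation for both WSO2 API Manager and ForgeRock AM.
WSO2 APIM - https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-forgerock-connector/
ForgeRock - https://backstage.forgerock.com/docs/am/7.1/authorization-guide/oauth2-authorization.html
I am able to generate keys using "Client Credentials", but not using "Password Grant".
Below is the error I get when generating keys with the password grant:
Error occurred while generating application keys, Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
Carbon log errors: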
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.forgerock.client.ForgerockOAuthClient} - Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.carbon.apimgt.impl.utils.APIUtil} - Error occurred while executing SubscriberKeyMgtClient. org.wso2.carbon.apimgt.api.APIManagementException: Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
at org.wso2.forgerock.client.ForgerockOAuthClient.handleError(ForgerockOAuthClient.java:731)
at org.wso2.forgerock.client.ForgerockOAuthClient.getAccessToken(ForgerockOAuthClient.java:637)
at org.wso2.forgerock.client.ForgerockOAuthClient.getRegistrationAccessToken(ForgerockOAuthClient.java:214)
at org.wso2.forgerock.client.ForgerockOAuthClient.createApplication(ForgerockOAuthClient.java:98)
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor} - Error occurred when updating the status of the Application creation process org.wso2.carbon.apimgt.api.APIManagementException: Error occurred while executing SubscriberKeyMgtClient.
at org.wso2.carbon.apimgt.impl.utils.APIUtil.handleException_aroundBody82(APIUtil.java:1672)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.handleException(APIUtil.java:1)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:182)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:1)
Caused by: org.wso2.carbon.apimgt.api.APIManagementException: Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
at org.wso2.forgerock.client.ForgerockOAuthClient.handleError(ForgerockOAuthClient.java:731)
at org.wso2.forgerock.client.ForgerockOAuthClient.getAccessToken(ForgerockOAuthClient.java:637)
at org.wso2.forgerock.client.ForgerockOAuthClient.getRegistrationAccessToken(ForgerockOAuthClient.java:214)
at org.wso2.forgerock.client.ForgerockOAuthClient.createApplication(ForgerockOAuthClient.java:98)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:153)
... 64 more
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.carbon.apimgt.impl.APIConsumerImpl} - Could not execute Workflow org.wso2.carbon.apimgt.impl.workflow.WorkflowException: Error occurred while executing SubscriberKeyMgtClient.
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete_aroundBody2(ApplicationRegistrationSimpleWorkflowExecutor.java:81)
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete(ApplicationRegistrationSimpleWorkflowExecutor.java:1)
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute_aroundBody0(ApplicationRegistrationSimpleWorkflowExecutor.java:54)
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute(ApplicationRegistrationSimpleWorkflowExecutor.java:1)
at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration_aroundBody106(APIConsumerImpl.java:2313)
at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration(APIConsumerImpl.java:1)
at org.wso2.carbon.apimgt.rest.api.store.v1.impl.ApplicationsApiServiceImpl.applicationsApplicationIdGenerateKeysPost(ApplicationsApiServiceImpl.java:788)
at org.wso2.carbon.apimgt.rest.api.store.v1.ApplicationsApi.applicationsApplicationIdGenerateKeysPost(ApplicationsApi.java:129)
Caused by: org.wso2.carbon.apimgt.api.APIManagementException: Error occurred while executing SubscriberKeyMgtClient.
at org.wso2.carbon.apimgt.impl.utils.APIUtil.handleException_aroundBody82(APIUtil.java:1672)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.handleException(APIUtil.java:1)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication_aroundBody8(AbstractApplicationRegistrationWorkflowExecutor.java:182)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.dogenerateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:1)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication_aroundBody6(AbstractApplicationRegistrationWorkflowExecutor.java:120)
at org.wso2.carbon.apimgt.impl.workflow.AbstractApplicationRegistrationWorkflowExecutor.generateKeysForApplication(AbstractApplicationRegistrationWorkflowExecutor.java:1)
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete_aroundBody2(ApplicationRegistrationSimpleWorkflowExecutor.java:77)
... 60 more
Caused by: org.wso2.carbon.apimgt.api.APIManagementException: Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
at org.wso2.forgerock.client.ForgerockOAuthClient.handleError(ForgerockOAuthClient.java:731)
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.carbon.apimgt.rest.api.util.exception.GlobalThrowableMapper} - org.wso2.carbon.apimgt.impl.workflow.WorkflowException: Error occurred while executing SubscriberKeyMgtClient.
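WSO2 API Manager uses the client credentials grant to generate an access token from ForgeRock in order to create the application on the respective key manager side.
To explain further, WSO2 APIM first makes a token call to the ForgeRock key manager using the credentials defined in the Admin Portal. This token call uses the client credentials grant type. Once APIM has obtained an access token from ForgeRock, APIM uses that token to proceed with application creation and key generation in ForgeRock.
Therefore, the client credentials grant must remain enabled in the configuration. Otherwise, WSO2 APIM will not be able to obtain an access token from ForgeRock to continue with application creation/subscription.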
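The answer's point can be read straight off the stack trace in the question. The following is an added example, not part of the original posts or of the WSO2 connector: it triages a Carbon log excerpt and reports which step of the flow the ForgeRock error came from. The stage labels are this example's reading of the connector method names that appear in the trace, and the sample log is abridged from the lines quoted in the question.

```python
import re

# Sample input: abridged from the Carbon log quoted in the question.
SAMPLE_LOG = """\
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.forgerock.client.ForgerockOAuthClient} - Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
TID: [-1234] [api/am/devportal] [2024-03-05 13:39:00,763] ERROR {org.wso2.carbon.apimgt.impl.utils.APIUtil} - Error occurred while executing SubscriberKeyMgtClient. org.wso2.carbon.apimgt.api.APIManagementException: Forgerock Error{error='authorization_declined', errorDescription='The user has declined authorization'}
at org.wso2.forgerock.client.ForgerockOAuthClient.handleError(ForgerockOAuthClient.java:731)
at org.wso2.forgerock.client.ForgerockOAuthClient.getAccessToken(ForgerockOAuthClient.java:637)
at org.wso2.forgerock.client.ForgerockOAuthClient.getRegistrationAccessToken(ForgerockOAuthClient.java:214)
at org.wso2.forgerock.client.ForgerockOAuthClient.createApplication(ForgerockOAuthClient.java:98)
"""

ERROR_RE = re.compile(r"Forgerock Error\{error='([^']*)', errorDescription='([^']*)'\}")
FRAME_RE = re.compile(r"^\s*at org\.wso2\.forgerock\.client\.ForgerockOAuthClient\.(\w+)\(")

# Assumption: labels are this example's interpretation of the method names,
# listed innermost first so the most specific stage wins.
STAGES = [
    ("getRegistrationAccessToken", "registration token call (client credentials grant)"),
    ("createApplication", "application creation in ForgeRock"),
]

def frames_after(lines, start):
    """Collect ForgerockOAuthClient method names from the trace following an error line."""
    frames = []
    for line in lines[start:]:
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.group(1))
        elif not line.lstrip().startswith(("at ", "...")):
            break  # next log record or "Caused by:" ends this trace
    return frames

def triage(log_text):
    """Return (error, description, stage); prefer an error that carries a stack trace."""
    lines = log_text.splitlines()
    fallback = None
    for i, line in enumerate(lines):
        m = ERROR_RE.search(line)
        if not m:
            continue
        frames = frames_after(lines, i + 1)
        stage = next((label for name, label in STAGES if name in frames), "unknown")
        if stage != "unknown":
            return m.group(1), m.group(2), stage
        fallback = fallback or (m.group(1), m.group(2), "unknown")
    return fallback

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the log in the question, the error is attributed to the registration token call, which is the step the answer says depends on the client credentials grant being enabled.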