WSO2 API Manager 2.0.0 - LDAP & Publisher API Token Issue
I have configured WSO2 API Manager 2.0.0 with the internal user store as the primary user store and LDAP as a secondary user store. I can log in to the Carbon, Publisher and Store UIs with LDAP users. My goal is to let LDAP users use the Publisher REST APIs; the steps I followed are as follows:
Create the service provider
curl -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{ "clientName": "rest_api_publisher", "tokenScope": "Production", "owner": "admin", "grantType": "password refresh_token", "saasApp": true }' "http://localhost:9763/client-registration/v0.10/register"
Response
{
"jsonString": "{\"username\":\"admin\",\"redirect_uris\":null,\"client_name\":\"admin_rest_api_publisher\",\"grant_types\":\"urn:ietf:params:oauth:grant-type:saml2-bearer iwa:ntlm refresh_token client_credentials password\"}",
"appOwner": null,
"clientName": null,
"callBackURL": null,
"isSaasApplication": true,
"clientId": "N2GP9igHPkEcotmyE6ccyPLBeh0a",
"clientSecret": "qHO0ZFsaGDGGEaHO_4PXgKOXVWYa"
}
Get an access token for the admin user
curl -X POST -H "Authorization: Basic TjJHUDlpZ0hQa0Vjb3RteUU2Y2N5UExCZWgwYTpxSE8wWkZzYUdER0dFYUhPXzRQWGdLT1hWV1lh" -H "Cache-Control: no-cache" "https://localhost:8243/token?grant_type=password&username=admin&password=admin&scope=apim:api_view%20apim:api_publish%20apim:api_create"
Response
{
"scope": "apim:api_create apim:api_publish apim:api_view",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "787b34a2-55eb-3baa-b83a-7041959781ce",
"access_token": "2b7ad48c-67d8-3ebc-acd8-1d02aca85fdd"
}
As you can see in this example, the scope contains all the scopes I requested. With this token I can query and add new APIs and publish them. The problem I have is that when I do the same for an LDAP user, the scope is default.
(P.S.: my secondary domain is mzaferyahsi.com)
Get an access token for the LDAP user
curl -X POST -H "Authorization: Basic TjJHUDlpZ0hQa0Vjb3RteUU2Y2N5UExCZWgwYTpxSE8wWkZzYUdER0dFYUhPXzRQWGdLT1hWV1lh" -H "Cache-Control: no-cache" "https://localhost:8243/token?grant_type=password&username=mzaferyahsi.com/<<username>>&password=<<password>>&scope=apim:api_view%20apim:api_publish%20apim:api_create"
Response
{
"scope": "default",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "2a519b92-2fe8-3b85-8da8-6ea8b2eceb6e",
"access_token": "874aac4f-c441-3927-bd1b-cce859e58988"
}
Has anyone run into this issue? Any solution is appreciated.
You have to set the required role-scope mappings in the tenant-conf.json file. The user should also have the required roles. The file is here.
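To make the answer concrete, here is an added example (not code from the question or from WSO2) that models how a role-to-scope mapping in tenant-conf.json decides which requested scopes end up in the token, why a user whose roles match no mapped scope falls back to "default", and how to compare a /token response against the scopes that were requested. The role names in the mapping and the LDAP user's domain-qualified role are constructed values for illustration.

```python
"""Model of the role-to-scope check behind WSO2 APIM REST API tokens.

Mirrors the RESTAPIScopes section of tenant-conf.json: every scope lists the
roles (comma separated) allowed to hold it. A requested scope is kept only if
the user has at least one of those roles; if nothing is kept the token gets
the scope "default", which is exactly what the LDAP user above received.
"""
import copy
import json

# Constructed sample in the layout of tenant-conf.json (role names are examples).
TENANT_CONF = json.loads("""
{
  "RESTAPIScopes": {
    "Scope": [
      {"Name": "apim:api_view",    "Roles": "admin,Internal/creator,Internal/publisher"},
      {"Name": "apim:api_create",  "Roles": "admin,Internal/creator"},
      {"Name": "apim:api_publish", "Roles": "admin,Internal/publisher"}
    ]
  }
}
""")

REQUESTED = ["apim:api_view", "apim:api_publish", "apim:api_create"]


def role_scope_map(conf):
    """Return {scope: set(roles)} from a tenant-conf.json document."""
    return {e["Name"]: {r.strip() for r in e["Roles"].split(",") if r.strip()}
            for e in conf["RESTAPIScopes"]["Scope"]}


def granted_scopes(conf, user_roles, requested):
    """Space-separated scopes the token will carry, or "default" if none match."""
    mapping, roles = role_scope_map(conf), set(user_roles)
    kept = sorted(s for s in requested if mapping.get(s, set()) & roles)
    return " ".join(kept) if kept else "default"


def grant_role(conf, scopes, role):
    """Return a copy of the config with `role` added to each of `scopes`."""
    fixed = copy.deepcopy(conf)
    for entry in fixed["RESTAPIScopes"]["Scope"]:
        if entry["Name"] in scopes and role not in role_scope_map(fixed)[entry["Name"]]:
            entry["Roles"] += "," + role
    return fixed


def missing_scopes(token_response_json, requested):
    """Requested scopes absent from a /token response body (e.g. the one above)."""
    granted = set(json.loads(token_response_json)["scope"].split())
    return sorted(set(requested) - granted)
```

Running `granted_scopes(TENANT_CONF, ["mzaferyahsi.com/publisher"], REQUESTED)` returns "default" until the secondary-store role is added to the mapping with `grant_role`, which reproduces the behaviour the question describes and the fix the answer points to.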