By: Ujjwal Bhattacharyya user 21 Feb 2017 at 7:21 a.m. CST

20 Responses
I was able to get the authentication part done using OpenID Connect. Currently I am exploring SCIM functions using SCIM client. I have followed the steps described in https://www.gluu.org/docs/admin-guide/scim-uma/. I am able to access the API using any REST client though SCIM 2 API in test mode. I could not run the Java code given in the example. The error I am getting is as below. I have also attached the oxTrust config file for your reference. I really appreciate your help.

```
Exception in thread "main" gluu.scim.client.exception.ScimInitializationException: Could not get accessToken
	at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(UmaScimClientImpl.java:105)
	at gluu.scim.client.auth.UmaScimClientImpl.init(UmaScimClientImpl.java:84)
	at gluu.scim.client.BaseScimClientImpl.personSearch(BaseScimClientImpl.java:784)
	at gluu.scim.client.auth.UmaScimClientImpl.personSearch(UmaScimClientImpl.java:410)
	at gluu.scim.client.ScimClient.personSearch(ScimClient.java:190)
	at in.kanaka.local.TestScimClient.testScim1Uma(TestScimClient.java:27)
	at in.kanaka.local.TestScimClient.main(TestScimClient.java:57)
Caused by: gluu.scim.client.exception.ScimInitializationException: Failed to get AAT token
	at gluu.scim.client.auth.UmaScimClientImpl.initUmaRpt(UmaScimClientImpl.java:174)
	at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(UmaScimClientImpl.java:101)
	... 6 more
Caused by: gluu.scim.client.exception.ScimInitializationException: UMA keyId is empty
	at gluu.scim.client.auth.UmaScimClientImpl.initUmaRpt(UmaScimClientImpl.java:156)
	... 7 more
```

Java code:

```java
package in.kanaka.local;

import gluu.scim.client.ScimClient;
import gluu.scim.client.ScimResponse;
import gluu.scim2.client.Scim2Client;
import org.codehaus.jackson.JsonGenerationException;
import org.codehaus.jackson.map.JsonMappingException;

import javax.ws.rs.core.MediaType;
import javax.xml.bind.JAXBException;
import java.io.IOException;

public class TestScimClient {

    // Searches for the "admin" user through the SCIM 1.1 client, protected by UMA.
    private static void testScim1Uma(String domain, String umaMetaDataUrl, String umaAatClientId, String umaAatClientJksPath, String umaAatClientJksPassword, String umaAatClientKeyId) throws IOException, JsonGenerationException, JsonMappingException, JAXBException {
        final ScimClient scimClient = ScimClient.umaInstance(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJksPath, umaAatClientJksPassword, umaAatClientKeyId);
        ScimResponse response = scimClient.personSearch("uid", "admin", MediaType.APPLICATION_JSON);
        System.out.println("SCIM1 " + response.getResponseBodyString());
    }

    // Same search through the SCIM 2.0 client, using a filter expression.
    private static void testScim2Uma(String domain, String umaMetaDataUrl, String umaAatClientId, String umaAatClientJksPath, String umaAatClientJksPassword, String umaAatClientKeyId) throws IOException, JsonGenerationException, JsonMappingException, JAXBException {
        final Scim2Client scim2Client = Scim2Client.umaInstance(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJksPath, umaAatClientJksPassword, umaAatClientKeyId);
        String filter = "userName eq \"admin\"";
        ScimResponse response = scim2Client.searchUsers(filter, 1, 1, "", "", null);
        System.out.println("SCIM2: " + response.getResponseBodyString());
    }

    public static void main(String[] args) throws IOException, JAXBException {
        final String domain = "https://demo.gluu/identity/seam/resource/restv1";
        final String umaMetaDataUrl = "https://demo.gluu/.well-known/uma-configuration";
        final String umaAatClientId = "@!E948.D302.23A2.3F25!0001!D60E.B78A!0008!5C59.9A23";
        final String umaAatClientJksPath = "scim-rp.jks";
        final String umaAatClientJksPassword = "8iBbJDXS/aKnhlSq6U9thg==";
        final String umaAatClientKeyId = ""; // empty key id, as in the failing run above

        testScim1Uma(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJksPath, umaAatClientJksPassword, umaAatClientKeyId);
        testScim2Uma(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJksPath, umaAatClientJksPassword, umaAatClientKeyId);
    }
}
```

From OxTrust-config.json file:

```
"umaIssuer":"https://demo.gluu",
"umaClientId":"@!E948.D302.23A2.3F25!0001!D60E.B78A!0008!5364.7776",
"umaClientKeyId":"",
"umaResourceId":"1447184268430",
"umaScope":"https://demo.gluu/oxauth/seam/resource/restv1/uma/scopes/scim_access",
"umaClientKeyStoreFile":"/etc/certs/scim-rs.jks",
"umaClientKeyStorePassword":"8iBbJDXS/aKnhlSq6U9thg==",
"cssLocation":"",
"jsLocation":"",
"scimTestMode":false,
"scimTestModeAccessToken":""
```

```
scim_rp_client_id=@!E948.D302.23A2.3F25!0001!D60E.B78A!0008!5C59.9A23
scim_rs_client_id=@!E948.D302.23A2.3F25!0001!D60E.B78A!0008!5364.7776
```
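Added example, not part of the thread and not Gluu's own code: the first stack trace ends in "UMA keyId is empty" while `umaAatClientKeyId` is `""`, so a practical check is to list the private-key entries in the client keystore (`scim-rp.jks` above) and see which ones are still valid. It assumes the key id the client expects matches a keystore alias; the class name `ListJksKeyIds` is hypothetical.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
// Hypothetical helper (not part of SCIM-Client): lists the private-key
// entries of a JKS file so a non-empty key id can be chosen deliberately.
public class ListJksKeyIds {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (from a terminal): java ListJksKeyIds <path-to-jks>");
            System.exit(2);
        }
        // Prompt instead of taking the password as an argument, so it does
        // not end up in shell history or the process list.
        char[] password = console.readPassword("Keystore password: ");
        if (password == null) System.exit(2); // input closed before a password was entered
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // IOException: wrong password or damaged file
        } finally {
            Arrays.fill(password, '\0');
        }
        int keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // certificate-only entry, no private key
            }
            keys++;
            Certificate cert = ks.getCertificate(alias);
            String detail = "no X.509 certificate";
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                detail = x509.getSigAlgName() + ", notAfter=" + x509.getNotAfter()
                        + (x509.getNotAfter().before(new Date()) ? " (EXPIRED)" : "");
            }
            System.out.println(alias + "  [" + detail + "]");
        }
        if (keys == 0) {
            System.err.println("No private-key entries in " + args[0]);
            System.exit(1);
        }
    }
}
```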

By Mohib Zico staff 21 Feb 2017 at 7:39 a.m. CST

Please feel free to search other tickets on this issue. I just did a quick search and found a couple of other tickets with the same issue.

By Ujjwal Bhattacharyya user 21 Feb 2017 at 10:02 a.m. CST

I am doing exactly what is mentioned in those posts, but I could not make it work.

By Mohib Zico staff 21 Feb 2017 at 10:20 a.m. CST

> I am doing exactly what is mentioned in those posts

Which link/s did you follow? Are there any differences between your environment or other environments?

By Ujjwal Bhattacharyya user 22 Feb 2017 at 3:43 a.m. CST

I looked at lots of threads and some of them are below:

https://support.gluu.org/other/2608/cant-consume-gluu-server-scim-api/

https://support.gluu.org/installation/3472/scim-client-failed-to-get-results/

By Mohib Zico staff 22 Feb 2017 at 4:37 a.m. CST

Ok.. one last thing before we move for QA. Let's install [3.0.1](https://repo.gluu.org/ubuntu/pool/main/trusty-devel/gluu-server-3.0.1_1-5~trusty+Ub14.04_amd64.deb) and see what you are getting.

By Ujjwal Bhattacharyya user 22 Feb 2017 at 5:53 a.m. CST

Sure, I will do that next. But it will take some time, since the same VM is also being used for OpenID Connect authentication, which is in use. Do you see any obvious error in my code?

By Ujjwal Bhattacharyya user 23 Feb 2017 at 3:01 a.m. CST

I installed Gluu Server 3.0.0 with no error. When I tried to access it, I got a service not available error. The identity service is not started, with the error below:

```
Caused by: org.gluu.site.ldap.persistence.exception.EntryPersistenceException: Failed to find entries with baseDN: ou=attributes,o=@!3FA9.987A.59F1.EC50!0001!72FD.B142,o=gluu, filter: (&(objectClass=top)(objectClass=gluuAttribute))
	at org.gluu.site.ldap.persistence.LdapEntryManager.findEntries(LdapEntryManager.java:361)
```

By Ujjwal Bhattacharyya user 24 Feb 2017 at 3:37 a.m. CST

I installed Gluu 3.0.0 on Ubuntu 14.4, but I am still getting the same error.

By Mohib Zico staff 24 Feb 2017 at 3:41 a.m. CST

Thanks for your testing, we will take a quick look and create an issue if required.

By Ujjwal Bhattacharyya user 01 Mar 2017 at 2:40 a.m. CST

Hi Mohib, Do you have any update regarding this issue? I would really appreciate your help as I am stuck with the implementation due to this issue. Regards, ujjwal

By Mohib Zico staff 01 Mar 2017 at 3:04 a.m. CST

Hi, not yet. We will notify you as soon as we test it.

By Ujjwal Bhattacharyya user 08 Mar 2017 at 3:07 a.m. CST

Hi Mohib, Trust you are doing well. Is there any way we can expedite it? I am really stuck as I could not move ahead without this feature. I need to make a quick decision based on the outcome.

By Mohib Zico staff 08 Mar 2017 at 4:33 a.m. CST

Hi Ujjwal, Sorry for your trouble. Checked internal ticket status and it's showing 'In progress' as well; that means someone is looking into the issue. But if you need... you can check [VIP Support](https://www.gluu.org/gluu-server/pricing/), VIP support has SLA.

By Michael Schwartz Account Admin 10 Mar 2017 at 3:53 p.m. CST

One suggestion, you might want to consider using [oxd](https://oxd.gluu.org) to obtain the UMA access token. Also, the error you posted doesn't make sense. Are you sure your installation was ok? Also, as Zico mentioned, if you purchase a support contract, that comes with consultative support in addition to more involved debugging on coding.

By Ujjwal Bhattacharyya user 12 Mar 2017 at 9:27 p.m. CDT

Thanks Michael for your response, but I can't recommend a support contract at the evaluation phase. After I am sure that it's going to suffice for our requirement, then I can recommend buying a support contract. I am at the evaluation stage and this issue is holding us back.

By William Lowe user 13 Mar 2017 at 1:38 p.m. CDT

Thanks, Ujjwal. As I'm sure you can understand, we can only expedite issues for our paying customers. We do our best to resolve community support issues as fast as possible, but we have limited bandwidth for free support.

By Ujjwal Bhattacharyya user 21 Mar 2017 at 4:21 a.m. CDT

Can you please confirm if the following input parameters are correct for the SCIM client:

```
umaAatClientId = <scim_rs_client_id>
umaAatClientJksPath = "scim-rp.jks";
umaAatClientJksPassword = <scim_rs_client_jks_pass>;
umaAatClientKeyId = "";
```

By Ujjwal Bhattacharyya user 21 Mar 2017 at 5:40 a.m. CDT

There is some progress at my end. Now I can get the AAT and RPT token. I am getting the error below while accessing the API, any idea?

```
RESPONSE = {"ticket":"109cca6d-169f-4700-82e8-03b8239abd7a"}
Exception in thread "main" gluu.scim.client.exception.ScimInitializationException: Failed to authorize UMA ticket. Error: {"error":"not_authorized_permission","error_description":"The requester is definitively not authorized for this permission according to user policy."}
	at gluu.scim2.client.auth.UmaScim2ClientImpl.authorizeRpt(UmaScim2ClientImpl.java:226)
	at gluu.scim2.client.auth.UmaScim2ClientImpl.autorizeRpt(UmaScim2ClientImpl.java:192)
	at gluu.scim2.client.auth.UmaScim2ClientImpl.searchUsers(UmaScim2ClientImpl.java:453)
	at gluu.scim2.client.Scim2Client.searchUsers(Scim2Client.java:274)
	at in.kanaka.local.TestScimClient.testScim2Uma(TestScimClient.java:45)
	at in.kanaka.local.TestScimClient.main(TestScimClient.java:63)
Caused by: org.jboss.resteasy.client.ClientResponseFailure: Error status 403 Forbidden returned
	at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:523)
	at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:514)
	at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:508)
	at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:38)
	at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:126)
	at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
	at com.sun.proxy.$Proxy37.requestRptPermissionAuthorization(Unknown Source)
	at gluu.scim2.client.auth.UmaScim2ClientImpl.authorizeRpt(UmaScim2ClientImpl.java:215)
	... 5 more
```

By Michael Schwartz Account Admin 22 Mar 2017 at 5:21 p.m. CDT

Are you using the right client? There is a client for both the SCIM Client and SCIM RS. Make sure you are using the SCIM Client client_id (sorry for the repetitiveness of that statement...). You can also confirm by checking the client_id in the default authorization script (under Configuration/Custom Scripts/Authorization).

By Ujjwal Bhattacharyya user 24 Mar 2017 at 2:18 a.m. CDT

Thanks Michael for your help. The issue has been resolved.