
API Manager 3.2.0 and Keycloak - Unclassified Authentication Failure #9286

Open
molinab297-unisys opened this issue Sep 21, 2020 · 7 comments

Comments

@molinab297-unisys

Description:

Hello, I'm trying to configure API Manager 3.2.0 to use Keycloak. I followed the instructions here, however when I use API Manager to generate an access token and then try to access my API, I get the following error:

$ curl -X GET "https://localhost:8243/petstore/1.0.0/" -H "accept: application/xml" -H "Authorization: Bearer eyJh.." -k

<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900900</ams:code><ams:message>Unclassified Authentication Failure</ams:message><ams:description>Error while accessing backend services for API key validation</ams:description></ams:fault>

In the wso2-apigw-errors.log file, I see this:

TID: [-1234] [] [2020-09-21 00:34:51,355] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Unclassified Authentication Failure org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:438)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:418)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:354)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:325)
        at org.apache.synapse.rest.API.process(API.java:373)
        at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:144)
        at org.apache.synapse.rest.RESTRequestHandler.identifyAPI(RESTRequestHandler.java:164)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:73)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:331)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:99)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:188)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)

Am I missing something? It seems that my API Manager can communicate with Keycloak, as it can create clients and generate access tokens just fine. But I get this error whenever I make a request to my backend API using a JWT that was generated by keycloak. If I use the built-in "Resident Key Manager" to generate a JWT and then use that, everything works just fine. Do I need to import any other Keycloak certificates other than the SSL cert that the instructions say to import? Or does API Manager make a request to Keycloak to validate the incoming JWT?

Steps to reproduce:

1). Follow the Configure Keycloak as a Key Manager instructions here.
2). Create an API and Application, then have that Application subscribe to the API.
3). Under the Production keys > keycloak tab, generate an access token.
4). Make request to the gateway with that access token.

Affected Product Version:

3.2.0

Environment details (with versions):

  • OS: CentOS 7
  • Client:
  • Env (Docker/K8s): Single standalone instance
  • Keycloak: 10.0.2

Optional Fields

Related Issues:

Suggested Labels:

Suggested Assignees:

@CrowleyRajapakse
Contributor

Hi @molinab297-unisys ,
Is it possible for you to share the wso2carbon.log as well if you see any errors relevant to the above scenario?

@molinab297-unisys
Author

molinab297-unisys commented Sep 22, 2020

Hi @CrowleyRajapakse, it contains the same exception. Here's a snippet from wso2carbon.log:

TID: [-1234] [] [2020-09-22 10:47:55,014]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the keyManager topic...
TID: [-1234] [] [2020-09-22 10:47:55,193]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the throttleData topic...
TID: [-1234] [] [2020-09-22 10:47:55,275]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the tokenRevocation topic...
TID: [-1234] [] [2020-09-22 10:47:55,282]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the cacheInvalidation topic...
TID: [-1234] [] [2020-09-22 10:47:55,296]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTransportHandler} - Starting jms topic consumer thread for the notification topic...
TID: [-1234] [] [2020-09-22 10:47:55,326]  INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - Server           :  WSO2 API Manager-3.2.0
TID: [-1234] [] [2020-09-22 10:47:55,327]  INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - WSO2 Carbon started in 76 sec
TID: [-1] [] [2020-09-22 10:47:56,081]  INFO {org.wso2.callhome.CallHomeExecutor} -
.............................................................................
There are 48 updates available for the product 'wso2am-3.2.0'.[WARNING] There
are 6 critical security updates for the product 'wso2am-3.2.0'. WSO2 strongly
recommends to apply these updates in production as soon as possible.
.............................................................................
TID: [-1] [] [2020-09-22 10:47:56,611]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#cacheInvalidation was successful!
TID: [-1] [] [2020-09-22 10:47:56,612]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#keyManager was successful!
TID: [-1] [] [2020-09-22 10:47:56,626]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#notification was successful!
TID: [-1] [] [2020-09-22 10:47:56,627]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#throttleData was successful!
TID: [-1] [] [2020-09-22 10:47:56,635]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1] [] [2020-09-22 10:47:56,664]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1] [] [2020-09-22 10:47:56,677]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1] [] [2020-09-22 10:47:56,684]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1] [] [2020-09-22 10:47:56,782]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Connection attempt: 1 for JMS Provider for listener: Siddhi-JMS-Consumer#tokenRevocation was successful!
TID: [-1] [] [2020-09-22 10:47:56,789]  INFO {org.wso2.carbon.apimgt.jms.listener.utils.JMSTaskManager} - Task manager for Siddhi-JMS-Consumer [re-]initialized
TID: [-1234] [] [2020-09-22 10:47:56,926]  INFO {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} - Mgt Console URL  : https://localhost:9443/carbon/
TID: [-1234] [] [2020-09-22 10:47:56,926]  INFO {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} - API Developer Portal Default Context : https://localhost:9443/devportal
TID: [-1234] [] [2020-09-22 10:47:56,926]  INFO {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} - API Publisher Default Context : https://localhost:9443/publisher
TID: [-1234] [internal/data/v1] [2020-09-22 10:47:57,174]  INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - An instance of org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl is created for Identity OAuth token generation.
TID: [-1] [] [2020-09-22 10:47:57,216]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : notification
TID: [-1] [] [2020-09-22 10:47:57,216]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : keyManager
TID: [-1] [] [2020-09-22 10:47:57,356]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : cacheInvalidation
TID: [-1] [] [2020-09-22 10:47:57,451]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : tokenRevocation
TID: [-1] [] [2020-09-22 10:47:57,478]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSUtils} - Cannot locate destination : throttleData
TID: [-1] [] [2020-09-22 10:47:59,648]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : cacheInvalidation of type topic for listener Siddhi-JMS-Consumer#cacheInvalidation have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:47:59,666]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : throttleData of type topic for listener Siddhi-JMS-Consumer#throttleData have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:47:59,683]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : notification of type topic for listener Siddhi-JMS-Consumer#notification have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:47:59,690]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : keyManager of type topic for listener Siddhi-JMS-Consumer#keyManager have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:47:59,794]  WARN {org.wso2.carbon.apimgt.jms.listener.utils.JMSListener} - Polling tasks on destination : tokenRevocation of type topic for listener Siddhi-JMS-Consumer#tokenRevocation have not yet started after 3 seconds ..
TID: [-1] [] [2020-09-22 10:48:46,929]  WARN {org.apache.synapse.transport.http.access.AccessConfiguration} - Error loading properties from file: access-log.properties
TID: [-1] [] [2020-09-22 10:48:46,934]  WARN {org.apache.synapse.commons.util.MiscellaneousUtil} - Error loading properties from a file at from the System defined location: access-log.properties
TID: [-1] [] [2020-09-22 10:48:46,938]  WARN {org.apache.synapse.commons.util.MiscellaneousUtil} - Error loading properties from a file at from the System defined location: access-log.properties
TID: [-1234] [] [2020-09-22 10:48:47,147]  INFO {org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler} - org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler Initialised
TID: [-1234] [] [2020-09-22 10:48:47,400] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Unclassified Authentication Failure org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:438)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:418)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:354)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:325)
        at org.apache.synapse.rest.API.process(API.java:373)
        at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:144)
        at org.apache.synapse.rest.RESTRequestHandler.identifyAPI(RESTRequestHandler.java:164)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:73)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:331)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:99)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:188)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)

I think the problem is that API Manager isn't able to validate the JWT for some reason. How does it do that? Does it use the public certificate from Keycloak to validate the JWT just like API Microgateway?

@CrowleyRajapakse
Contributor

Hi @molinab297-unisys ,
When defining the KeyCloak key manager from the admin console, can you select the Token Validation Method as Self validate JWT? And yes, we use the issuer certificate provided when configuring KeyCloak from the admin console to validate the signature of the JWT token.
[Screenshot 2020-09-23 at 12:58:03]

@molinab297-unisys
Author

Hi @CrowleyRajapakse, thanks for your help.

I retrieved the issuer certificate from Keycloak by making the following request:

curl -L -k -X GET https://localhost:9991/auth/realms/master/protocol/openid-connect/certs

and then I extract the certificate from the 'x5c' field and put it in a 'keycloak.crt' file. Then I convert that crt file into a 'pem' file and copy the contents into the API Manager:

[Screenshot: Capture]

Then I go to my Application in API Manager, select Production Keys, then Keycloak and generate a JWT:

[Screenshot: Capture2]

I still get the following error whenever I make a request to my backend API with that JWT:

$ curl -X GET "https://localhost:8243/petstore/1.0.0/" -H "accept: application/xml" -H "Authorization: Bearer eyJh.." -k

<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900900</ams:code><ams:message>Unclassified Authentication Failure</ams:message><ams:description>Error while accessing backend services for API key validation</ams:description></ams:fault>

However like I said earlier, if I use a JWT generated by the Resident Key Manager, it works.
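The certificate-extraction step described above, as an added example that is not part of the issue or of WSO2's code: it runs against a constructed JWKS document shaped like Keycloak's certs response (the x5c values are placeholders, not real certificates) and picks the JWKS entry whose kid matches the token header before converting x5c to PEM, which is the check to make when a pasted issuer certificate does not validate the token. Signature verification itself is left to a JWT library.

```python
import base64
import json
import textwrap

# Constructed sample data, not taken from the issue: a JWKS document shaped like
# Keycloak's .../protocol/openid-connect/certs response, with two published keys
# (Keycloak can publish several). The x5c values are placeholders, not real certs.
PLACEHOLDER_X5C = base64.b64encode(b"placeholder DER bytes, not a real cert").decode()
SAMPLE_JWKS = {
    "keys": [
        {"kid": "rotated-out", "kty": "RSA", "alg": "RS256", "use": "sig",
         "x5c": [base64.b64encode(b"older placeholder cert").decode()]},
        {"kid": "abc123", "kty": "RSA", "alg": "RS256", "use": "sig",
         "x5c": [PLACEHOLDER_X5C]},
    ]
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_kid(token: str) -> str:
    """Read the 'kid' from the JOSE header (the header is not verified here)."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header["kid"]

def select_signing_key(jwks: dict, kid: str) -> dict:
    """Return the JWKS entry whose kid matches the token's header, or fail loudly."""
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    raise LookupError(f"no signing key with kid={kid!r} in JWKS")

def x5c_to_pem(x5c_entry: str) -> str:
    """Wrap the base64 DER from x5c[0] as a PEM certificate with 64-char lines."""
    body = "\n".join(textwrap.wrap(x5c_entry, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def issuer_cert_for_token(token: str, jwks: dict = SAMPLE_JWKS) -> str:
    """PEM of the certificate for this token's signing key, ready to paste as issuer cert."""
    key = select_signing_key(jwks, jwt_kid(token))
    return x5c_to_pem(key["x5c"][0])

def make_demo_token(kid: str) -> str:
    """Constructed, unsigned token (header only matters) to exercise kid selection."""
    header = json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"
```

Against a live Keycloak, replace SAMPLE_JWKS with the parsed JSON from the certs endpoint quoted above and pass a real token; a LookupError means the token was signed by a key the realm no longer publishes, so no pasted certificate can validate it.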

@tharindu1st
Contributor

@molinab297-unisys Can you try giving the JWKS endpoint as mentioned above and try the same scenario?

@matc4

matc4 commented Nov 28, 2020

I have the same problem. Any news on this?

@akshay-k28

akshay-k28 commented Aug 10, 2021

Hi @molinab297-unisys ,
I am also facing the same issue. Can you please let me know if you were able to resolve the above issue?
