I am trying to secure an API with BasicAuth in WSO2 API Manager 4.1.0 GA Release.

There is a backend service which was protected by a Basic Auth mechanism (Username: [email protected], Password: apimtestpwd). I hosted this backend in WSO2 APIM by following the below-mentioned steps.

1. BasicAuth enabled under the API Configurations section --> Runtime in Publisher.
2. BasicAuth credentials are provided under the API Configurations section --> Endpoints.
3. Devportal: there is no subscription added, as this was protected with Basic Authentication.

Try Out or Postman is getting a 403 Forbidden ERROR as the response:

```json
{ "code": "900908", "message": "Resource forbidden ", "description": "Resource forbidden " }
```

Noticed the below ERROR log in wso2carbon.log:

```
[2023-03-30 20:01:49,291] ERROR - BasicAuthAuthenticator Basic Authentication failure: tenant domain mismatch for user :[email protected]
[2023-03-30 20:01:49,291] WARN - APIAuthenticationHandler API authentication failure due to Resource forbidden
```
PS: The user was added in the WSO2 Carbon portal under the Users and Roles section.

@Lakshitha suggested adding the below lines to the deployment.toml file:

```toml
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[tenant_mgt]
enable_email_domain= true
[apim.throttling]
#username = "$ref{super_admin.username}@carbon.super"
username = "[email protected]@[email protected]"
[apim.throttling.policy_deploy]
username = "$ref{super_admin.username}@carbon.super"
[apim.throttling.jms]
#username="admin!wso2.com!carbon.super"
username="admin!wso2.com!testdomain.com!carbon.super"
password = "$ref{super_admin.password}"
```

The API request is not reaching the backend URL server. How can I resolve this issue?
I think the problem is with the user you are invoking the API with. If you are using an email address as the username (e.g. [email protected]), you have to explicitly enable this (check this doc). If not, the server believes the part after @ is a tenant domain and looks for an associated tenant domain.
I think that should be the reason for having this error in the backend.
In your scenario you have basic auth in two layers:

1. Backend security
2. API security

You need to have the correct username/password credentials for the 2. API security part. This username/password pair has to be included in the WSO2 userstore, and that's how APIM validates the request.
The credentials for 1. Backend security do not have this requirement, as the validation is done by the backend, not by the APIM server.
Edit: You can't use [email protected] to invoke the API exposed via the API Manager. This user is associated with the backend, and for Basic auth at the APIM layer you need to invoke with a user that is already included in the WSO2 userstore.
Once the server validates the authenticity of the user, it passes the request to the backend, and for this call the server generates a new basic auth header using the configuration you have set in the endpoint security section ([email protected] and password). In this backend call, API Manager acts as the client and sends the request to the backend server using the basic auth credentials.
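The two-layer flow described in this answer, as an added example that is not part of the original post and not WSO2 code: a small Python model of a gateway that first checks the caller's Basic credentials against its own userstore (interpreting an `@` suffix as a tenant domain unless email-style usernames are enabled, which is what produces the "tenant domain mismatch" log line in the question), and only then forwards with a freshly built Authorization header carrying the endpoint-security credentials. The userstore contents, tenant list, and backend credentials (`backenduser@example.com`) are constructed values; the tenant-splitting rule is a simplified model of the behaviour the answer describes, not the server's real parser.

```python
import base64
from typing import Dict, Optional, Tuple

SUPER_TENANT = "carbon.super"

# Constructed stand-in for the WSO2 userstore that the gateway checks (not real APIM code).
# Keyed by (username, tenant domain) -> password.
GATEWAY_USERSTORE: Dict[Tuple[str, str], str] = {
    ("admin", SUPER_TENANT): "admin",
    ("apiuser@example.org", SUPER_TENANT): "apipass",   # email-style username
}
KNOWN_TENANTS = {SUPER_TENANT}

# Endpoint-security (backend) credentials as set in the Publisher; assumed sample values.
BACKEND_USER, BACKEND_PASSWORD = "backenduser@example.com", "apimtestpwd"


def split_tenant(username: str, enable_email_domain: bool) -> Tuple[str, str]:
    """Simplified model of how a multi-tenant server reads the '@' in a username.

    Without email-domain support, everything after the last '@' is taken as the
    tenant domain.  With it enabled, a single '@' is part of the username and only
    a further '@' suffix names a tenant.
    """
    if "@" not in username:
        return username, SUPER_TENANT
    parts = username.split("@")
    if enable_email_domain and len(parts) == 2:
        return username, SUPER_TENANT
    return "@".join(parts[:-1]), parts[-1]


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <base64>' value into (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def encode_basic(user: str, password: str) -> str:
    """Build an 'Authorization' header value for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def gateway_handle(client_auth_header: str, enable_email_domain: bool) -> Dict[str, object]:
    """Layer 2 (API security at the gateway) followed by layer 1 (backend security)."""
    creds = decode_basic(client_auth_header)
    if creds is None:
        return {"status": 401, "log": "Basic Authentication failure: missing or malformed credentials"}
    user, password = creds
    name, domain = split_tenant(user, enable_email_domain)
    if domain not in KNOWN_TENANTS:
        # This is the case from the question: an email-style user with email domains disabled.
        return {"status": 403, "code": "900908",
                "log": f"Basic Authentication failure: tenant domain mismatch for user :{user}"}
    if GATEWAY_USERSTORE.get((name, domain)) != password:
        return {"status": 403, "code": "900908",
                "log": f"Basic Authentication failure: invalid credentials for user :{user}"}
    # Caller is authenticated. The gateway now acts as the client towards the backend and
    # sends its own header built from the endpoint-security credentials, not the caller's.
    return {"status": 200, "backend_authorization": encode_basic(BACKEND_USER, BACKEND_PASSWORD)}


if __name__ == "__main__":
    # Invoking with the backend's credentials, as in the question, is rejected at the gateway.
    print(gateway_handle(encode_basic(BACKEND_USER, BACKEND_PASSWORD), enable_email_domain=False))
    # A userstore user succeeds, and the forwarded header carries the backend credentials.
    print(gateway_handle(encode_basic("apiuser@example.org", "apipass"), enable_email_domain=True))
```

The point to take from running it: the caller's credentials and the backend's credentials never meet. The gateway accepts only users it knows, and the header it sends onward is generated from configuration, so supplying the backend's username to the gateway cannot work regardless of whether email-style usernames are enabled.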