You may use the account lock/unlock feature to block token generation for a user. I tried this on my local machine. Here are the steps I followed.
I installed the following features into API Manager 1.6.0 from the p2 repository (http://dist.wso2.org/p2/carbon/releases/turing/). For this I used the IS 4.5.0 features.
User Profiles Feature
Claim Management Feature
Account Recovery and Credential Management Feature
Create a new user named testuser. Grant it the subscriber permission.
Then install the required features into APIM 1.6.0 and restart the server.
Then lock the test user as follows.
Go to the claim management UI and make accountLocked a supported-by-default claim.
Then go to Users, select the required user, and lock the account.
I enabled the following properties in the identity-mgt.properties file.
Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=7200
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=2
I restarted the server to make sure this is not a claim cache issue. Now this account is locked and can no longer be used.
Now if you try to generate a token, you should see something like this.
curl -k -d "grant_type=password&username=testuser&password=testuser&scope=PRODUCTION" -H "Authorization: Basic ZkZlZkRFY0dtNDFJVk50VUl2YXdMeDJubUxFYTozNG9aTmZhQmpHWHdUQmo1N19mT045dHpqaUVh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
{"error":"invalid_grant","error_description":"Provided Authorization Grant is invalid."}
In the back-end logs you should see this.
[2014-12-18 16:56:28,832] WARN {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} - User account is locked for user : testuser. cannot login until the account is unlocked
[2014-12-18 16:56:28,833] ERROR {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Error when authenticating the user for OAuth Authorization.
org.wso2.carbon.user.core.UserStoreException: 17003
at org.wso2.carbon.identity.mgt.IdentityMgtEventListener.doPreAuthenticate(IdentityMgtEventListener.java:167)
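The WARN line above is a useful signal to monitor: repeated token requests for an account that is already locked. The following is an added example, not part of the original post or of WSO2's code; the sample log is constructed in the format shown above, and the function names, threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the log lines above (not real server output).
SAMPLE_LOG = """\
[2014-12-18 16:56:28,832] WARN {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} - User account is locked for user : testuser. cannot login until the account is unlocked
[2014-12-18 16:56:28,833] ERROR {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Error when authenticating the user for OAuth Authorization.
org.wso2.carbon.user.core.UserStoreException: 17003
[2014-12-18 16:56:40,101] WARN {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} - User account is locked for user : testuser. cannot login until the account is unlocked
[2014-12-18 16:57:02,517] WARN {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} - User account is locked for user : testuser. cannot login until the account is unlocked
[2014-12-18 17:30:00,000] WARN {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} - User account is locked for user : alice. cannot login until the account is unlocked
"""

# Matches only the listener's "account is locked" warning; stack-trace lines are skipped.
LOCKED = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3}\]\s+WARN\s+"
    r"\{org\.wso2\.carbon\.identity\.mgt\.IdentityMgtEventListener\}\s+-\s+"
    r"User account is locked for user : (?P<user>\S+)\. cannot login"
)

def locked_attempts(log_text):
    """Return {username: [datetime, ...]} for every rejected login on a locked account."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOCKED.match(line)
        if m:
            hits[m["user"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return dict(hits)

def repeated_attempts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` locked-account attempts inside one time window."""
    flagged = {}
    for user, times in locked_attempts(log_text).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[user] = len(times)  # report the total seen for this user
                break
    return flagged

if __name__ == "__main__":
    for user, count in repeated_attempts(SAMPLE_LOG).items():
        print(f"{user}: {count} token requests against a locked account")
```

Because the token endpoint returns the same generic invalid_grant error to the client, the server log is the place where a locked-account attempt can be told apart from a wrong password.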
If you need more information, please see this page (https://docs.wso2.com/pages/viewpage.action?pageId=34612027).