 

Application User tokens Gives Resource Forbidden error in WSO2 API Manager

I have configured WSO2 Identity Server as a key manager for WSO2 API Manager using the following link.

I have created the API through the WSO2 API Manager Publisher, and I have given the auth type as Application & Application User.

When I invoke APIs with an application token it is fine, but when I use user tokens it gives me this error:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900908</ams:code>
    <ams:message>Resource forbidden </ams:message>
    <ams:description>Access failure for API: /t/dev-peakhealth.com/dev-api/1.0, version: 1.0</ams:description>
    </ams:fault>

API Manager logs:

    TID: [3] [] [2016-06-13 19:18:07,074] @dev-peakhealth.com [3] [AM]DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} -  Call to API gateway : API call failed reason=API_authentication_failure [email protected] transactionId=urn:uuid:63675ed0-1b95-4a06-9b2c-b3f7ad3daa18 with userAgent=curl/7.35.0 with accessToken=Bearer ca8569957cf1fb5d58f5b70d9649d982 for requestURI=/t/dev-peakhealth.com/dev-api/1.0/careplans at time=Mon Jun 13 19:18:07 IST 2016 from clientIP=192.168.4.31, elapsedTimeInMilliseconds=0 {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler}
    TID: [3] [] [2016-06-13 19:18:07,074] @dev-peakhealth.com [3] [AM] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} -  API authentication failure due to Resource forbidden  {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler}
    TID: [3] [] [2016-06-13 19:18:07,075] @dev-peakhealth.com [3] [AM]DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} -  API authentication failed with error 900908 {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler}
    org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /t/dev-peakhealth.com/dev-api/1.0, version: 1.0
    at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:221)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:130)
    at org.apache.synapse.rest.API.process(API.java:322)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:86)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:65)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:295)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:83)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.wso2.carbon.core.multitenancy.MultitenantMessageReceiver.processRESTRequest(MultitenantMessageReceiver.java:617)
    at org.wso2.carbon.core.multitenancy.MultitenantMessageReceiver.doNhttpREST(MultitenantMessageReceiver.java:556)
    at org.wso2.carbon.core.multitenancy.MultitenantMessageReceiver.doREST(MultitenantMessageReceiver.java:366)
    at org.wso2.carbon.core.multitenancy.MultitenantMessageReceiver.processRequest(MultitenantMessageReceiver.java:224)
    at org.wso2.carbon.core.multitenancy.MultitenantMessageReceiver.receive(MultitenantMessageReceiver.java:78)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:317)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:149)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

Please help me resolve this.

Murugesan Palanivel asked Jun 13 '16 14:06



2 Answers

Make sure you are passing the appropriate Client ID and Client Secret in the Authorization header when generating the user token. Also, make sure that the application that owns this ID/Secret pair is subscribed to the API you want to use.

I had the same error when I was trying to use tokens generated for another application (with a different ID/Secret pair), which was not subscribed to use the API I was trying to use.

DfKimera answered Oct 23 '22 05:10



Usually this error happens when you invoke APIs with tokens obtained for a different auth type. You may try to delete all resources and recreate them from the API Publisher. Then save/publish the API and restart the server. If this does not work even after that, we need to check at the database level and see what happened. Also, please let us know which API Manager version you are using.

To check the database you can run the following 2 queries. First we need to get the API details by passing the API name.

    select * from AM_API where API_NAME='your_api_name';

Then, once we have the API_ID (from the above query), we can get the auth schemes and other resource details associated with the API with the following query.

    select * from AM_API_URL_MAPPING where API_ID='API_id_obtained_from_previous_step';

sanjeewa.190 answered Oct 23 '22 03:10

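The two answers point at the same two checks: the user token must be generated with the consumer key/secret of an application that is subscribed to the API, and each resource's auth scheme in AM_API_URL_MAPPING must accept the kind of token being presented. The following Python helper is an added example, not code from the thread or from WSO2: it parses the ams:fault body from the question, builds the password-grant token request the way the first answer describes (the token endpoint URL, consumer key/secret and user credentials are placeholders), and checks constructed AM_API_URL_MAPPING rows against a token type. The column names and the AUTH_SCHEME strings (Any, Application, Application_User, None) are assumptions taken from the API Manager database schema; verify them against your own AM_API_URL_MAPPING output.

```python
"""Triage helper for WSO2 API Manager 900908 'Resource forbidden' responses (added example)."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

AMS_NS = {"ams": "http://wso2.org/apimanager/security"}

# Constructed sample: the fault body exactly as shown in the question.
SAMPLE_FAULT = """<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900908</ams:code>
<ams:message>Resource forbidden </ams:message>
<ams:description>Access failure for API: /t/dev-peakhealth.com/dev-api/1.0, version: 1.0</ams:description>
</ams:fault>"""

# Constructed sample rows, shaped like AM_API_URL_MAPPING (column names assumed from the APIM schema).
SAMPLE_URL_MAPPINGS = [
    {"API_ID": 5, "HTTP_METHOD": "GET", "AUTH_SCHEME": "Application", "URL_PATTERN": "/careplans"},
    {"API_ID": 5, "HTTP_METHOD": "POST", "AUTH_SCHEME": "Any", "URL_PATTERN": "/careplans"},
]

# Which token types each stored AUTH_SCHEME accepts (assumed mapping; "Any" is what the
# Publisher's "Application & Application User" choice is stored as).
SCHEME_ALLOWS = {
    "Any": {"APPLICATION", "APPLICATION_USER"},
    "Application": {"APPLICATION"},
    "Application_User": {"APPLICATION_USER"},
    "None": {"APPLICATION", "APPLICATION_USER", None},
}


def parse_fault(xml_text):
    """Extract code, message and description from an ams:fault payload."""
    root = ET.fromstring(xml_text)
    return {
        "code": int(root.findtext("ams:code", namespaces=AMS_NS)),
        "message": root.findtext("ams:message", namespaces=AMS_NS).strip(),
        "description": root.findtext("ams:description", namespaces=AMS_NS).strip(),
    }


def password_grant_request(token_url, consumer_key, consumer_secret, username, password):
    """Build (without sending) the password-grant request for a user token.

    The Basic credential must be the consumer key/secret of the application that is
    subscribed to the API; a token minted for a different application is rejected.
    """
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    form = {"grant_type": "password", "username": username, "password": password}
    return {
        "url": token_url,
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def explain_forbidden(url_mappings, http_method, token_type, app_subscribed):
    """Return human-readable reasons a call could be forbidden; empty list means no mismatch found."""
    findings = []
    if not app_subscribed:
        findings.append("application owning the consumer key/secret is not subscribed to the API")
    for row in url_mappings:
        if row["HTTP_METHOD"] != http_method:
            continue
        allowed = SCHEME_ALLOWS.get(row["AUTH_SCHEME"])
        if allowed is None:
            findings.append(f"unknown AUTH_SCHEME {row['AUTH_SCHEME']!r} on {row['URL_PATTERN']}")
        elif token_type not in allowed:
            findings.append(
                f"{http_method} {row['URL_PATTERN']} requires {row['AUTH_SCHEME']} "
                f"but the token type is {token_type}"
            )
    return findings


if __name__ == "__main__":
    fault = parse_fault(SAMPLE_FAULT)
    print(f"gateway fault {fault['code']}: {fault['message']} ({fault['description']})")
    # Placeholder endpoint and credentials; replace with your gateway's /token URL and app keys.
    req = password_grant_request("https://gateway.example:8243/token", "CONSUMER_KEY",
                                 "CONSUMER_SECRET", "alice", "password")
    print("token request:", req["url"], req["headers"]["Authorization"][:10] + "...")
    for reason in explain_forbidden(SAMPLE_URL_MAPPINGS, "GET", "APPLICATION_USER", True):
        print("possible cause:", reason)
```

Run it as-is to see the constructed GET /careplans resource (scheme Application) reject a user token while the POST resource (scheme Any) accepts it; feed `explain_forbidden` the real rows from the second answer's query and the token type reported by your key manager to narrow down which of the two checks is failing.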