我使用WSO2is 5.9,并且已按照如下所示在Deployment.toml中启用了scim工具:
[user_store]:
scim_enabled=true
我尝试使用此命令创建用户:
curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"[email protected]","password":"kimwso2","emails":[{"primary":true,"value":"[email protected]","type":"home"},{"value":"[email protected]","type":"work"}]}' --header "Content-Type:application/json" https://myidentity.com/scim2/Users
我的输出的一部分:
* upload completely sent off: 224 out of 224 bytes
< HTTP/1.1 401
如果我通过GET请求发送scim2,则会收到消息:
No service was found.
使用curl的另一个错误是:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Can not obtain carbon realm service..","status":"500"}* Closing connection 0
在WSO2日志中,我有:
ERROR {org.wso2.carbon.identity.scim2.provider.resources.AbstractResource} - Server error while handling the request. org.wso2.charon3.core.exceptions.CharonException
at org.wso2.carbon.identity.scim2.common.impl.IdentitySCIMManager.getUserManager(IdentitySCIMManager.java:124)
at org.wso2.carbon.identity.scim2.provider.resources.GroupResource.processRequest(GroupResource.java:439)
at org.wso2.carbon.identity.scim2.provider.resources.GroupResource.getGroup(GroupResource.java:305)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:193)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:225)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:607)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:92)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:93)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:146)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:116)
at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:853)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1587)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
URL https://myidentity.com/scim/Users可用于创建用户,但是我无法向新用户添加自定义声明。
由于您正在使用https://myidentity.com/scim2/Users端点,因此我们假定您正在尝试在超级租户中创建用户。
由于您使用电子邮件作为用户名,因此管理员用户名也应为emailusername。如果要在超级租户中创建用户,请使用以下命令。
curl -v -k --user [email protected]:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"[email protected]","password":"kimwso2","emails":[{"primary":true,"value":"[email protected]","type":"home"},{"value":"[email protected]","type":"work"}]}'
--header "Content-Type:application/json" https://localhost:9443/scim2/Users
由于您没有为超级管理员用户使用emailusername,因此收到401未经授权的错误。
如果您试图在承租人中创建用户,则管理员用户名应为emailusername,并附加相应的承租人。并且scim端点也应特定于租户。
当承租人为abc.com时给出一个示例:
curl -v -k --user [email protected]@abc.com:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"[email protected]","password":"kimwso2","emails":[{"primary":true,"value":"[email protected]","type":"home"},{"value":"[email protected]","type":"work"}]}'
--header "Content-Type:application/json" https://localhost:9443/t/abc.com/scim2/Users
您可以参考scim api文档以获取更多参考:https://is.docs.wso2.com/en/5.9.0/develop/using-the-scim-2.0-rest-apis/
似乎您已经使用了包含“ @”字符的用户名“ [email protected]”,并且Identity Server将此用户名解释为电子邮件地址。如果需要使用电子邮件地址作为用户名,则需要在Identity Server中启用电子邮件地址作为用户名。请参考[1]进行配置,并使用上面的curl命令,将[email protected]作为用户名来创建用户。如果您不需要使用电子邮件地址作为用户名,请尝试使用curl命令。
curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"kim","password":"kimwso2","emails":[{"primary":true,"value":"[email protected]","type":"home"},{"value":"[email protected]","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users
[1] https://is.docs.wso2.com/en/5.9.0/learn/using-email-address-as-the-username/