Wednesday, January 21, 2015

Use Account Lock feature to block user token generation

Overview

In this blog I will describe how we can block a user from getting a token. I am using API Manager 1.6.0 with the IS 4.6.0 features installed.

Use Case

Sometimes we need to block a user from performing any action for a temporary period. One such requirement is blocking token generation for the user. Removing the user's permissions is not enough, because the user can still perform some actions; for example, a blocked user will still get tokens via the token API. So the solution is to lock the user account.
The default APIM pack does not contain the account lock feature, so you need to install it together with the user profile feature to proceed. I have checked this with APIM 1.6.0 and the IS 4.6.0 features.

NOTE: You can install the IS 4.5.0 account lock feature in APIM 1.6.0, but after enabling clustering you will get issues. So I have decided to go with IS 4.6.0.

The installation and configuration steps for the new features follow.

Install features
==============================

Step 1

Log in to the API Manager node's management console from a browser as admin.

Step 2

Install the following features (if not already installed) into API Manager 1.6.0 from the
p2 repository (http://dist.wso2.org/p2/carbon/releases/turing/). Use the IS 4.6.0 versions of the features:

User Profiles 4.2.2
Claim Management 4.2.1
Account Recovery and Credential Management 4.2.2

Refer to [1] for installing features via the UI.

Step 3

Restart the node. Feature installation is now complete.

Configuration changes
===================================

Step 1

After installing the new features you will find identity-mgt.properties in the wso2am-1.6.0/repository/conf/security/ folder. Modify the following properties in identity-mgt.properties
on both servers as follows. Identity.Listener.Enable turns on the listener that enforces the lock at authentication time; note that the Authentication.Policy.Account.Lock.On.Failure* settings also lock an account automatically after the configured number of failed logins, in addition to the manual lock used below.

Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=7200
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=2
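In a cluster the lock is only enforced consistently if every node carries the same settings, so it is worth checking the files rather than trusting a manual edit. The following is an added example, not code from the original post or from WSO2: it parses Java .properties text, compares each node against the values listed above, and reports drift between two nodes. The two property files embedded below are constructed samples, and the second is deliberately misconfigured to show what a finding looks like.

```python
# Added example (not from the original post): verify identity-mgt.properties on each
# node against the settings the post requires, and flag drift between nodes.
# NODE_A and NODE_B are constructed samples, not copied from a real server.

REQUIRED = {
    "Identity.Listener.Enable": "true",
    "Notification.Sending.Enable": "true",
    "Notification.Expire.Time": "7200",
    "Notification.Sending.Internally.Managed": "true",
    "Authentication.Policy.Enable": "true",
    "Authentication.Policy.Account.Lock.On.Failure": "true",
    "Authentication.Policy.Account.Lock.On.Failure.Max.Attempts": "2",
    "Authentication.Policy.Account.Lock.Time": "2",
}


def parse_properties(text):
    """Minimal Java .properties parser: 'key=value' or 'key:value', '#'/'!' comment
    lines and blank lines ignored, later occurrences of a key override earlier ones."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java uses whichever separator appears first on the line
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx < 0:
            props[line] = ""
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_node(props):
    """Return {key: (expected, actual)} for every required setting that is missing
    or different; an empty dict means the node is configured as required."""
    findings = {}
    for key, expected in REQUIRED.items():
        actual = props.get(key)
        if actual is None or actual.lower() != expected.lower():
            findings[key] = (expected, actual)
    return findings


def node_drift(props_a, props_b):
    """Keys whose values differ between two nodes (a key missing on one side counts).
    Nodes that disagree enforce the lock inconsistently behind a load balancer."""
    keys = set(props_a) | set(props_b)
    return {k: (props_a.get(k), props_b.get(k))
            for k in sorted(keys) if props_a.get(k) != props_b.get(k)}


NODE_A = """\
# constructed sample: node 1, configured as the post describes
Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=7200
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=2
"""

NODE_B = """\
# constructed sample: node 2, listener left disabled and one key missing
Identity.Listener.Enable=false
Notification.Sending.Enable=true
Notification.Expire.Time=7200
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
"""

if __name__ == "__main__":
    a, b = parse_properties(NODE_A), parse_properties(NODE_B)
    for name, props in (("node1", a), ("node2", b)):
        for key, (want, got) in check_node(props).items():
            print(f"{name}: {key} expected {want!r}, found {got!r}")
    for key, (va, vb) in node_drift(a, b).items():
        print(f"drift: {key} node1={va!r} node2={vb!r}")
```

Run it with the real files by reading each node's identity-mgt.properties into `parse_properties`; a node with Identity.Listener.Enable unset or false will pass the login flow without ever consulting the lock.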

Step 2

Go to the Claim Management UI and mark the accountLocked claim (http://wso2.org/claims/identity/accountLocked) as "Supported by Default", so that it appears as a field in the user profile.


Step 3

Create a new user named testuser and grant it the subscriber permission. Then go to Users, select the required user (testuser),
go to User Profiles, set Account Locked to FALSE, and click Update.

Step 4

After this, restart the servers.

Test the scenario
===================================

Step 1

Log in as testuser and subscribe to any API.
Try to generate a token like this (the Basic value is the base64-encoded consumerKey:consumerSecret of the subscribed application, so substitute your own, and use the password you gave testuser):

curl -k -d "grant_type=password&username=testuser&password=test123&scope=PRODUCTION" \
  -H "Authorization: Basic b3ZKMEtvVGd4YlJ5c2dBSDVQdGZnOUpJSmtJYTpBVjVZVFJlQkNUaGREUWp2NU0wbUw2VHFkdjhh" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  https://localhost:9443/oauth2/token

You will get an access token and a refresh token in the response.

Step 2

Log in to the management console as admin.
Then go to Users, select the required user (testuser), go to User Profiles, set Account Locked to
TRUE, and click Update.

Step 3

Try to generate a token as in Step 1.
You will get the following message:
{"error":"invalid_grant","error_description":"Provided Authorization Grant is invalid."}
The locked user can no longer obtain tokens. Note that this only stops new tokens from being issued: any access token the user obtained before the lock stays valid until it expires or is revoked, so revoke it (or wait out the expiry) if the block must take effect immediately.
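To repeat the before/after check for several users or in a script, the same request can be driven from Python. The following is an added example, not code from the original post or from WSO2: it builds the Basic header from the consumer key and secret, posts the password grant and classifies the answer. The token URL, username, password, key and secret are parameters; the key/secret pair used in the test is the one encoded in the Authorization header of the curl command above.

```python
# Added example (not from the original post): post the same password grant as the
# curl command and classify the /oauth2/token response. Endpoint and credentials
# are parameters supplied by the caller.
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


def basic_auth_header(consumer_key, consumer_secret):
    """The token endpoint authenticates the application with HTTP Basic auth,
    i.e. base64(consumerKey:consumerSecret)."""
    raw = f"{consumer_key}:{consumer_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify_token_response(status, body):
    """Map an /oauth2/token response to (outcome, detail).
    A locked account comes back as invalid_grant, the same error a wrong password
    produces, so the endpoint does not tell the caller that the account is locked."""
    try:
        data = json.loads(body)
    except ValueError:
        return ("unexpected", f"HTTP {status}: non-JSON body")
    if status == 200 and "access_token" in data:
        return ("issued", data["access_token"])
    if "error" in data:
        return ("rejected", data["error"])
    return ("unexpected", f"HTTP {status}: {body[:80]}")


def request_token(token_url, username, password, consumer_key, consumer_secret,
                  scope="PRODUCTION", verify_tls=True):
    """POST a password grant and return (status, body). verify_tls=False mirrors
    curl -k for a local server with a self-signed certificate; keep it True elsewhere."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "username": username,
        "password": password, "scope": scope,
    }).encode("ascii")
    req = urllib.request.Request(token_url, data=form, method="POST", headers={
        "Authorization": basic_auth_header(consumer_key, consumer_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    })
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:  # 4xx responses carry the OAuth error JSON
        return e.code, e.read().decode("utf-8")


if __name__ == "__main__":
    import sys
    # usage: python token_check.py https://localhost:9443/oauth2/token testuser <password> <key> <secret>
    url, user, pw, key, secret = sys.argv[1:6]
    status, body = request_token(url, user, pw, key, secret, verify_tls=False)
    print(classify_token_response(status, body))
```

Run it once before and once after locking testuser: the first run should report `issued`, the second `rejected` with `invalid_grant`. The classifier deliberately does not try to distinguish a lock from a bad password, because the server does not expose that difference either.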


[1] https://docs.wso2.com/display/Carbon420/Installing+Features+via+the+UI
