1
votes

We are using WSO2 version 5.5.0. We have configured the API Manager, Publisher, Store and Identity Server. For unauthenticated users, we are using the client_credentials grant along with the device scope, so every browser session has its own access_token with a 60-minute token expiry time. With an unauthenticated user, we are able to load the application. While accessing other parts of the application (the not-logged-in flow), APIs start responding with an unauthorized (401) error. It fails at random times and for random APIs; it is not failing for a specific API call or at a specific time, it is completely random.

The token gets revoked automatically without any call from the front-end application. Please help us understand what could be wrong with our WSO2 configuration. What would be the steps to fix this issue?

Other details - what type of technical details will be required to help you understand the issue? This is how our setup looks:

1. API Manager is configured to publish all the APIs.
2. Our front-end application is in Angular 7.
3. For anonymous users, we are using the client_credentials grant with the device scope.
4. We receive the access_token and expiry time from the Identity Server and use it as a bearer token with every API call.
5. We are able to access the APIs only when we pass the request header: Authorization: Bearer {access_token}
6. We are noticing a 401 error while accessing the APIs, as our token state gets updated to Revoked in the database on its own (before the expiry time).
7. As per the link below, we checked our configuration for PoolSize and we are using the recommended value of 0. https://docs.wso2.com/display/IS530/Token+Persistence

1
API Manager response: <ams:fault xmlns:ams="wso2.org/apimanager/… Credentials</ams:message><ams:description>Access failure for API: /test-api/1.0, version: 1.0 status: (900901) - Invalid Credentials. Make sure you have given the correct access token</ams:description></ams:fault>
ms019

1 Answer

0
votes

If you generate access tokens from the Store portal, it revokes the previous token that was generated with the client_credentials grant type. So if someone does that from the UI, you can expect this behavior.
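Whatever revokes the token server-side, the client can at least recover from it instead of showing a broken screen: when the gateway returns the 900901 "Invalid Credentials" fault quoted in the comment, fetch a fresh client_credentials token once and retry the call; any other 401 goes back to the caller unchanged. Added example, not code from the question, the answer or WSO2; the endpoint URLs, client id/secret and the fetch stand-in are constructed placeholders, and the `<ams:code>` element is assumed to be present in the fault body (the parser falls back to the `status: (NNN)` text shown in the comment).

```javascript
// Added example (not the question's or WSO2's code); endpoints, credentials and fetch stand-in are constructed.
// Fault code from an APIM <ams:fault> body: <ams:code>NNN</ams:code> if present,
// otherwise the "status: (NNN)" text inside <ams:description>; null if neither.
function parseAmsFaultCode(body) {
  const m = /<ams:code>(\d+)<\/ams:code>/.exec(body) || /status:\s*\((\d+)\)/.exec(body);
  return m ? Number(m[1]) : null;
}
class ClientCredentialsClient {
  // opts: tokenEndpoint, clientId, clientSecret, scope, fetchFn (injected so it can run offline)
  constructor(opts) { Object.assign(this, opts, { token: null, tokenRequests: 0 }); }
  async getToken(force = false) {
    if (!force && this.token && Date.now() < this.token.expiresAt - 30000) return this.token.accessToken;
    this.tokenRequests += 1; // diagnostics: how often the token endpoint was hit
    const res = await this.fetchFn(this.tokenEndpoint, { method: "POST",
      headers: { Authorization: "Basic " + btoa(`${this.clientId}:${this.clientSecret}`),
                 "Content-Type": "application/x-www-form-urlencoded" },
      body: "grant_type=client_credentials&scope=" + encodeURIComponent(this.scope) });
    if (res.status !== 200) throw new Error(`token endpoint returned ${res.status}`);
    const json = JSON.parse(await res.text());
    this.token = { accessToken: json.access_token, expiresAt: Date.now() + json.expires_in * 1000 };
    return this.token.accessToken;
  }
  // Returns { status, body }; only a 401 with fault 900901 (invalid/revoked token) triggers one refresh and retry.
  async callApi(url, init = {}, retried = false) {
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${await this.getToken()}` };
    const res = await this.fetchFn(url, { ...init, headers });
    const body = await res.text();
    if (retried || res.status !== 401 || parseAmsFaultCode(body) !== 900901) return { status: res.status, body };
    await this.getToken(true); // gateway rejected the token: treat it as revoked and get a fresh one
    return this.callApi(url, init, true);
  }
}
// Constructed offline stand-in for fetch: the token endpoint hands out tok1 then tok2; the API
// rejects tok1 with the 900901 fault (as if it had been revoked) and accepts tok2.
const SAMPLE_FAULT = "<ams:fault><ams:code>900901</ams:code><ams:message>Invalid Credentials</ams:message>" +
  "<ams:description>Access failure for API: /test-api/1.0, version: 1.0 status: (900901) - Invalid Credentials.</ams:description></ams:fault>";
function fakeFetch() {
  let issued = 0;
  return async (url, init) => {
    if (url.endsWith("/token")) return { status: 200, text: async () => JSON.stringify({ access_token: `tok${++issued}`, expires_in: 3600 }) };
    const ok = init.headers.Authorization === "Bearer tok2";
    return { status: ok ? 200 : 401, text: async () => (ok ? '{"items":[]}' : SAMPLE_FAULT) };
  };
}
async function demo() {
  const client = new ClientCredentialsClient({ tokenEndpoint: "https://is.example/oauth2/token",
    clientId: "app", clientSecret: "secret", scope: "device", fetchFn: fakeFetch() });
  const { status } = await client.callApi("https://gw.example/test-api/1.0/items");
  return { status, tokenRequests: client.tokenRequests }; // → { status: 200, tokenRequests: 2 }
}
```

In the Angular app this sits behind an HTTP interceptor with `fetchFn` bound to the real `fetch`; the single-retry guard keeps a genuinely bad client secret from looping against the token endpoint.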