IBM Support

apicops-v10 detect-invalid-oauth-providers: Detect OAuth API Security Definitions check failed

Question & Answer


Question

When performing an apicops pre-upgrade check, we encounter the following error:

** Checking for Invalid OAuth APIs with securityDefinitions object **
Command: apicops-v10 detect-invalid-oauth-providers
*****************************
Error: APIC_APICOPS_1002E - The following OAuth Providers where found to contain a securityDefinitions object. 

Remove securityDefinitions object from the OAuth providers:
"subin-oauth-provider1: /api/orgs/<id>/oauth-providers/<id>"
"subin-oauth-provider-store: /api/orgs/<id>/oauth-providers/<id>"
"subin-oauth-provider2: /api/orgs/<id>/oauth-providers/<id>"
Detect OAuth API Security Definitions check failed.
Can we safely delete these securityDefinitions from the mentioned OAuth providers, and if so, how do we do that?

Answer

Yes, you can delete them. Here is a detailed explanation:

In both the version 2018 and version 10 architectures, an OAuth provider is a resource, and as a resource it ignores security definitions and security schemes. Conceptually, the OAuth provider itself does not need additional protection because the OAuth flow dictates how the resource owner is authorized and how tokens are issued or validated. Therefore, security definitions and security schemes do not serve any purpose.

There were some UI and validation defects that caused unexpected problems with maintaining the provider. The defect imposed a requirement that the API key definition and corresponding security scheme properly define the header name, even though the requirement itself would be ignored.

To avoid these issues, it was decided to strip the definition and scheme from the OAuth provider altogether.

We have tested this code and do not anticipate any issues: because security definitions and schemes are currently ignored, removing them should pose no issues. However, if any issue related to this topic does occur, rolling back to the previous version is recommended.

Note that when removing them, both the security definition and the security scheme that refers to that definition must be removed. In fact, all security definitions and security schemes should be removed.

You can use the --fix flag to delete them. The release notes at https://github.com/ibm-apiconnect/apicops/releases for apicops-v10 version 0.10.71 state:

"Improved upgrade:detect-invalid-oauth-apis command detects security and securityDefinitions objects in OAuth providers, and includes a --fix flag to update the OAuth providers in the database."

If the pre-upgrade check was not executed, the upgrade will fail with the following errors. The fix is to run the command with the same --fix flag, which deletes the invalid entries; the upgrade then continues automatically.

For version 10.0.5.6:
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate 2024-03-26T18:35:53.815Z upgrade:upgrade [00000000-0000-0000-0000-000000000000] Error while upgrading step : 383: {"status":400,"message":["The OAuth provider contains an OpenAPI definition with validation errors."],"errors":["The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used."]}
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate 2024-03-26T18:35:53.816Z sql [00000000-0000-0000-0000-000000000000] [-1699719620] rollbackTransaction
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate 2024-03-26T18:35:53.823Z sql [00000000-0000-0000-0000-000000000000] [-1699719620] releaseConnection
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate Microservice startup failed because of error:  {
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate   status: 400,
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate   message: [
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate     'The OAuth provider contains an OpenAPI definition with validation errors.'
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate   ],
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate   errors: [
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate     "The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used."
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate   ]
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate }
management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate   - stack trace: {"status":400,"message":["The OAuth provider contains an OpenAPI definition with validation errors."],"errors":["The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used."]}
For version 10.0.7.0:
2024-02-02T14:34:39.649Z apim:error [00000000-0000-0000-0000-000000000000] error validating oai doc with extension: {"status":400,"message":["The OAuth provider contains an OpenAPI definition with validation errors."],"errors":["The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used."]}
2024-02-02T14:34:39.656Z bhendi:error [00000000-0000-0000-0000-000000000000] Error in PATCH patch:/api/orgs/:org/oauth-providers/:oauthprovider (oauth_provider.js:update)
  - status : 400
  - message: The OAuth provider contains an OpenAPI definition with validation errors.
  - stack  : Error: The OAuth provider contains an OpenAPI definition with validation errors.
    at error (/app/node_modules/@apic/apic-util/src/util.js:841:11)
    at OauthProvider.validateOPNativeProvider (/routes/oauth_provider.js:966:23)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at OauthProvider.validateOauthProvider (/routes/oauth_provider.js:873:13)
    at OauthProvider.updatePreHook (/routes/oauth_provider.js:232:9)
    at async OauthProvider.update (/app/node_modules/bhendi/lib/controller.js:2314:9)
    at async dispatch (/app/node_modules/bhendi/mw/dispatcher.js:411:20)
    at async Array.<anonymous> (/app/node_modules/bhendi/mw/dispatcher.js:325:9)
  - errors : The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used.: {"status":400,"message":["The OAuth provider contains an OpenAPI definition with validation errors."],"errors":["The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used."]}
2024-02-02T14:34:39.656Z bhendi:error [00000000-0000-0000-0000-000000000000] invoker::invoke, error for call to patch /orgs/7738bc32-c663-43a3-b24d-94d767c309ec/oauth-providers/a4920041-b254-417a-9fe1-d1363ff75cad (operation id: oauth_provider_update): {"status":400,"message":["The OAuth provider contains an OpenAPI definition with validation errors."],"errors":["The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used."]}
2024-02-02T14:34:39.657Z upgrade:upgrade [00000000-0000-0000-0000-000000000000] Error while upgrading step : 604: {"status":400,"message":["The OAuth provider contains an OpenAPI definition with validation errors."],"errors":["The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used."]}
2024-02-02T14:34:39.657Z sql [00000000-0000-0000-0000-000000000000] [43469] rollbackTransaction
2024-02-02T14:34:39.658Z sql [00000000-0000-0000-0000-000000000000] [43469] releaseConnection
Microservice startup failed because of error:  {
  status: 400,
  message: [
    'The OAuth provider contains an OpenAPI definition with validation errors.'
  ],
  errors: [
    "The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used."
  ]
}
  - stack trace: {"status":400,"message":["The OAuth provider contains an OpenAPI definition with validation errors."],"errors":["The value of 'name' property in the security definition 'clientIdHeader' for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' or 'X-IBM-Client-Secret' if 'x-key-type' is not used."]}
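
The following Python code is an added example, not part of the IBM document or of apicops: it scans management upgrade logs for the failure signature shown above and reports the failing upgrade step, the offending security definition name, and the org and provider IDs from the PATCH line. The function name triage and the sample log (lines shortened from the excerpts above, plus one constructed unrelated failure) are assumptions.

```python
import json
import re

SIGNATURE = "The OAuth provider contains an OpenAPI definition with validation errors."
STEP_RE = re.compile(r"Error while upgrading step : (\d+): (\{.*\})\s*$")
PATCH_RE = re.compile(r"call to patch /orgs/([0-9a-f-]+)/oauth-providers/([0-9a-f-]+)")
DEF_RE = re.compile(r"security definition '([^']+)'")


def triage(log_text):
    """Collect upgrade steps, providers and definitions tied to the OAuth failure."""
    steps, providers, definitions = [], set(), set()
    for line in log_text.splitlines():
        step = STEP_RE.search(line)
        if step:
            try:
                payload = json.loads(step.group(2))
            except ValueError:
                continue  # truncated or wrapped log line: skip rather than guess
            # Only count steps that failed with this signature, not other errors.
            if SIGNATURE in payload.get("message", []):
                steps.append(int(step.group(1)))
                for err in payload.get("errors", []):
                    definitions.update(DEF_RE.findall(err))
        patch = PATCH_RE.search(line)
        if patch and SIGNATURE in line:
            providers.add(patch.groups())  # (org id, oauth provider id)
    return {"steps": steps, "providers": sorted(providers),
            "definitions": sorted(definitions)}


# Constructed sample: lines shortened from the excerpts above, plus one unrelated failure.
ERR_JSON = json.dumps({"status": 400, "message": [SIGNATURE], "errors": [
    "The value of 'name' property in the security definition 'clientIdHeader' "
    "for a 'type' property with value 'header' must be either 'X-IBM-Client-Id' "
    "or 'X-IBM-Client-Secret' if 'x-key-type' is not used."]})
SAMPLE_LOG = "\n".join([
    "2024-02-02T14:34:39.656Z bhendi:error [0] invoker::invoke, error for call to patch "
    "/orgs/7738bc32-c663-43a3-b24d-94d767c309ec/oauth-providers/"
    "a4920041-b254-417a-9fe1-d1363ff75cad (operation id: oauth_provider_update): " + ERR_JSON,
    "2024-02-02T14:34:39.657Z upgrade:upgrade [0] Error while upgrading step : 604: " + ERR_JSON,
    "management-up-apim-data-populate-381-to-385-c1b1e1f4-nfxr6 apim-data-populate "
    "2024-03-26T18:35:53.815Z upgrade:upgrade [0] Error while upgrading step : 383: " + ERR_JSON,
    "2024-01-01T00:00:00.000Z upgrade:upgrade [0] Error while upgrading step : 101: "
    '{"status":500,"message":["unrelated failure"]}',
])

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The provider IDs only appear in the 10.0.7.0 log format; for the 10.0.5.6 format the step number and definition name are what the log gives you.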


Document Information

Modified date:
09 July 2024

UID

ibm17159870