+ Dev

On Mon, Jul 23, 2018 at 6:32 PM, Chamin Dias <cham...@wso2.com> wrote:

> Hi all,
>
> 1. When testing JWT with APIM 2.5.0 + ISKM 5.6.0 + Micro-GW 2.5.0, we
> faced an issue.
>
> *Setup details : Single node APIM Server (no port offset), ISKM (port
> offset 1), Default Micro-GW*
>
> 2. The issuer (iss) is picked from the <RevokeAPIURL> of api-manager.xml
> in ISKM pack after replacing "/revoke" -> "/token". The default value in
> ISKM pack is : https://localhost:${https.nio.port}/revoke
>
> 3. However, when consuming an API with a JWT token, the Micro-GW shows the
> below error.
>
> ERROR [ballerina/http] - Error while validating JWT token  : {message:"No
> Registered IDP found for the JWT with issuer name : https://localhost:
> ${https.nio.port}/token
>
> 4. When we decode the JWT (using https://jwt.io/), we found the "iss" as
> follows. (${https.nio.port} has not been resolved properly)
>
> "iss": "https://localhost:${https.nio.port}/token"
>
> 5. Then we edited the <RevokeAPIURL> of api-manager.xml in ISKM pack as
> follows.
>
> <RevokeAPIURL>https://localhost:8243/revoke</RevokeAPIURL>
>
> *Note* : In micro-gw.conf of Micro-GW 2.5.0, we have the following.
>
> [jwtTokenConfig]
> issuer="https://localhost:8243/token"
> audience="http://org.wso2.apimgt/gateway"
> certificateAlias="wso2apim"
> trustStore.path="${ballerina.home}/bre/security/ballerinaTruststore.p12"
> trustStore.password="ballerina"
>
> 6. Then, after repeating the process, the API invocation was fine.
>
> According to the spec (https://tools.ietf.org/html/rfc7519#section-4.1.1),
> "iss" claim identifies the principal that issued the JWT. There is
> another option for this, which is the URL from IS "https://localhost:9444/
> oauth2/token". But having this in the JWT token can expose the IS
> internal oauth2 token URL.
>
> So shall we go with the https://localhost:8243 approach?
>
> In both cases, we need to hardcode the <RevokeAPIURL> as the port
> property is not resolved properly in a non-Synapse (IS) environment.
>
> Please share your thoughts.
>
> (Isuru/Malintha/Fazlan - Please add if I have missed anything.)
>
> Thanks.
>
> --
> Chamin Dias
> Mobile : 0716097455
> Email : cham...@wso2.com
> LinkedIn : https://www.linkedin.com/in/chamindias
>
>


-- 
Malintha Amarasinghe
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/

Mobile : +94 712383306
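As an added illustration (not code from the thread or from WSO2), a small Python check of the kind the gateway performs on the "iss" claim, using the issuer and audience values from the [jwtTokenConfig] fragment quoted above; it separates the unresolved ${https.nio.port} case from a genuinely unregistered issuer. Signature verification against the trust store certificate is assumed to happen in a separate step and is not shown.

```python
import base64
import json
import re

# Values a gateway would load from [jwtTokenConfig] in micro-gw.conf
# (taken from the thread above).
EXPECTED_ISSUER = "https://localhost:8243/token"
EXPECTED_AUDIENCE = "http://org.wso2.apimgt/gateway"

# Matches a property placeholder that was never substituted, e.g. ${https.nio.port}
UNRESOLVED = re.compile(r"\$\{[^}]+\}")


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_issuer(token: str) -> str:
    """Classify why the issuer check would reject a token, or return 'ok'."""
    claims = jwt_claims(token)
    iss = claims.get("iss")
    if iss is None:
        return "missing-iss"
    if UNRESOLVED.search(iss):
        return "unresolved-placeholder"   # ${https.nio.port} left in the claim
    if iss != EXPECTED_ISSUER:
        return "unknown-issuer"           # the "No Registered IDP found" case
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if aud is not None and EXPECTED_AUDIENCE not in aud_list:
        return "audience-mismatch"
    return "ok"


def make_sample_token(claims: dict) -> str:
    """Build a constructed token for illustration: real header, given claims,
    and a placeholder signature segment (this example never verifies it)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"
```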
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
