IMO the "iss" claim should be a configurable value. Reusing some other
config such as the Revoke URL is not correct.

IINM, when I went through the code I noticed that we use the same code to
generate backend JWT's "iss" as well as /token API JWT's "iss". So whatever
change we do has to be made in a backwards compatible way so that we don't
break existing applications.

On Mon, Jul 23, 2018 at 6:08 AM Malintha Amarasinghe <[email protected]>
wrote:

> + Dev
>
> On Mon, Jul 23, 2018 at 6:32 PM, Chamin Dias <[email protected]> wrote:
>
>> Hi all,
>>
>> 1. When testing JWT with APIM 2.5.0 + ISKM 5.6.0 + Micro-GW 2.5.0, we
>> faced an issue.
>>
>> *Setup details : Single node APIM Server (no port offset), ISKM (port
>> offset 1), Default Micro-GW*
>>
>> 2. The issuer (iss) is picked from the <RevokeAPIURL> of api-manager.xml
>> in ISKM pack after replacing "/revoke" -> "/token". The default value in
>> ISKM pack is : https://localhost:${https.nio.port}/revoke
>>
>> 3. However, when consuming an API with a JWT token, the Micro-GW shows
>> the below error.
>>
>> ERROR [ballerina/http] - Error while validating JWT token  : {message:"No
>> Registered IDP found for the JWT with issuer name : https://localhost:
>> ${https.nio.port}/token
>>
>> 4. When we decode the JWT (using https://jwt.io/), we found the "iss" as
>> follows. (${https.nio.port} has not been resolved properly)
>>
>> "iss": "https://localhost:${https.nio.port}/token"
>>
>> 5. Then we edited the <RevokeAPIURL> of api-manager.xml in ISKM pack as
>> follows.
>>
>> <RevokeAPIURL>https://localhost:8243/revoke</RevokeAPIURL>
>>
>> *Note* : In micro-gw.conf of Micro-GW 2.5.0, we have the following.
>>
>> [jwtTokenConfig]
>> issuer="https://localhost:8243/token"
>> audience="http://org.wso2.apimgt/gateway"
>> certificateAlias="wso2apim"
>> trustStore.path="${ballerina.home}/bre/security/ballerinaTruststore.p12"
>> trustStore.password="ballerina"
>>
>> 6. Then, after repeating the process, the API invocation was fine.
>>
>> According to the spec (https://tools.ietf.org/html/rfc7519#section-4.1.1),
>> "iss" claim identifies the principal that issued the JWT. There is
>> another option for this, which is the URL from IS
>> "https://localhost:9444/oauth2/token". But having this in the JWT token
>> can expose the IS internal oauth2 token URL.
>>
>> So shall we go with the https://localhost:8243 approach?
>>
>> In both cases, we need to hardcode the <RevokeAPIURL> as the port
>> property is not resolved properly in non-synapse(IS) environment.
>>
>> Please share your thoughts.
>>
>> (Isuru/Malintha/Fazlan - Please add if I have missed anything.)
>>
>> Thanks.
>>
>> --
>> Chamin Dias
>> Mobile : 0716097455
>> Email : [email protected]
>> LinkedIn : https://www.linkedin.com/in/chamindias
>>
>>
>
>
> --
> Malintha Amarasinghe
> *WSO2, Inc. - lean | enterprise | middleware*
> http://wso2.com/
>
> Mobile : +94 712383306
>


-- 
Nuwan Dias

Director - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
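As an added illustration (not WSO2 code, and not from any message in this thread), the check the Micro-GW is performing in step 3 reduced to a few lines of Python: the key-manager side derives "iss" from <RevokeAPIURL> by the /revoke -> /token replacement, the gateway side registers the issuer from [jwtTokenConfig] and rejects any JWT whose "iss" is not an exact match, and the unresolved ${https.nio.port} case from step 4 is flagged explicitly. HS256 with a constructed secret stands in for the real certificateAlias/truststore setup.

```python
"""Constructed example: issuer derivation and gateway-side issuer validation."""
import base64
import hashlib
import hmac
import json
import re

SECRET = b"constructed-demo-secret"      # stand-in for the real signing key
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")  # matches e.g. ${https.nio.port}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issuer_from_revoke_url(revoke_url: str) -> str:
    """Key-manager side: "iss" is <RevokeAPIURL> with /revoke replaced by /token."""
    return revoke_url.replace("/revoke", "/token")


def mint_jwt(iss: str, sub: str = "admin") -> str:
    """Build a minimal HS256 JWT carrying the given issuer (constructed claims)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": iss, "sub": sub}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_jwt(token: str, registered_issuers: set) -> dict:
    """Gateway side: verify the signature first, then require an exact issuer match."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_b64url_decode(payload))
    iss = claims.get("iss") or ""
    # A literal ${...} in the issuer means the key manager never resolved the
    # property; surface that instead of the generic "No Registered IDP" message.
    if PLACEHOLDER.search(iss):
        raise ValueError(f"issuer contains unresolved placeholder: {iss}")
    if iss not in registered_issuers:
        raise ValueError(f"No Registered IDP found for the JWT with issuer name : {iss}")
    return claims
```

The registered set corresponds to the issuer= line of [jwtTokenConfig]; a token minted from the default `https://localhost:${https.nio.port}/revoke` fails the placeholder check, while one minted from the hardcoded `https://localhost:8243/revoke` passes.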
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
