Do we know how IS generates the "iss" when issuing JWT tokens? We should
try to leverage that so that we maintain consistency. Again, by making it
backwards compatible too.

On Mon, Jul 23, 2018 at 11:01 PM Malintha Amarasinghe <malint...@wso2.com>
wrote:

> Hi Nuwan,
>
> We can use a new config under <JWTConfiguration>. If it is not specified,
> we can use the config from <RevokeAPIURL>. We can make that config
> commented out when shipping. Also, the shipped (default) value can be added
> as the token API URL (The same existing value). From these,
> existing customers using backend JWT (not doing any changes here) won't
> break.
>
> Do we allow using two different "iss" values for JWT access token and
> backend JWT? In both cases, the issuer is the same, so ideally we can use
> the same config. But anyone changing this value should be aware that it
> will change both "iss" values.
>
> Thanks!
>
> On Mon, Jul 23, 2018 at 6:45 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>
>> IMO the "iss" claim should be a configurable value. Reusing some other
>> config such as the Revoke URL is not correct.
>>
>> IINM, when I went through the code I noticed that we use the same code to
>> generate backend JWT's "iss" as well as /token API JWT's "iss". So whatever
>> change we do has to be made in a backwards compatible way so that we don't
>> break existing applications.
>>
>> On Mon, Jul 23, 2018 at 6:08 AM Malintha Amarasinghe <malint...@wso2.com>
>> wrote:
>>
>>> + Dev
>>>
>>> On Mon, Jul 23, 2018 at 6:32 PM, Chamin Dias <cham...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> 1. When testing JWT with APIM 2.5.0 + ISKM 5.6.0 + Micro-GW 2.5.0, we
>>>> faced an issue.
>>>>
>>>> *Setup details : Single node APIM Server (no port offset), ISKM (port
>>>> offset 1), Default Micro-GW*
>>>>
>>>> 2. The issuer (iss) is picked from the <RevokeAPIURL> of
>>>> api-manager.xml in ISKM pack after replacing "/revoke" -> "/token". The
>>>> default value in ISKM pack is : https://localhost:${https.nio.port}/revoke
>>>>
>>>> 3. However, when consuming an API with a JWT token, the Micro-GW shows
>>>> the below error.
>>>>
>>>> ERROR [ballerina/http] - Error while validating JWT token  :
>>>> {message:"No Registered IDP found for the JWT with issuer name :
>>>> https://localhost:${https.nio.port}/token
>>>>
>>>> 4. When we decode the JWT (using https://jwt.io/), we found the "iss"
>>>> as follows. (${https.nio.port} has not been resolved properly)
>>>>
>>>> "iss": "https://localhost:${https.nio.port}/token"
>>>>
>>>> 5. Then we edited the <RevokeAPIURL> of api-manager.xml in ISKM pack
>>>> as follows.
>>>>
>>>> <RevokeAPIURL>https://localhost:8243/revoke</RevokeAPIURL>
>>>>
>>>> *Note* : In micro-gw.conf of Micro-GW 2.5.0, we have the following.
>>>>
>>>> [jwtTokenConfig]
>>>> issuer="https://localhost:8243/token"
>>>> audience="http://org.wso2.apimgt/gateway"
>>>> certificateAlias="wso2apim"
>>>> trustStore.path="${ballerina.home}/bre/security/ballerinaTruststore.p12"
>>>> trustStore.password="ballerina"
>>>>
>>>> 6. Then, after repeating the process, the API invocation was fine.
>>>>
>>>> According to the spec (
>>>> https://tools.ietf.org/html/rfc7519#section-4.1.1), "iss" claim
>>>> identifies the principal that issued the JWT. There is another option
>>>> for this, which is the URL from IS "https://localhost:9444/oauth2/token".
>>>> But having this in the JWT token can expose the IS internal oauth2
>>>> token URL.
>>>>
>>>> So shall we go with the https://localhost:8243 approach?
>>>>
>>>> In both cases, we need to hardcode the <RevokeAPIURL> as the port
>>>> property is not resolved properly in a non-Synapse (IS) environment.
>>>>
>>>> Please share your thoughts.
>>>>
>>>> (Isuru/Malintha/Fazlan - Please add if I have missed anything.)
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>> Chamin Dias
>>>> Mobile : 0716097455
>>>> Email : cham...@wso2.com
>>>> LinkedIn : https://www.linkedin.com/in/chamindias
>>>>
>>>>
>>>
>>>
>>> --
>>> Malintha Amarasinghe
>>> *WSO2, Inc. - lean | enterprise | middleware*
>>> http://wso2.com/
>>>
>>> Mobile : +94 712383306
>>>
>>
>>
>> --
>> Nuwan Dias
>>
>> Director - WSO2, Inc. http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>>
>
>
>
> --
> Malintha Amarasinghe
> *WSO2, Inc. - lean | enterprise | middleware*
> http://wso2.com/
>
> Mobile : +94 712383306
>


-- 
Nuwan Dias

Director - WSO2, Inc. http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
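Added illustration of the mechanism discussed in this thread (example code, not from the thread, WSO2, APIM, IS or the Micro-GW): the key-manager side derives "iss" from <RevokeAPIURL> by resolving ${...} properties and swapping the trailing "/revoke" for "/token", and the gateway side looks the token's "iss" up by exact string match against the issuer in [jwtTokenConfig]. The helper names, the props map used for property resolution, the conf parser and the sample token are assumptions constructed for the demo. The one security point the code adds to the thread is to fail closed: an unresolved "${https.nio.port}" must never be issued as a claim, and a token carrying one must be rejected rather than registered. Signature verification against the gateway trust store is out of scope here and must happen before any claim is trusted.

```python
import base64
import json
import re

# Placeholders of the form ${name}, as in the shipped
# <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve_placeholders(value: str, props: dict) -> str:
    """Substitute ${name} from props (an assumed property map). Fail closed on an
    unknown name instead of letting a literal '${https.nio.port}' leak into a claim."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in props:
            raise ValueError(f"unresolved property in config value: {name}")
        return str(props[name])
    return PLACEHOLDER.sub(substitute, value)


def issuer_from_revoke_url(revoke_url: str, props: dict) -> str:
    """Derive 'iss' the way the thread describes: resolve the RevokeAPIURL,
    then replace the trailing '/revoke' with '/token'."""
    resolved = resolve_placeholders(revoke_url, props)
    if not resolved.endswith("/revoke"):
        raise ValueError(f"RevokeAPIURL does not end with /revoke: {resolved}")
    return resolved[: -len("/revoke")] + "/token"


def registered_issuer_from_conf(conf_text: str) -> str:
    """Pull issuer="..." out of the [jwtTokenConfig] section of a micro-gw.conf
    style file. Minimal line-based parse; a hypothetical helper, not the gateway's."""
    in_section = False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[jwtTokenConfig]"
            continue
        if in_section:
            m = re.fullmatch(r'issuer\s*=\s*"([^"]*)"', line)
            if m:
                return m.group(1)
    raise ValueError("no issuer in [jwtTokenConfig]")


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token for the demo only: header.payload with an empty
    signature segment. A real gateway verifies the signature against the trust
    store (certificateAlias) before reading any claim; this example skips that."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_issuer(token: str, registered_issuers: set) -> tuple:
    """Reproduce the gateway's issuer lookup: exact string match of 'iss'
    (scheme, host, port and path) against registered issuers. Returns (ok, detail)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed JWT: expected three segments"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "malformed JWT payload"
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return False, "missing iss claim"
    if PLACEHOLDER.search(iss):
        # The failure from the thread: the key manager emitted an unresolved property.
        return False, f"unresolved placeholder in iss: {iss}"
    if iss not in registered_issuers:
        return False, f"No Registered IDP found for the JWT with issuer name : {iss}"
    return True, iss


# Constructed inputs mirroring the thread (not captured from a real deployment).
MICRO_GW_CONF = '''
[jwtTokenConfig]
issuer="https://localhost:8243/token"
audience="http://org.wso2.apimgt/gateway"
certificateAlias="wso2apim"
'''
SHIPPED_REVOKE_URL = "https://localhost:${https.nio.port}/revoke"

if __name__ == "__main__":
    registered = {registered_issuer_from_conf(MICRO_GW_CONF)}
    # Broken case: the property was never resolved, so the literal placeholder is issued.
    bad = make_unsigned_token({"iss": "https://localhost:${https.nio.port}/token"})
    print(check_issuer(bad, registered))
    # Fixed case: resolve against the gateway port (or hardcode 8243 as in the thread).
    iss = issuer_from_revoke_url(SHIPPED_REVOKE_URL, {"https.nio.port": 8243})
    print(check_issuer(make_unsigned_token({"iss": iss}), registered))
```

Running the block prints the rejection for the unresolved-placeholder token first, then the accepted lookup once the URL resolves to https://localhost:8243/token. The issuer comparison is a plain string match on purpose: a token whose "iss" is the IS-internal https://localhost:9444/oauth2/token will be rejected by a gateway registered for the 8243 value, which is the consistency problem Nuwan's last message is asking about.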