Looks like they are using the "IDTokenIssuerID" from identity.xml. If it is
not specified, it uses the token API URL (https://localhost:9443/oauth2/token).
<IDTokenIssuerID>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</IDTokenIssuerID>
[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.0.14/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L966-L972
On Tue, Jul 24, 2018 at 11:36 AM, Nuwan Dias <[email protected]> wrote:
> Do we know how IS generates the "iss" when issuing JWT tokens? We should
> try to leverage that so that we maintain consistency. Again, by making it
> backwards compatible too.
>
> On Mon, Jul 23, 2018 at 11:01 PM Malintha Amarasinghe <[email protected]>
> wrote:
>
>> Hi Nuwan,
>>
>> We can use a new config under <JWTConfiguration>. If it is not specified,
>> we can use the config from <RevokeAPIURL>. We can make that config
>> commented out when shipping. Also, the shipped (default) value can be added
>> as the token API URL (The same existing value). From these,
>> existing customers using backend JWT (not doing any changes here) won't
>> break.
>>
>> Do we allow using two different "iss" values for JWT access token and
>> backend JWT? In both cases, the issuer is the same, so ideally we can use
>> the same config. But anyone changing this value should be aware that it
>> will change both "iss" values.
>>
>> Thanks!
>>
>> On Mon, Jul 23, 2018 at 6:45 PM, Nuwan Dias <[email protected]> wrote:
>>
>>> IMO the "iss" claim should be a configurable value. Reusing some other
>>> config such as the Revoke URL is not correct.
>>>
>>> IINM, when I went through the code I noticed that we use the same code
>>> to generate backend JWT's "iss" as well as /token API JWT's "iss". So
>>> whatever change we do has to be made in a backwards compatible way so that
>>> we don't break existing applications.
>>>
>>> On Mon, Jul 23, 2018 at 6:08 AM Malintha Amarasinghe <[email protected]>
>>> wrote:
>>>
>>>> + Dev
>>>>
>>>> On Mon, Jul 23, 2018 at 6:32 PM, Chamin Dias <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> 1. When testing JWT with APIM 2.5.0 + ISKM 5.6.0 + Micro-GW 2.5.0, we
>>>>> faced an issue.
>>>>>
>>>>> *Setup details : Single node APIM Server (no port offset), ISKM (port
>>>>> offset 1), Default Micro-GW*
>>>>>
>>>>> 2. The issuer (iss) is picked from the <RevokeAPIURL> of
>>>>> api-manager.xml in ISKM pack after replacing "/revoke" -> "/token". The
>>>>> default value in ISKM pack is : https://localhost:${https.nio.port}/revoke
>>>>>
>>>>> 3. However, when consuming an API with a JWT token, the Micro-GW shows
>>>>> the below error.
>>>>>
>>>>> ERROR [ballerina/http] - Error while validating JWT token :
>>>>> {message:"No Registered IDP found for the JWT with issuer name :
>>>>> https://localhost:${https.nio.port}/token
>>>>>
>>>>> 4. When we decode the JWT (using https://jwt.io/), we found the "iss"
>>>>> as follows. (${https.nio.port} has not been resolved properly)
>>>>>
>>>>> "iss": "https://localhost:${https.nio.port}/token"
>>>>>
>>>>> 5. Then we edited the <RevokeAPIURL> of api-manager.xml in ISKM pack
>>>>> as follows.
>>>>>
>>>>> <RevokeAPIURL>https://localhost:8243/revoke</RevokeAPIURL>
>>>>>
>>>>> *Note* : In micro-gw.conf of Micro-GW 2.5.0, we have the following.
>>>>>
>>>>> [jwtTokenConfig]
>>>>> issuer="https://localhost:8243/token"
>>>>> audience="http://org.wso2.apimgt/gateway"
>>>>> certificateAlias="wso2apim"
>>>>> trustStore.path="${ballerina.home}/bre/security/ballerinaTruststore.p12"
>>>>> trustStore.password="ballerina"
>>>>>
>>>>> 6. Then, after repeating the process, the API invocation was fine.
>>>>>
>>>>> According to the spec (https://tools.ietf.org/html/rfc7519#section-4.1.1),
>>>>> the "iss" claim identifies the principal that
>>>>> issued the JWT. There is another option for this, which is the URL
>>>>> from IS "https://localhost:9444/oauth2/token". But having this in the
>>>>> JWT token can expose the IS internal oauth2 token URL.
>>>>>
>>>>> So shall we go with the https://localhost:8243 approach?
>>>>>
>>>>> In both cases, we need to hardcode the <RevokeAPIURL> as the port
>>>>> property is not resolved properly in a non-Synapse (IS) environment.
>>>>>
>>>>> Please share your thoughts.
>>>>>
>>>>> (Isuru/Malintha/Fazlan - Please add if I have missed anything.)
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Chamin Dias
>>>>> Mobile : 0716097455
>>>>> Email : [email protected]
>>>>> LinkedIn : https://www.linkedin.com/in/chamindias
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Malintha Amarasinghe
>>>> *WSO2, Inc. - lean | enterprise | middleware*
>>>> http://wso2.com/
>>>>
>>>> Mobile : +94 712383306
>>>>
>>>
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Director - WSO2, Inc. http://wso2.com
>>> email : [email protected]
>>> Phone : +94 777 775 729
>>>
>>
>>
>>
>> --
>> Malintha Amarasinghe
>> *WSO2, Inc. - lean | enterprise | middleware*
>> http://wso2.com/
>>
>> Mobile : +94 712383306
>>
>
>
> --
> Nuwan Dias
>
> Director - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729
>
--
Malintha Amarasinghe
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/
Mobile : +94 712383306
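Added example to illustrate the two sides of the "iss" problem discussed in this thread; it is not code from the thread, from WSO2 IS, or from the Micro-GW. The key manager side refuses to mint a token whose configured issuer still contains an unresolved `${...}` property, and the gateway side rejects a token whose "iss" does not match a registered IDP (the Micro-GW error above), then verifies the signature with that IDP's key. The HS256 secret and the claim values are constructed for the example; the real components use asymmetric keys and a truststore alias.

```python
import base64, hashlib, hmac, json, re

PLACEHOLDER = re.compile(r"\$\{[^}]+\}")  # matches e.g. ${https.nio.port}

def resolve_issuer(template: str, properties: dict) -> str:
    """Expand ${name} placeholders in the configured issuer (key-manager side).
    Raise instead of issuing a token whose 'iss' still carries a raw placeholder,
    which is what produced https://localhost:${https.nio.port}/token above."""
    def sub(m):
        name = m.group(0)[2:-1]
        if name not in properties:
            raise ValueError(f"unresolved property {m.group(0)} in issuer")
        return str(properties[name])
    return PLACEHOLDER.sub(sub, template)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token for the example (IS itself signs with RS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_jwt(token: str, registered_issuers: dict) -> dict:
    """Gateway-side check: look up the IDP by the token's 'iss' claim, then
    verify the signature with that IDP's key. Unknown issuers are rejected
    before any cryptography runs, mirroring the Micro-GW error in the thread."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # no alg confusion
    claims = json.loads(b64url_decode(payload))
    iss = claims.get("iss")
    if iss not in registered_issuers:
        raise ValueError(f"No Registered IDP found for the JWT with issuer name : {iss}")
    expected = hmac.new(registered_issuers[iss], f"{header}.{payload}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature verification failed")
    return claims
```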
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev