Yes +1, and shall we change the configured value in identity.xml to gateway token endpoint? Because otherwise, it will use the default ( https://localhost:9443/oauth2/token) and we are exposing the IS token endpoint to outside. And as we have already registered gateway as the issuer in MG configs, we will have to change there as well if we use the default IS value.
Thanks! On Tue, Jul 24, 2018 at 11:53 AM, Nuwan Dias <nuw...@wso2.com> wrote: > So this means that IS already has a special config for that, which also > means that we do not have to introduce yet another config and can reuse > what IS is already using right? > > On Mon, Jul 23, 2018 at 11:20 PM Malintha Amarasinghe <malint...@wso2.com> > wrote: > >> Looks like they are using the "IDTokenIssuerID" from identity.xml. If it >> is not specified, it uses the token API URL (https://localhost:9443/ >> oauth2/token). >> >> <IDTokenIssuerID>${carbon.protocol}://${carbon.host}:${ >> carbon.management.port}/oauth2/token</IDTokenIssuerID> >> >> [1] https://github.com/wso2-extensions/identity-inbound- >> auth-oauth/blob/v6.0.14/components/org.wso2.carbon. >> identity.oauth/src/main/java/org/wso2/carbon/identity/ >> oauth2/util/OAuth2Util.java#L966-L972 >> >> On Tue, Jul 24, 2018 at 11:36 AM, Nuwan Dias <nuw...@wso2.com> wrote: >> >>> Do we know how IS generates the "iss" when issuing JWT tokens? We should >>> try to leverage that so that we maintain consistency. Again, by making it >>> backwards compatible too. >>> >>> On Mon, Jul 23, 2018 at 11:01 PM Malintha Amarasinghe < >>> malint...@wso2.com> wrote: >>> >>>> Hi Nuwan, >>>> >>>> We can use a new config under <JWTConfiguration>. If it is not >>>> specified, we can use the config from <RevokeAPIURL>. We can make that >>>> config commented out when shipping. Also, the shipped (default) value can >>>> be added as the token API URL (The same existing value). From these, >>>> existing customers using backend JWT (not doing any changes here) won't >>>> break. >>>> >>>> Do we allow using two different "iss" values for JWT access token and >>>> backend JWT? In both cases, the issuer is the same, so ideally we can use >>>> the same config. But anyone changing this value should be aware that it >>>> will change both "iss" values. >>>> >>>> Thanks! >>>> >>>> On Mon, Jul 23, 2018 at 6:45 PM, Nuwan Dias <nuw...@wso2.com> wrote: >>>> >>>>> IMO the "iss" claim should be a configurable value. Reusing some other >>>>> config such as the Revoke URL is not correct. >>>>> >>>>> IINM, when I went through the code I noticed that we use the same code >>>>> to generate backend JWT's "iss" as well as /token API JWT's "iss". So >>>>> whatever change we do has to be made in a backwards compatible way so that >>>>> we don't break existing applications. >>>>> >>>>> On Mon, Jul 23, 2018 at 6:08 AM Malintha Amarasinghe < >>>>> malint...@wso2.com> wrote: >>>>> >>>>>> + Dev >>>>>> >>>>>> On Mon, Jul 23, 2018 at 6:32 PM, Chamin Dias <cham...@wso2.com> >>>>>> wrote: >>>>>> >>>>>>> Hi all, >>>>>>> >>>>>>> 1. When testing JWT with APIM 2.5.0 + ISKM 5.6.0 + Micro-GW 2.5.0, >>>>>>> we faced an issue. >>>>>>> >>>>>>> *Setup details : Single node APIM Server (no port offset), ISKM >>>>>>> (port offset 1), Default Micro-GW* >>>>>>> >>>>>>> 2. The issuer (iss) is picked from the <RevokeAPIURL> of >>>>>>> api-manager.xml in ISKM pack after replacing "/revoke" -> "/token". The >>>>>>> default value in ISKM pack is : https://localhost:${https.nio. >>>>>>> port}/revoke >>>>>>> >>>>>>> 3. However, when consuming an API with a JWT token, the Micro-GW >>>>>>> shows the below error. >>>>>>> >>>>>>> ERROR [ballerina/http] - Error while validating JWT token : >>>>>>> {message:"No Registered IDP found for the JWT with issuer name : >>>>>>> https://localhost:${https.nio.port}/token >>>>>>> >>>>>>> 4. When we decode the JWT (using https://jwt.io/), we found the >>>>>>> "iss" as follows. (${https.nio.port} has not been resolved properly) >>>>>>> >>>>>>> "iss": "https://localhost:${https.nio.port}/token"; >>>>>>> >>>>>>> 5. Then we edited the <RevokeAPIURL> of api-manager.xml in ISKM >>>>>>> pack as follows. >>>>>>> >>>>>>> <RevokeAPIURL>https://localhost:8243/revoke</RevokeAPIURL> >>>>>>> >>>>>>> *Note* : In micro-gw.conf of Micro-GW 2.5.0, we have the following. >>>>>>> >>>>>>> [jwtTokenConfig] >>>>>>> issuer="https://localhost:8243/token"; >>>>>>> audience="http://org.wso2.apimgt/gateway"; >>>>>>> certificateAlias="wso2apim" >>>>>>> trustStore.path="${ballerina.home}/bre/security/ >>>>>>> ballerinaTruststore.p12" >>>>>>> trustStore.password="ballerina" >>>>>>> >>>>>>> 6. Then, after repeating the process, the API invocation was fine. >>>>>>> >>>>>>> According to the spec (https://tools.ietf.org/html/ >>>>>>> rfc7519#section-4.1.1), "iss" claim identifies the principal that >>>>>>> issued the JWT. There is another option for this, which is the URL >>>>>>> from IS "https://localhost:9444/oauth2/token";. But having this in >>>>>>> the JWT token can expose the IS internal oauth2 token URL. >>>>>>> >>>>>>> So shall we go with the https://localhost:8243 approach? >>>>>>> >>>>>>> In both cases, we need to hardcode the <RevokeAPIURL> as the port >>>>>>> property is not resolved properly in non-synapse(IS) environment. >>>>>>> >>>>>>> Please share your thoughts. >>>>>>> >>>>>>> (Isuru/Malintha/Fazlan - Please add if I have missed anything.) >>>>>>> >>>>>>> Thanks. >>>>>>> >>>>>>> -- >>>>>>> Chamin Dias >>>>>>> Mobile : 0716097455 >>>>>>> Email : cham...@wso2.com >>>>>>> LinkedIn : https://www.linkedin.com/in/chamindias >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Malintha Amarasinghe >>>>>> *WSO2, Inc. - lean | enterprise | middleware* >>>>>> http://wso2.com/ >>>>>> >>>>>> Mobile : +94 712383306 >>>>>> >>>>> >>>>> >>>>> -- >>>>> Nuwan Dias >>>>> >>>>> Director - WSO2, Inc. http://wso2.com >>>>> email : nuw...@wso2.com >>>>> Phone : +94 777 775 729 >>>>> >>>> >>>> >>>> >>>> -- >>>> Malintha Amarasinghe >>>> *WSO2, Inc. - lean | enterprise | middleware* >>>> http://wso2.com/ >>>> >>>> Mobile : +94 712383306 >>>> >>> >>> >>> -- >>> Nuwan Dias >>> >>> Director - WSO2, Inc. http://wso2.com >>> email : nuw...@wso2.com >>> Phone : +94 777 775 729 >>> >> >> >> >> -- >> Malintha Amarasinghe >> *WSO2, Inc. - lean | enterprise | middleware* >> http://wso2.com/ >> >> Mobile : +94 712383306 >> > > > -- > Nuwan Dias > > Director - WSO2, Inc. http://wso2.com > email : nuw...@wso2.com > Phone : +94 777 775 729 > -- Malintha Amarasinghe *WSO2, Inc. - lean | enterprise | middleware* http://wso2.com/ Mobile : +94 712383306
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
