Hi, I quickly checked the backend JWT scenario and observed the following.
1. <RevokeAPIURL> is set as follows (in api-manager.xml):

<RevokeAPIURL>https://localhost:8243/revoke</RevokeAPIURL>

2. The resolved value of "iss" of the backend JWT is:

"iss": "wso2.org/products/am"

Based on the code, it seems like the inbound JWT token is using the value in the configuration while the outbound JWT token is using a constant ([1] and [2]). That means if we change the value in the config, it won't affect the backend.

[1] https://github.com/wso2/carbon-apimgt/blob/v6.3.95/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/token/AbstractJWTGenerator.java#L66
[2] https://github.com/wso2/carbon-apimgt/blob/v6.3.95/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/token/JWTGenerator.java#L67

Thanks.

On Tue, Jul 24, 2018 at 11:58 AM, Malintha Amarasinghe <malint...@wso2.com> wrote:

> Yes +1, and shall we change the configured value in identity.xml to the
> gateway token endpoint? Because otherwise, it will use the default
> (https://localhost:9443/oauth2/token) and we are exposing the IS token
> endpoint to the outside. And as we have already registered the gateway as the
> issuer in MG configs, we will have to change there as well if we use the
> default IS value.
>
> Thanks!
>
> On Tue, Jul 24, 2018 at 11:53 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>
>> So this means that IS already has a special config for that, which also
>> means that we do not have to introduce yet another config and can reuse
>> what IS is already using, right?
>>
>> On Mon, Jul 23, 2018 at 11:20 PM Malintha Amarasinghe <malint...@wso2.com> wrote:
>>
>>> Looks like they are using the "IDTokenIssuerID" from identity.xml. If
>>> it is not specified, it uses the token API URL
>>> (https://localhost:9443/oauth2/token).
>>>
>>> <IDTokenIssuerID>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</IDTokenIssuerID>
>>>
>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.0.14/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L966-L972
>>>
>>> On Tue, Jul 24, 2018 at 11:36 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>
>>>> Do we know how IS generates the "iss" when issuing JWT tokens? We
>>>> should try to leverage that so that we maintain consistency. Again, by
>>>> making it backwards compatible too.
>>>>
>>>> On Mon, Jul 23, 2018 at 11:01 PM Malintha Amarasinghe <malint...@wso2.com> wrote:
>>>>
>>>>> Hi Nuwan,
>>>>>
>>>>> We can use a new config under <JWTConfiguration>. If it is not
>>>>> specified, we can use the config from <RevokeAPIURL>. We can make that
>>>>> config commented out when shipping. Also, the shipped (default) value can
>>>>> be added as the token API URL (the same existing value). From these,
>>>>> existing customers using backend JWT (not doing any changes here) won't
>>>>> break.
>>>>>
>>>>> Do we allow using two different "iss" values for the JWT access token and
>>>>> the backend JWT? In both cases, the issuer is the same, so ideally we can use
>>>>> the same config. But anyone changing this value should be aware that it
>>>>> will change both "iss" values.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> On Mon, Jul 23, 2018 at 6:45 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>>
>>>>>> IMO the "iss" claim should be a configurable value. Reusing some
>>>>>> other config such as the Revoke URL is not correct.
>>>>>>
>>>>>> IINM, when I went through the code I noticed that we use the same
>>>>>> code to generate the backend JWT's "iss" as well as the /token API JWT's "iss".
>>>>>> So whatever change we do has to be made in a backwards compatible way so
>>>>>> that we don't break existing applications.
>>>>>>
>>>>>> On Mon, Jul 23, 2018 at 6:08 AM Malintha Amarasinghe <malint...@wso2.com> wrote:
>>>>>>
>>>>>>> + Dev
>>>>>>>
>>>>>>> On Mon, Jul 23, 2018 at 6:32 PM, Chamin Dias <cham...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> 1. When testing JWT with APIM 2.5.0 + ISKM 5.6.0 + Micro-GW 2.5.0,
>>>>>>>> we faced an issue.
>>>>>>>>
>>>>>>>> *Setup details: Single node APIM Server (no port offset), ISKM
>>>>>>>> (port offset 1), Default Micro-GW*
>>>>>>>>
>>>>>>>> 2. The issuer (iss) is picked from the <RevokeAPIURL> of
>>>>>>>> api-manager.xml in the ISKM pack after replacing "/revoke" -> "/token". The
>>>>>>>> default value in the ISKM pack is: https://localhost:${https.nio.port}/revoke
>>>>>>>>
>>>>>>>> 3. However, when consuming an API with a JWT token, the Micro-GW
>>>>>>>> shows the below error.
>>>>>>>>
>>>>>>>> ERROR [ballerina/http] - Error while validating JWT token :
>>>>>>>> {message:"No Registered IDP found for the JWT with issuer name :
>>>>>>>> https://localhost:${https.nio.port}/token
>>>>>>>>
>>>>>>>> 4. When we decode the JWT (using https://jwt.io/), we found the
>>>>>>>> "iss" as follows. (${https.nio.port} has not been resolved
>>>>>>>> properly.)
>>>>>>>>
>>>>>>>> "iss": "https://localhost:${https.nio.port}/token"
>>>>>>>>
>>>>>>>> 5. Then we edited the <RevokeAPIURL> of api-manager.xml in the ISKM
>>>>>>>> pack as follows.
>>>>>>>>
>>>>>>>> <RevokeAPIURL>https://localhost:8243/revoke</RevokeAPIURL>
>>>>>>>>
>>>>>>>> *Note*: In micro-gw.conf of Micro-GW 2.5.0, we have the following.
>>>>>>>>
>>>>>>>> [jwtTokenConfig]
>>>>>>>> issuer="https://localhost:8243/token"
>>>>>>>> audience="http://org.wso2.apimgt/gateway"
>>>>>>>> certificateAlias="wso2apim"
>>>>>>>> trustStore.path="${ballerina.home}/bre/security/ballerinaTruststore.p12"
>>>>>>>> trustStore.password="ballerina"
>>>>>>>>
>>>>>>>> 6. Then, after repeating the process, the API invocation was fine.
>>>>>>>>
>>>>>>>> According to the spec (https://tools.ietf.org/html/rfc7519#section-4.1.1),
>>>>>>>> the "iss" claim identifies the principal that issued the JWT. There is
>>>>>>>> another option for this, which is the URL from IS,
>>>>>>>> "https://localhost:9444/oauth2/token". But having this in
>>>>>>>> the JWT token can expose the IS internal OAuth2 token URL.
>>>>>>>>
>>>>>>>> So shall we go with the https://localhost:8243 approach?
>>>>>>>>
>>>>>>>> In both cases, we need to hardcode the <RevokeAPIURL> as the port
>>>>>>>> property is not resolved properly in a non-synapse (IS) environment.
>>>>>>>>
>>>>>>>> Please share your thoughts.
>>>>>>>>
>>>>>>>> (Isuru/Malintha/Fazlan - Please add if I have missed anything.)
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Chamin Dias
>>>>>>>> Mobile : 0716097455
>>>>>>>> Email : cham...@wso2.com
>>>>>>>> LinkedIn : https://www.linkedin.com/in/chamindias
>>>>>>>
>>>>>>> --
>>>>>>> Malintha Amarasinghe
>>>>>>> *WSO2, Inc. - lean | enterprise | middleware*
>>>>>>> http://wso2.com/
>>>>>>>
>>>>>>> Mobile : +94 712383306
>>>>>>
>>>>>> --
>>>>>> Nuwan Dias
>>>>>>
>>>>>> Director - WSO2, Inc. http://wso2.com
>>>>>> email : nuw...@wso2.com
>>>>>> Phone : +94 777 775 729
>>>>>
>>>>> --
>>>>> Malintha Amarasinghe
>>>>> *WSO2, Inc. - lean | enterprise | middleware*
>>>>> http://wso2.com/
>>>>>
>>>>> Mobile : +94 712383306
>>>>
>>>> --
>>>> Nuwan Dias
>>>>
>>>> Director - WSO2, Inc. http://wso2.com
>>>> email : nuw...@wso2.com
>>>> Phone : +94 777 775 729
>>>
>>> --
>>> Malintha Amarasinghe
>>> *WSO2, Inc. - lean | enterprise | middleware*
>>> http://wso2.com/
>>>
>>> Mobile : +94 712383306
>>
>> --
>> Nuwan Dias
>>
>> Director - WSO2, Inc. http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>
> --
> Malintha Amarasinghe
> *WSO2, Inc. - lean | enterprise | middleware*
> http://wso2.com/
>
> Mobile : +94 712383306

--
Chamin Dias
Mobile : 0716097455
Email : cham...@wso2.com
LinkedIn : https://www.linkedin.com/in/chamindias
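The mechanism the thread describes, as an added example that is not part of the original mail thread and not WSO2 code: the key manager derives "iss" from <RevokeAPIURL> by replacing "/revoke" with "/token", the ${https.nio.port} placeholder is left unresolved on the IS-based key manager, and the micro-gateway then rejects the token because the issuer is not in its registered set. Assumptions that are mine, not the product's: the placeholder resolver, the HS256 demo key (the real gateway verifies an RSA signature against the certificateAlias in its truststore), the Python set standing in for the gateway's registered IDPs, and the optional strict=True check that refuses to mint an issuer containing an unresolved placeholder, which is a suggested guard and not something the thread says the product does.

```python
import base64
import hashlib
import hmac
import json
import re

PLACEHOLDER_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed sample values taken from the thread; the HMAC key is made up for this demo.
DEFAULT_REVOKE_URL = "https://localhost:${https.nio.port}/revoke"
GATEWAY_ISSUER = "https://localhost:8243/token"       # micro-gw.conf [jwtTokenConfig].issuer
GATEWAY_AUDIENCE = "http://org.wso2.apimgt/gateway"   # micro-gw.conf [jwtTokenConfig].audience
DEMO_KEY = b"demo-only-shared-secret"                 # assumption: HS256 instead of RSA


def resolve_placeholders(value, properties):
    """Substitute ${name} from `properties`; unknown names are left verbatim, which is
    what happened to https.nio.port on the IS-based key manager (no synapse transport)."""
    return PLACEHOLDER_RE.sub(lambda m: str(properties.get(m.group(1), m.group(0))), value)


def issuer_from_revoke_url(revoke_url, properties, strict=False):
    """Derive "iss" as the thread describes: resolve the URL, then "/revoke" -> "/token".
    strict=True is a suggested guard (not in the product) that refuses an unresolved issuer."""
    resolved = resolve_placeholders(revoke_url, properties)
    if strict and PLACEHOLDER_RE.search(resolved):
        raise ValueError(f"unresolved placeholder in RevokeAPIURL: {resolved}")
    if not resolved.endswith("/revoke"):
        raise ValueError(f"RevokeAPIURL does not end in /revoke: {resolved}")
    return resolved[: -len("/revoke")] + "/token"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    """Minimal HS256 JWT standing in for the token the key manager issues."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_jwt(token, key, registered_issuers, audience):
    """Signature first, then the issuer lookup that produced the gateway error in the thread."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature"
    except ValueError:
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    iss = claims.get("iss")
    if iss not in registered_issuers:
        return False, f"No Registered IDP found for the JWT with issuer name : {iss}"
    if claims.get("aud") != audience:
        return False, f"audience mismatch: {claims.get('aud')}"
    return True, claims


def simulate(revoke_url, properties):
    """Mint a token for the derived issuer and run it through the gateway-style check."""
    iss = issuer_from_revoke_url(revoke_url, properties)
    token = mint_jwt({"iss": iss, "aud": GATEWAY_AUDIENCE, "sub": "admin"}, DEMO_KEY)
    return validate_jwt(token, DEMO_KEY, {GATEWAY_ISSUER}, GATEWAY_AUDIENCE)


if __name__ == "__main__":
    # Steps 3/4 of the thread: placeholder never resolved, gateway rejects the issuer.
    print(simulate(DEFAULT_REVOKE_URL, {}))
    # Steps 5/6: hard-coded <RevokeAPIURL>, issuer now matches micro-gw.conf.
    print(simulate("https://localhost:8243/revoke", {}))
    # Same outcome if the property had actually been defined in the runtime.
    print(simulate(DEFAULT_REVOKE_URL, {"https.nio.port": 8243}))
```

The point of the strict flag is that an issuer string with a literal "${...}" in it should never leave the token service; catching it at mint time gives a clear configuration error instead of a gateway-side "No Registered IDP" failure that only shows up after decoding the token. This block models the access-token (inbound) issuer only; the backend JWT's constant "wso2.org/products/am" noted at the top of the thread is a separate code path.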
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev