
JWT Authentication is not working due to invalid certificate selection from client-truststore #6833

Open
TomasTokaMrazek opened this issue Nov 15, 2019 · 10 comments

Comments

@TomasTokaMrazek

We set up custom hostname with proper certificate generated from trusted CA authority.

I can successfully generate a JWT token from API Gateway. Its header property "x5t" is a SHA-1 fingerprint.

In system directory /repository/resources/security there are two JKS.

  • wso2carbon.jks – with private/public key pair alias named wso2carbon
  • client-truststore.jks – with certificate alias named wso2carbon

Both wso2carbon entries have the same fingerprint as specified in the JWT header property. Yet the API call response is Invalid JWT token. Signature verification failed.

Is there any configuration we could've missed or is it a bug?

@tmkasun
Contributor

tmkasun commented Nov 15, 2019

What is the API Manager version that you are using ?

@TomasTokaMrazek
Author

@tmkasun 3.0.0. AFAIK using a JWT token instead of OAuth2 is a newly introduced feature. I'm talking about "Token Type"


@TomasTokaMrazek
Author

In our environment we switched back to OAUTH token type, which works as expected. JWT Token Type is the one we had issues with.

@tmkasun tmkasun added the 3.0.0 DEPRECATED Label; Use Affected/3.0.0 instead label Nov 16, 2019
@imchivaa

imchivaa commented Dec 5, 2019

Hi,

We are also facing the same issue, using the v3.1.0-m2 release.
We get the error below after generating the JWT token from the application and invoking the API:

<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
    <ams:code>900901</ams:code>
    <ams:message>Invalid Credentials</ams:message>
    <ams:description>Invalid JWT token. Signature verification failed.. Make sure you have provided the correct security credentials</ams:description>
</ams:fault>

Subsequent invocations print this log:

TID: [-1234] [] [2019-12-05 15:03:05,267] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator} - Invalid JWT token. XXXXXfVgQW9bdmg
TID: [-1234] [] [2019-12-05 15:03:05,270]  WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Invalid Credentials

As OP mentioned, OAuth works fine. Just having issue with JWT.

Any update on this issue?
Thanks.

@imchivaa

imchivaa commented Dec 5, 2019

@TomasTokaMrazek
Author

Looks like the issue is due to specific alias gateway_certificate_alias – that's what I actually found in source code. I'll test it, thank you @imchivaa for linking the updated documentation
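The two findings above (the token's "x5t" header is the SHA-1 thumbprint of the signing certificate, and the gateway looks the certificate up under a fixed alias rather than by thumbprint) can be checked without touching the gateway. The script below is an added example, not code from the thread or from WSO2: it parses the unverified JWT header, computes RFC 7515 x5t over DER bytes, and reports whether the expected alias exists and whether its thumbprint matches. The DER bytes and the token are constructed placeholders; in a real check the DER comes from the truststore (e.g. `keytool -exportcert -alias <alias> -keystore client-truststore.jks`).

```python
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    """Decode base64url (RFC 7515) that may omit '=' padding, as JWT segments do."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def x5t_of_der(cert_der: bytes) -> str:
    """RFC 7515 'x5t': base64url(SHA-1(DER-encoded certificate)) with padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha1(cert_der).digest()).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> dict:
    """Parse only the header segment. This does NOT verify the signature."""
    return json.loads(b64url_decode(token.split(".")[0]))


def diagnose(token: str, truststore: dict, expected_alias: str) -> dict:
    """Compare the token's x5t against every truststore entry (alias -> DER bytes)
    and against the single alias the gateway is configured to read."""
    x5t = jwt_header(token).get("x5t")
    thumbprints = {alias: x5t_of_der(der) for alias, der in truststore.items()}
    return {
        "x5t": x5t,
        "matching_aliases": [a for a, t in thumbprints.items() if t == x5t],
        "alias_present": expected_alias in truststore,
        "alias_matches_x5t": thumbprints.get(expected_alias) == x5t,
    }


# Constructed stand-ins for DER certificate bytes (not real certificates).
SIGNING_CERT_DER = b"CONSTRUCTED-DER-OF-GATEWAY-SIGNING-CERT"
OTHER_CERT_DER = b"CONSTRUCTED-DER-OF-SOME-OTHER-CA-CERT"


def make_sample_token(cert_der: bytes) -> str:
    """Build a constructed, unsigned JWT whose header carries the x5t of cert_der."""
    def seg(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_of_der(cert_der)}
    return f"{seg(header)}.{seg({'sub': 'demo'})}.CONSTRUCTED_SIGNATURE"


if __name__ == "__main__":
    # Truststore holding the cert only under 'wso2carbon', as in the original report.
    store = {"wso2carbon": SIGNING_CERT_DER, "other-ca": OTHER_CERT_DER}
    print(diagnose(make_sample_token(SIGNING_CERT_DER), store, "gateway_certificate_alias"))
```

A result with a non-empty `matching_aliases` but `alias_matches_x5t` false reproduces the thread's situation: the right certificate is in the truststore, just not under the alias the gateway reads.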

@TomasTokaMrazek
Author

Documentation

@rmsamitha rmsamitha added Affected/3.0.0 and removed 3.0.0 DEPRECATED Label; Use Affected/3.0.0 instead labels Apr 2, 2020
@tmkasun tmkasun reopened this Apr 9, 2020
@ViktorHSN

Hello,
I am still having a similar problem to this.
I am using a third party IDP as the keymanager (keycloak based IDP)
I've imported the public certificate to the truststore under the gateway_certificate_alias.

However, in the third party keymanager docs, the "extending key validation handler" section states that token validation is done in the getTokenMetaData() method, which is never called in my setup. Am I missing any configuration step? I need this method to get called so my IDP can validate the token.

@PrabakaranTS

I'm also facing the same issue. We are using APIm 3.1.0 and IS-KM 5.10.0. We have imported the certificate of IS-KM to APIm with gateway_certificate_alias and restarted but still, the issue is not resolved.

@ViktorHSN

ViktorHSN commented Sep 29, 2020

Hello, I got it working. In my case, I had to import the public certificate of the Realm in RH-SSO which signed the JWT token under an alias corresponding to its KID.

Good news is that WSO2 APIM 3.2.0, the newest version at the time of this writing, supports adding a keymanager via its admin interface, which makes the process easier, but I still had to import the certificate as I stated above.
