JWT Authentication is not working due to invalid certificate selection from client-truststore #6833
Comments
What is the API Manager version that you are using?
@tmkasun 3.0.0. AFAIK using JWT token instead of OAuth2 is a new feature introduced. I'm talking about "Token Type".
In our environment we switched back to OAUTH token type, which works as expected. JWT Token Type is the one we had issues with.
Hi, we are also facing the same issue, using the v3.1.0-m2 release.
Subsequent invocations print this log:
As OP mentioned, OAuth works fine. Just having an issue with JWT. Any update on this issue?
Ah, it's okay. I solved this by following this link from the documentation: Thanks.
Looks like the issue is due to a specific alias.
I'm also facing the same issue. We are using APIm 3.1.0 and IS-KM 5.10.0. We have imported the certificate of IS-KM to APIm with gateway_certificate_alias and restarted, but still the issue is not resolved.
Hello, I got it working. In my case, I had to import the public certificate of the Realm in RH-SSO which signed the JWT token under an alias corresponding to its KID. The good news is that WSO2 APIM 3.2.0, the newest version at the time of this writing, supports adding a key manager via its admin interface, which makes the process easier, but I still had to import the certificate as I stated above.
We set up a custom hostname with a proper certificate generated from a trusted CA authority.
I can successfully generate a JWT token from the API Gateway. Its header property "x5t" is the SHA-1 fingerprint.
In the system directory /repository/resources/security there are two JKS files:
wso2carbon.jks – with a private/public key pair alias named wso2carbon
client-truststore.jks – with a certificate alias named wso2carbon
Both wso2carbon entries have the same fingerprint as specified in the JWT header property. Yet the API call response is "Invalid JWT token. Signature verification failed."
Is there any configuration we could have missed, or is it a bug?