WSO2 Identity Server JWT Bearer

1
votes

I have installed and configured JWT Grant Type in WSO2 IS 5.3.0 following this guide Then I have configured a Service Provider enabling the OAuth/OpenID Connect Inbound Authenticator. I am able from a javascript client to authenticate the user exploiting the Oauth 2 protocol with open-id scope obtaining a valid JWT token (JWTToken).

Finally I tried to make a POST request to https://****/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=JWTToken using a REST Client and setting Content-Type=application/x-www-form-urlencoded.

When I do the request the WSOIS Server asks for a username and a password. I am able to pass this step providing a valid clientId and clientSecret.

Unfortunately at this point the server dos not reply with an access token but with a 400 Bad Request and in the response body writes "{"error_description":"Error occurred while decoding public certificate of Identity Provider default for tenant domain carbon.super","error":"invalid_grant"}"

I can't understand if the problem is the JWT Token that I pass to the server or if there is some issues with the certificates. Any help please?

1
oauth-2.0wso2jwtaccess-tokenwso2is

1 Answers

3
votes

Okay. I think this should help you.

If you take the OpenID connect token you got from WSO2 Identity Server and put it in jwt.io you would see that the openID connect will have the "iss" (issuer) value of "https://localhost:9443/oauth2/token" (replace localhost with your hostname if you have set the hostname) which is the token endpoint of WSO2 Identity Server.

So when you use this token as a JWT Bearer grant, in order to validate the signature the grant handler tries to retrieve an IDP with the name given in the issuer(iss) field (ie. token endpoint of WSO2 Identity Server). As it fails to find any identity provider it retrieves the default identity provider (note this is a dummy IDP added for sake of backward compatibility) which doesn't have any certificate. (you can find this under $IS_HOME/repository/conf/identity/identity-providers/default.xml)

So there are two ways to fix this,

  1. Change the issuer value of Identity Server so that it can fetch the certifcate of it's resident identity provider.

    To do this, Login to the management console,

Go to Identity Provider --> Resident --> Inbound Authentication Configuration --> OAuth2/OpenID Connect Configuration --> set the 'Identity Provider Entity Id' value as LOCAL

  1. Create a new Identity Provider with the name equal issuer value of the OpenID connect token (ie. the token endpoint) and upload the public certificate that could be used to verify the OpenID connect token.

Personally, I prefer the first solution :)

Update:

You also need to do one more change,

In identity.xml (found under repository/conf/identity) uncomment the following lines 

<Audiences> 
    <Audience>
        ${carbon.protocol}://${carbon.host}:${carbon.manag‌​ement.port}/oauth2/t‌​oken
    </Audience> 
</Audiences>

This will make sure that the audience validation check will pass for the issued OpenID connect token when used as a JWT bearer grant. (ie. the JWT Grant handler will validate whether the token endpoint is one of the audiences in the provided grant)