wso2 api manager 3.1.0 jwks is not returning kid used to generate a token

1
votes

After upgrade from wso2 api manager 3.0.0 to 3.1.0 I'm facing the issue with validation of JWT token which is generated by wso2 to access backend API:

Configuration in deployment.toml

[apim.jwt]
enable = true
encoding = "base64" # base64,base64url
generator_impl = "DefaultJWTGenerator" #example
claim_dialect = "http://wso2.org/claims"
header = "Authorization"
signing_algorithm = "SHA256withRSA"
enable_user_claims = true
claims_extractor_impl = "org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever"

kid which is added to generated token is missing in response from /oauth2/jwks url.

for example header of generated token: 

  "typ": "JWT",
  "alg": "RS256",
  "kid": "ODFjMzAxZjhmNzY2MDBhOTBlNDYwNGY2Yzc1MWM1YjgzYzJmYTJlMA"
}

response from /oauth2/jwks:

{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"M2Y4OGJhNzhlMzJiNzgwMjU3NDBmNTc3ZWIyNDNlMTQyYmQwM2JhZWIyNjgxODNlNGE4ODAwMTAyYWRmODI4Yg_RS256","alg":"RS256","n":"1n880ZJW22CKADeTMLm-d1K75fuUqu6ciV9-iw3kAfmevx_SMxpv5Gm7nj_t5HeXZcBKIhOQT-wZwdaZcEQBSEwXDOgNrGM4upYzGwqm6Q_lg7tAlpz_7zpJlf_buOlUwz0Fsbnuw25cYhMg67P1mSIQ8MuhfZ3mG_WScitDcGKKgNC0-9U6FN2txiauf2dVZzoSUrQLOvFhYmSO9z-Leb9pnhGLCPjXcStAoaHtI-F8yUXB-N-x1z0C1bp0KzaIPCIRdc5sy_8CYrAKVjp4bnuoaC5n5v3ciLTvBlvw5gvDMtLDdsmR4vmoBt2uz5_iEHMBEgb7q2ouwpDm2ER0PQ"}]}

I can see that kid in token is coming from wso2carbon key in keystore.jks file. But can not find where key in jwks is coming from.

1
wso2jwtwso2-am

1 Answers

2
votes

The problem was that kid generation was changed from SHA-1 to SHA-256. if you have same problem you can customize JWT token generation and put kid using code below:

String certThumbPrint = OAuth2Util.getThumbPrint(tenantDomain, tenantId);
JWSAlgorithm accessTokenSignAlgorithm = OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(signatureAlgorithm);
String kid = OAuth2Util.getKID(certThumbPrint, accessTokenSignAlgorithm);