1
votes

I am trying to generate a JWT from the WSO2 token endpoint using the password and client credentials approaches, but I am not finding any difference in the sub claim value. It's always pointing to the user id only; shouldn't it have the application id/client id in the sub claim for a JWT generated using the client credentials approach?

ex:

  1. Token obtained using password grant:

Request:

POST https://localhost:8243/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 53

grant_type=password&username=api3dev&password=api3dev

JWT in response:

Header: {"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}

Payload: {"aud":"http://org.wso2.apimgt/gateway","sub":"[email protected]","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502664,"iat":1600499064,"jti":"426d64a9-932b-4f0c-b396-202fd03dd960"}

  2. Token obtained using client credentials:

Request:

POST https://localhost:8243/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 29

grant_type=client_credentials

JWT in response:

Header: {"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}

Payload: {"aud":"http://org.wso2.apimgt/gateway","sub":"[email protected]","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"am_application_scope default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502788,"iat":1600499188,"jti":"8091497e-9978-4541-99b9-efca50b16868"}

In the above example you can see that the sub claim always holds the user id only.

1
What is the API-M version you are using? Yes, ideally the sub claim value for tokens obtained using client credentials should be the client id. In API-M 3.2 the JWTTokenIssuer of WSO2 IS is used, hence this should be fixed in github.com/wso2-extensions/identity-inbound-auth-oauth. Please create a git issue. DuW

1 Answer

1
votes

In WSO2 API Manager, when you are generating an access_token with client_credentials, the sub claim is populated with the owner of the application (service provider). I am not sure that in client credentials the sub claim should be populated with the client_id of the OAuth2 application, though client credentials is a machine-to-machine authz process without user credentials, so the sub (subject) claim should be a user, in this case the owner. For me it is a correct value.
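As an added example (not code from the question, the answer or WSO2 itself), a small Python helper that decodes a token without verifying it and then decides which principal a backend should act on: for a client_credentials token it returns consumerKey rather than sub, because, as both posts describe, sub holds the application owner. The claims are reduced from the tokens in the question; the sub value, the scope-based heuristic and the helper names are assumptions.

```python
import base64
import json

# Claims reduced from the two tokens pasted in the question. The sub value is
# redacted on the page, so "owner@carbon.super" is a constructed placeholder.
PASSWORD_CLAIMS = {
    "sub": "owner@carbon.super",
    "application": {"owner": "api2dev", "name": "demoapp_oriKeymgr", "id": 68},
    "scope": "default",
    "consumerKey": "RsNaf9jk60DB3kWCovdfDftSZIoa",
}
CLIENT_CREDENTIALS_CLAIMS = dict(PASSWORD_CLAIMS, scope="am_application_scope default")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Parse header and claims of a compact JWT WITHOUT checking the signature.
    For inspection only: act on the claims only after the RS256 check passes."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def is_application_token(claims: dict) -> bool:
    """Heuristic taken from the question (an assumption, not a documented rule):
    the client_credentials token carries 'am_application_scope', the password one not."""
    return "am_application_scope" in claims.get("scope", "").split()


def effective_principal(claims: dict):
    """(kind, identifier) a backend should authorize on. For an application
    token sub is the application owner, not the caller, so use consumerKey."""
    if is_application_token(claims):
        return ("client", claims["consumerKey"])
    return ("user", claims["sub"])


# Constructed token with a dummy signature segment, only to exercise the decoder.
SAMPLE_TOKEN = ".".join(b64url_encode(part) for part in (
    json.dumps({"typ": "JWT", "alg": "RS256"}).encode(),
    json.dumps(CLIENT_CREDENTIALS_CLAIMS).encode(), b"not-a-real-signature"))
```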