Layer7 API Management

  • 1.  authenticating for OAuth2 via a JWT instead of client_id/ client_secret

    Posted May 12, 2022 03:27 PM

    Hello everyone,

    I am trying to obtain an OAuth2 token from the API Gateway, authenticating with a signed JWT.

    The request is made in this way

    grant_type=client_credentials&scope=oob&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=xxxxxxxxx

    where xxxxx is the JWT

    I create the JWT this way

    {
      "iss": "44769950-00f8-4adb-bebf-0732011684c4",
      "iat": 1652355987,
      "nbf": 1652353827,
      "exp": 1652356147,
      "aud": "https://xxx.xxx.xxx/",
      "jti": "854167957",
      "sub": "44769950-00f8-4adb-bebf-0732011684c4"
    }

    Then I sign it with my private key. The decoded JWT (header and payload) is
    {
      "header": {
        "typ": "JWT",
        "alg": "RS256",
        "kid": "0MtNnhCzZHQ6uahc3iFvfQOx_O6R_B2vlJRQU64XNUI"
      },
      "payload": {
        "iss": "44769950-00f8-4adb-bebf-0732011684c4",
        "iat": 1652355987,
        "nbf": 1652353827,
        "exp": 1652356147,
        "aud": "https://xxx.xxx.xxx/",
        "jti": "854167957",
        "sub": "44769950-00f8-4adb-bebf-0732011684c4"
      }
    }


    where 

    44769950-00f8-4adb-bebf-0732011684c4

    matches the client_id in the OAuth DB

    the secret in the OAuth db looks like this

    { "keys": [ {
    "kty": "RSA",
    "e": "AQAB",
    "use": "sig",
    "kid": "0MtNnhCzZHQ6uahc3iFvfQOx_O6R_B2vlJRQU64XNUI",
    "alg": "RS256",
    "n": "ijTOCgrGRuxz2bsHxYfyNLqPQKtBx4k2LaI9MvGYoYMttJjqa7Vt1z-oGi8DwUnP7FbD5br0VAGyNXPQXKQwaPUT7cxLw4mrNHp-JXGJddpR3s451GxtWEpbCsD2PI29wPwOfuBXdxI1CMSfoj25mzdq2OkXM9shCxCO89zdJ9VZxNPqYtt2TpdGVixo_ILGAPMDmFcd2wK9rF45V3QhfdC-fUs_HkOcFAgXsxnzlOsWbJp-3aT0mxQPftMHEDzctbf-jwmv37NqqVEBsFQH-QfltGPer-AiyG5UAFYqQHZ4wRTYtJCT8OcNTlJYeOUuIuRIiF8RGaICHikbaU6atw"
    } ] }


    where the kid value matches the kid value in my JWT header.

    If I try it this way, I receive this error:

    { "error": "invalid client", "error_description":"The given JWT for client authenticatin is invalid." }


    Where am I wrong?

    Thanks in advance
    Marco



  • 2.  RE: authenticating for OAuth2 via a JWT instead of client_id/ client_secret

    Broadcom Employee
    Posted May 13, 2022 10:50 AM
    Hello Marco,

    You would need to look at the gateway logs to determine the exact reason the JWT is being rejected, but one item you can check, which I have seen cause this issue, is to ensure the audience in the JWT claim matches your token endpoint:

    "aud":"https://<otk-hostname>:<otk-port>/auth/oauth/v2/token",

    Attached is a sample service policy you can use to generate a client assertion JWT that will work with the OTK out-of-the-box configuration. All you should need to do is set the client_id variable in the policy.



  • 3.  RE: authenticating for OAuth2 via a JWT instead of client_id/ client_secret

    Posted May 16, 2022 03:46 AM
    Thank you Berry!
    It was precisely because of the "audience" mismatch.

    However, my token endpoint is published in two ways:
    • https://api.intranet.domain.tld
    • https://api.domain.tld
    but it only works if I put "https://api.intranet.domain.tld" in the audience, even if I then request the token from https://api.domain.tld




  • 4.  RE: authenticating for OAuth2 via a JWT instead of client_id/ client_secret

    Broadcom Employee
    Posted May 16, 2022 11:28 AM
    Glad that addressed your issue.

    The aud claim in the JWT must contain the authorization server's token endpoint.

    The token endpoint is defined in your OTK configuration by the host_oauth2_auth_server parameter, which defaults to the cluster.hostname CWP. It is also what is published in your OIDC discovery document: https://<otk-hostname>:<otk-port>/.well-known/openid-configuration
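As an added example (not code from the thread or from OTK), the following Go program signs a client assertion like the one in the first post and then applies the checks a token endpoint performs on it, including the comparison of aud against the token endpoint URL that produced the "invalid client" error above. SignAssertion and VerifyAssertion are hypothetical names, and the client's registered JWKS is represented as a map from kid to public key rather than the JSON document stored in the OAuth DB.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type Claims struct { // assertion body from the post: iss/sub carry the client_id, aud the token endpoint
	Iss, Sub, Aud, Jti string
	Iat, Nbf, Exp      int64
}

func SignAssertion(key *rsa.PrivateKey, kid string, c Claims) string { // client side: RS256 over header.payload
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	body, _ := json.Marshal(map[string]any{"iss": c.Iss, "sub": c.Sub, "aud": c.Aud, "jti": c.Jti, "iat": c.Iat, "nbf": c.Nbf, "exp": c.Exp})
	in := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return in + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyAssertion mimics the token endpoint: alg pinned to RS256, kid looked up in the client's JWKS, signature, nbf/exp window, iss/sub == client_id, aud == token endpoint.
func VerifyAssertion(tok, clientID, endpoint string, jwks map[string]*rsa.PublicKey, now int64) error {
	hs, rest, _ := strings.Cut(tok, ".")
	ps, ss, _ := strings.Cut(rest, ".")
	hb, _ := base64.RawURLEncoding.DecodeString(hs) // a decode failure leaves bytes that fail the checks below
	pb, _ := base64.RawURLEncoding.DecodeString(ps)
	sig, _ := base64.RawURLEncoding.DecodeString(ss)
	var hdr struct{ Alg, Kid string }
	var c Claims
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &c) != nil {
		return errors.New("malformed JWT")
	}
	h := sha256.Sum256([]byte(hs + "." + ps)) // the signed input is the raw first two segments
	switch {
	case hdr.Alg != "RS256" || jwks[hdr.Kid] == nil || rsa.VerifyPKCS1v15(jwks[hdr.Kid], crypto.SHA256, h[:], sig) != nil:
		return errors.New("unknown kid, wrong alg or bad signature")
	case c.Iss != clientID || c.Sub != clientID || now < c.Nbf || now >= c.Exp:
		return errors.New("iss/sub or validity window rejected")
	case c.Aud != endpoint: // the mismatch that produced the post's "invalid client" error
		return errors.New("aud does not match the token endpoint")
	}
	return nil
}
```

A production verifier would additionally record jti values for the assertion's lifetime to reject replays, which this example leaves out.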