Hello Marco,
You would need to look at the gateway logs to determine the exact reason the JWT is being rejected, but one item you can check that I have seen cause this issue is to ensure the audience in the JWT claim matches your token endpoint:
"aud":"https://<otk-hostname>:<otk-port>/auth/oauth/v2/token",
Attached is a sample service policy you can use to generate a client assertion JWT that will work with the OTK out-of-the-box configuration. All you should need to do is set the client_id variable in the policy.
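To make the audience check concrete, here is an added Python example (not from the original thread and not Layer7/OTK code) that builds the claim set for a client assertion against an OTK-style token endpoint and then runs the claim checks a token endpoint applies before it even looks at the signature: iss and sub equal the client_id, aud matches the token endpoint URL, exp/nbf are sane, jti is present, and the header kid exists in the client's registered JWK set. The token endpoint hostname and port are assumed placeholders, the signature bytes are a constructed dummy (RS256 verification needs a crypto library and is the gateway's job), and the JWK set keeps only the kid from the thread. Run it and it prints why an aud of "https://xxx.xxx.xxx/" fails while the token endpoint URL passes.

```python
import base64
import json
import time

# Constructed sample configuration (assumed, not from a real deployment).
TOKEN_ENDPOINT = "https://otk.example.test:8443/auth/oauth/v2/token"  # <otk-hostname>:<otk-port> placeholder
CLIENT_ID = "44769950-00f8-4adb-bebf-0732011684c4"
REGISTERED_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                             "kid": "0MtNnhCzZHQ6uahc3iFvfQOx_O6R_B2vlJRQU64XNUI"}]}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_assertion_claims(client_id: str, token_endpoint: str, now: int, lifetime: int = 300) -> dict:
    """Claim set for a private_key_jwt client assertion: aud is the token endpoint itself."""
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint,
            "iat": now, "nbf": now, "exp": now + lifetime, "jti": f"{client_id}-{now}"}


def encode_unsigned_jwt(header: dict, claims: dict, signature: bytes = b"\x00" * 256) -> str:
    """Compact JWS serialisation with a constructed dummy signature (no real RS256 signing here)."""
    segments = [json.dumps(header, separators=(",", ":")).encode(),
                json.dumps(claims, separators=(",", ":")).encode(),
                signature]
    return ".".join(b64url_encode(s) for s in segments)


def check_client_assertion(jwt: str, client_id: str, token_endpoint: str, jwks: dict, now: int) -> list:
    """Return a list of claim problems; an empty list means the claims would pass.
    Signature verification against the registered JWK is deliberately out of scope."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected header.payload.signature)"]
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg {header.get('alg')!r} is not RS256")
    if header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
        problems.append(f"kid {header.get('kid')!r} not found in the client's registered JWK set")
    if claims.get("iss") != client_id:
        problems.append("iss does not equal client_id")
    if claims.get("sub") != client_id:
        problems.append("sub does not equal client_id")
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not match token endpoint {token_endpoint}")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or already passed")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        problems.append("nbf is in the future")
    if not claims.get("jti"):
        problems.append("jti missing (needed for replay detection)")
    return problems


HEADER = {"typ": "JWT", "alg": "RS256", "kid": REGISTERED_JWKS["keys"][0]["kid"]}


def demo(now: int):
    good = encode_unsigned_jwt(HEADER, build_assertion_claims(CLIENT_ID, TOKEN_ENDPOINT, now))
    wrong_aud_claims = build_assertion_claims(CLIENT_ID, TOKEN_ENDPOINT, now)
    wrong_aud_claims["aud"] = "https://xxx.xxx.xxx/"  # the aud used in the question
    bad = encode_unsigned_jwt(HEADER, wrong_aud_claims)
    return (check_client_assertion(good, CLIENT_ID, TOKEN_ENDPOINT, REGISTERED_JWKS, now),
            check_client_assertion(bad, CLIENT_ID, TOKEN_ENDPOINT, REGISTERED_JWKS, now))


if __name__ == "__main__":
    ok, rejected = demo(int(time.time()))
    print("token-endpoint aud:", ok or "claims pass")
    print("bare host aud:", rejected)
```

The check mirrors the failure order a practitioner sees in gateway logs: a wrong aud is reported on its own, so once the assertion's aud is the full token endpoint URL the remaining claims in the question (iss, sub, kid, exp, nbf, jti) already satisfy the rules here and only the signature remains to be verified by the gateway.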
Original Message:
Sent: May 12, 2022 08:26 AM
From: Marco Trucillo
Subject: authenticating for OAuth2 via a JWT instead of client_id/ client_secret
Hello everyone,
I am trying to obtain an OAuth2 token from the API Gateway by authenticating with a signed JWT token.
The request is made in this way:
grant_type=client_credentials&scope=oob&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=xxxxxxxxx
where xxxxx is the JWT.
I create the JWT this way:
{
  "iss": "44769950-00f8-4adb-bebf-0732011684c4",
  "iat": 1652355987,
  "nbf": 1652353827,
  "exp": 1652356147,
  "aud": "https://xxx.xxx.xxx/",
  "jti": "854167957",
  "sub": "44769950-00f8-4adb-bebf-0732011684c4"
}
Then I sign it with my private key. The decoded payload of the JWT is:
{
  "header": {
    "typ": "JWT",
    "alg": "RS256",
    "kid": "0MtNnhCzZHQ6uahc3iFvfQOx_O6R_B2vlJRQU64XNUI"
  },
  "payload": {
    "iss": "44769950-00f8-4adb-bebf-0732011684c4",
    "iat": 1652355987,
    "nbf": 1652353827,
    "exp": 1652356147,
    "aud": "https://xxx.xxx.xxx/",
    "jti": "854167957",
    "sub": "44769950-00f8-4adb-bebf-0732011684c4"
  }
}
where
44769950-00f8-4adb-bebf-0732011684c4
matches the client_id in the OAuth DB.
The secret in the OAuth DB looks like this:
{ "keys": [ {
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "0MtNnhCzZHQ6uahc3iFvfQOx_O6R_B2vlJRQU64XNUI",
"alg": "RS256",
"n": "ijTOCgrGRuxz2bsHxYfyNLqPQKtBx4k2LaI9MvGYoYMttJjqa7Vt1z-oGi8DwUnP7FbD5br0VAGyNXPQXKQwaPUT7cxLw4mrNHp-JXGJddpR3s451GxtWEpbCsD2PI29wPwOfuBXdxI1CMSfoj25mzdq2OkXM9shCxCO89zdJ9VZxNPqYtt2TpdGVixo_ILGAPMDmFcd2wK9rF45V3QhfdC-fUs_HkOcFAgXsxnzlOsWbJp-3aT0mxQPftMHEDzctbf-jwmv37NqqVEBsFQH-QfltGPer-AiyG5UAFYqQHZ4wRTYtJCT8OcNTlJYeOUuIuRIiF8RGaICHikbaU6atw"
} ] }
where the kid value matches the kid value in my JWT header.
If I try this way, I receive this error:
{ "error": "invalid client", "error_description":"The given JWT for client authenticatin is invalid." }
Where am I wrong?
Thanks in advance
Marco