Layer7 API Management

  • 1.  authenticating for OAuth2 via a JWT instead of client_id/client_secret

    Posted 12 days ago

    Hello everyone,

    I am trying to obtain an OAuth2 token from the API Gateway, authenticating with a signed JWT token.

    The request is made this way:

    grant_type=client_credentials&scope=oob&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=xxxxxxxxx

    where xxxxxxxxx is the JWT.

    I create the JWT this way:

    {
    "iss": "44769950-00f8-4adb-bebf-0732011684c4",
    "iat": 1652355987,
    "nbf": 1652353827,
    "exp": 1652356147,
    "aud": "https://xxx.xxx.xxx/",
    "jti": "854167957",
    "sub": "44769950-00f8-4adb-bebf-0732011684c4"
    }

    Then I sign it with my private key. The decoded payload of the JWT is:
    {
    "header": {
    "typ": "JWT",
    "alg": "RS256",
    "kid": "0MtNnhCzZHQ6uahc3iFvfQOx_O6R_B2vlJRQU64XNUI"
    },
    "payload": {
    "iss": "44769950-00f8-4adb-bebf-0732011684c4",
    "iat": 1652355987,
    "nbf": 1652353827,
    "exp": 1652356147,
    "aud": "https://xxx.xxx.xxx/",
    "jti": "854167957",
    "sub": "44769950-00f8-4adb-bebf-0732011684c4"
    }
    }


    where 44769950-00f8-4adb-bebf-0732011684c4 matches the client_id in the OAuth DB.

    The secret in the OAuth DB looks like this:

    { "keys": [ {
    "kty": "RSA",
    "e": "AQAB",
    "use": "sig",
    "kid": "0MtNnhCzZHQ6uahc3iFvfQOx_O6R_B2vlJRQU64XNUI",
    "alg": "RS256",
    "n": "ijTOCgrGRuxz2bsHxYfyNLqPQKtBx4k2LaI9MvGYoYMttJjqa7Vt1z-oGi8DwUnP7FbD5br0VAGyNXPQXKQwaPUT7cxLw4mrNHp-JXGJddpR3s451GxtWEpbCsD2PI29wPwOfuBXdxI1CMSfoj25mzdq2OkXM9shCxCO89zdJ9VZxNPqYtt2TpdGVixo_ILGAPMDmFcd2wK9rF45V3QhfdC-fUs_HkOcFAgXsxnzlOsWbJp-3aT0mxQPftMHEDzctbf-jwmv37NqqVEBsFQH-QfltGPer-AiyG5UAFYqQHZ4wRTYtJCT8OcNTlJYeOUuIuRIiF8RGaICHikbaU6atw"
    } ] }


    where the kid value matches the kid value of my JWT header.

    If I try this way, I receive this error:

    { "error": "invalid client", "error_description":"The given JWT for client authenticatin is invalid." }


    Where am I wrong?

    Thanks in advance
    Marco



  • 2.  RE: authenticating for OAuth2 via a JWT instead of client_id/client_secret

    Broadcom Employee
    Posted 11 days ago
    Hello Marco,

    You would need to look at the gateway logs to determine the exact reason the JWT is being rejected, but one item you can check, which I have seen cause this issue, is to ensure the audience in the JWT claim matches your token endpoint:

    "aud":"https://<otk-hostname>:<otk-port>/auth/oauth/v2/token",

    Attached is a sample service policy you can use to generate a client assertion JWT that will work with the OTK out-of-the-box configuration. All you should need to do is set the client_id variable in the policy.



  • 3.  RE: authenticating for OAuth2 via a JWT instead of client_id/client_secret

    Posted 8 days ago
    Thank you Berry!
    It was precisely because of the "audience" mismatch.

    However, my token endpoint is published in two ways:
    • https://api.intranet.domain.tld
    • https://api.domain.tld
    but it only works if I put "https://api.intranet.domain.tld" in the audience, even if I then request the token from https://api.domain.tld.




  • 4.  RE: authenticating for OAuth2 via a JWT instead of client_id/client_secret

    Broadcom Employee
    Posted 8 days ago
    Glad that addressed your issue.

    The aud claim in the JWT must contain the authorization server token endpoint.

    The token endpoint is defined in your OTK configuration by the host_oauth2_auth_server parameter, which defaults to the cluster.hostname CWP. It is also what is published in your OIDC discovery document at https://<otk-hostname>:<otk-port>/.well-known/openid-configuration
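The rule the replies describe, as an added example that is not code from this thread or from the OTK: a Go client that builds the jwt-bearer client_assertion with the same claims Marco used, and the verification an authorization server performs before accepting it, where an aud that is not exactly the token endpoint (for instance a bare gateway host) is refused. Assumptions: the token endpoint URL, client_id and kid are placeholders supplied by the caller, and the signing key is an RSA key generated by the caller rather than one registered in the OAuth DB.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
func segment(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }

// NewClientAssertion builds the RS256 JWT a client sends as client_assertion for jwt-bearer
// client authentication: iss and sub carry the client_id, aud must name the token endpoint.
func NewClientAssertion(key *rsa.PrivateKey, kid, clientID, aud string, now time.Time) (string, error) {
	header := map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid}
	claims := map[string]any{"iss": clientID, "sub": clientID, "aud": aud, "jti": fmt.Sprint(now.UnixNano()),
		"iat": now.Unix(), "nbf": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()}
	input := segment(header) + "." + segment(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyClientAssertion applies the authorization server's checks: algorithm and key are pinned from the
// client's registration (the header's alg is never trusted), iss/sub must equal the client_id, aud must equal this token endpoint exactly, and now must lie in [nbf, exp).
func VerifyClientAssertion(tok string, pub *rsa.PublicKey, clientID, tokenEndpoint string, now time.Time) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return fmt.Errorf("malformed JWT: %d segments", len(parts)) }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return fmt.Errorf("bad signature") }
	var c struct{ Iss, Sub, Aud string; Nbf, Exp int64 }
	if body, _ := b64.DecodeString(parts[1]); json.Unmarshal(body, &c) != nil { return fmt.Errorf("bad claims") }
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return fmt.Errorf("iss/sub %q do not match client_id %q", c.Iss, clientID)
	case c.Aud != tokenEndpoint: // the mismatch that produced "invalid client" in this thread
		return fmt.Errorf("aud %q is not the token endpoint %q", c.Aud, tokenEndpoint)
	case now.Unix() < c.Nbf || now.Unix() >= c.Exp:
		return fmt.Errorf("assertion is outside its nbf/exp window")
	}
	return nil
}
```

Build the assertion with the gateway's full token endpoint URL (the one the OIDC discovery document publishes) as aud and VerifyClientAssertion returns nil; pass a bare host such as https://api.domain.tld instead and it returns the aud error.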