Layer7 API Management

  • 1.  OAuth2, grant_type = client_credentials with JWT authentication

    Posted May 12, 2022 03:27 PM
    Hello everyone,
    I am trying to obtain an OAuth2 token from the Layer7 API Gateway using a signed JWT as the credential.

    The request is made in this way

    grant_type=client_credentials&scope=oob&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=xxxxxxxxx

    where xxxxx is my JWT signed with my private key.

    I create the JWT this way

    {
      "header": {
        "typ": "JWT",
        "alg": "RS256",
        "kid": "0MtNnhCzZHQ6uahc3iFvfQOx_O6R_B2vlJRQU64XNUI"
      },
      "payload": {
        "iss": "44769950-00f8-4adb-bebf-0732011684c4",
        "iat": 1652355987,
        "nbf": 1652353827,
        "exp": 1652356147,
        "aud": "https://xxx.xxx.xxx/",
        "jti": "854167957",
        "sub": "44769950-00f8-4adb-bebf-0732011684c4"
      }
    }


    where 

    44769950-00f8-4adb-bebf-0732011684c4

    matches the client_id in the OAuth DB

    The secret in the OAuth DB looks like this:

    { "keys": [ {
    "kty": "RSA",
    "e": "AQAB",
    "use": "sig",
    "kid": "0MtNnhCzZHQ6uahc3iFvfQOx_O6R_B2vlJRQU64XNUI",
    "alg": "RS256",
    "n": "ijTOCgrGRuxz2bsHxYfyNLqPQKtBx4k2LaI9MvGYoYMttJjqa7Vt1z-oGi8DwUnP7FbD5br0VAGyNXPQXKQwaPUT7cxLw4mrNHp-JXGJddpR3s451GxtWEpbCsD2PI29wPwOfuBXdxI1CMSfoj25mzdq2OkXM9shCxCO89zdJ9VZxNPqYtt2TpdGVixo_ILGAPMDmFcd2wK9rF45V3QhfdC-fUs_HkOcFAgXsxnzlOsWbJp-3aT0mxQPftMHEDzctbf-jwmv37NqqVEBsFQH-QfltGPer-AiyG5UAFYqQHZ4wRTYtJCT8OcNTlJYeOUuIuRIiF8RGaICHikbaU6atw"
    } ] }

    That is the public key of the one with which I signed my token.

    But I receive this error:

    {
    "error": "invalid client",
    "error_description": "The given JWT for client authentication is invalid."
    }

    Where am I wrong?

    Thanks in advance
    Marco


  • 2.  RE: OAuth2, grant_type = client_credentials with JWT authentication

    Broadcom Employee
    Posted May 16, 2022 11:29 AM
    This is a duplicate; it was answered in another post: authenticating for OAuth2 via a JWT instead of client_id/client_secret