Open amitassa opened 1 year ago
Hello @amitassa !
Thanks for sharing this with us. Would you mind sharing the configuration of APIM and AM (excluding sensitive information, of course)?
That would definitely help us identify the issue. Thank you!
Hi @remisultan!
Which configuration are you looking for?
On AM:
- IDP: LDAP, using name as sAMAccountName
- One Web Application:
  - IDP: using this LDAP provider
  - OAuth2.0/OIDC settings: Refresh Token & Password grants, openid scope, token times: [10800, 259200, 14400], Public/Confidential - empty ("Change the token auth method")
  - Also using client ID & client secret within the request headers
APIM: I'm guessing that you need the configuration related to authentication. So every endpoint has an OpenID Connect - UserInfo policy, using the resource below, with "Extract UserInfo payload" checked.
Resource:
- Server URL: AM Gateway URL
- Version: V2_X
- Domain: relevant domain
- Client ID & secret: sensitive
- User claim: sub
@amitassa thank you
To make sure we understand: you are using AM to secure APIM endpoints and not for organisation user authentication of APIM, correct?
@remisultan Actually, our use is kind of both: securing (for OpenID Connect) and authenticating with domain users, so I can't give you a yes or no answer for this one.
Hi, In our organization, we use Access Management to generate access tokens and use them to authorize to API Management.
Lately we upgraded our Access Management instance in order to solve an authentication issue that was reported here and fixed in a previous version. The upgrade caused another problem: the access tokens are now not accepted by the APIM. Old AM version: 3.0.3. New AM version: 3.20. APIM version: 3.0.3.
After some digging, I saw that there are some changes inside the JWT token:
1. The domain value is given as a UUID on AM 3.20, instead of the domain name on AM 3.0.3.
2. The iss URL now contains the port (even though it is not mentioned anywhere), and before every '/' there's a '\' (new version: https://AM-FQDN:443\/domain-name\/oidc, old version: https://AM-FQDN:443/domain-name/oidc).
Both changes appear only on the new version.
Those might cause the error:
[vert.x-eventloop-thread-0] [] ERROR i.v.c.h.impl.HttpClientResponseImpl - java.lang.IllegalArgumentException: only ' ' and '\t' are allowed after '\n': Bearer realm=gravitee.io
{ "error": "invalid_token", "error_description": "Invalid or unknown client for this token"}
Now the new AM JWT is not accepted by the APIM.
We'll be happy to get help solving this issue (preferably without upgrading the APIM instance).
Thanks!