wso2 / istio-apim

Apache License 2.0

Generated JWT doesn't seem to include scopes #25

Closed wx-yz closed 4 years ago

wx-yz commented 4 years ago

Description: I'm following the docs and I can't seem to invoke the httpbin API after creating a JWT. Created an application and I'm selecting scopes before generating the JWT.

[Screenshot: Screen Shot 2019-12-19 at 8 46 10 PM]

Generated JWT,

[Screenshot: Screen Shot 2019-12-19 at 8 46 43 PM]

When I try to invoke the API, I'm getting unclassified authentication error,

% curl http://localhost:32004/httpbin/1.0.0/headers -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5UQXhabU14TkRNeVpEZzNNVFUxWkdNME16RXpPREpoWldJNE5ETmxaRFUxT0dGa05qRmlNUSJ9.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.deQVHwlc2KySgXY1ZlQkeB0Od58hw07YKYA94i62pyTAmVdqFZz4OetOz_-O26F2GsNyQ4BSui3Fkg-xQS3cH3tO7Tsu38HGzWvK8b2V6CqJVL_Ees18opm7bewty0A8c2rjnJ34cKHcjTiRh0LPq_gNFN_MJFsbxFzdHvQOYM4h6X2jWWUS109d_6bjnWNdPY3oXNjOu9hx6UFn_9Lv2CaNio477mSfb4jXy1DeRncjlwA-1nFYfQ9xKHo8daZcwhr_g_SIxi_T2ofUU2HyaRrqAs-riXGb4lYRppNDzG8wJX-ImvkavAuW0gTo-rvhp7h6ozb-b0XZl9mXM-lNnw=="

<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>0</ams:code><ams:message>Unclassified Authentication Failure</ams:message><ams:description>Access failure for API: /httpbin/1.0.0, version: 1.0.0 status: (0) - Unclassified Authentication Failure</ams:description></ams:fault>

Backend error,

[2019-12-20 04:48:19,099] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /httpbin/1.0.0, version: 1.0.0 status: (0) - Unclassified Authentication Failure
    at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:256)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:210)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:158)
    at org.apache.synapse.rest.API.process(API.java:325)
    at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

After enabling debugging for org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator, the generated log seems to be unreadable:

[2019-12-20 04:46:12,681] DEBUG - APIMJWTGenerator signed assertion value : u�  \ج��v5fT$xw�!�N�)�=�.��$��Wj��9�N���ۡv�rC�R�-Œ�A-�{N�;.����k����$[��\��`�!�}�Ye�O]���c]=��\�λ�q�Ag����&���;�d�o���P�Fw#�>�qX}q(z<u�\�����/�ڇ�Sa�i�ϫ�q��V��C�o0%����
                                                                                                      �����᧸z�6�oEٗٗ3�M�

Affected Product Version:

wso2am-istio-1.0

% istioctl version
version.BuildInfo{Version:"1.1.17", GitRevision:"149c2fc74f0af60e8dedb6d69d58f1bbab3e0ec4", User:"root", Host:"a3952397-ef79-11e9-842f-2a0912242356", GolangVersion:"go1.12.9", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.16-2-g149c2fc"}

% kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:16:51Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:07:57Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}

pubudu538 commented 4 years ago

Hi @wx-yz,

Did you add the role when adding the scope? If not, please add the role when adding the scope. Then demote the API and republish it again to apply the changes to Istio.

Thank you! Pubudu.

wx-yz commented 4 years ago

Hi @pubudu538, I added the admin role but I still get the same error. Also, from the UI it doesn't seem like the role is mandatory. Only the scope key and name are mandatory.

[Screenshot: Screen Shot 2019-12-20 at 10 52 33 AM]

I added roles and demoted and republished the API. However, I get the same exception. Then I created another API, added scopes with the admin role, subscribed using a new application, and generated the token, but I still get the same exception.

New token does seem to have the correct scopes.

[Screenshot: Screen Shot 2019-12-20 at 10 56 16 AM]

Invoking the API,

% curl http://localhost:32004/binapi/1.0.0/headers -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5UQXhabU14TkRNeVpEZzNNVFUxWkdNME16RXpPREpoWldJNE5ETmxaRFUxT0dGa05qRmlNUSJ9.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.ewhra-159W5Z2q6pNOVZwsDpuzxr7Dq-DY7hwGjGuUvKaCcHGlQhIDY_0wzmnf7o8davstdchAIxcy_sjV-R6s_CISA-I9SXJrgOL5kcX4HHvGiKAEBS_dPf9xt__SRWq--PZvPlu-ZdFct1iPNo5rwNSrGu4aWha8CLQOcd5_AormlbdhaPQEGewEl8xuPSph6cX_AkE6I7eMqKpcjWC3DK9jfT2z3YsjfE7I3MZvlJ8OVTApCI079hTRFVjafh4wfgNsELDGX8bJg8kK2R78nalaH8XOhdVdF-mXd_galXWI7VKO56Hqkk-bt7xUwnYe3yhmBIPUxIN6uR7r6ntw=="
<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>0</ams:code><ams:message>Unclassified Authentication Failure</ams:message><ams:description>Access failure for API: /binapi/1.0.0, version: 1.0.0 status: (0) - Unclassified Authentication Failure</ams:description></ams:fault>

Backend error,

[2019-12-20 18:50:53,434] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /binapi/1.0.0, version: 1.0.0 status: (0) - Unclassified Authentication Failure
    at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:256)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:210)
    at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:158)
    at org.apache.synapse.rest.API.process(API.java:325)
    at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149)
    at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
    at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

pubudu538 commented 4 years ago

Hi @wx-yz,

Are you trying the Istio integration? If it is the Istio integration, our gateway is not used in this case. Instead of the WSO2 gateway, the ingress gateway is used. Please check https://github.com/wso2/istio-apim#step-62---access-the-service. When the request goes through the ingress gateway, the mixer plugin applies the authentication, API subscription validation, metrics, etc.

In APIM 2.6.0, we don't support invoking the API using a JWT token in the WSO2 Gateway. In the latest version, which is APIM v3.0.0, this is supported. Basically, JWT token generation is there in APIM 2.6.0 for the API Microgateway.

Thank you! Pubudu.
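The thread above turns on two separate questions: whether the generated JWT actually carries the selected scopes (wx-yz's original report), and whether the component receiving the token is one that accepts JWTs at all (pubudu538's answer: the 2.6.0 WSO2 gateway does not, the Istio ingress/mixer path and the microgateway do). The script below is an added example, not code from wso2/istio-apim or from either participant. It decodes a compact JWS without verifying it, so a practitioner can confirm claims such as `scope` and the `alg`/`x5t` header before suspecting the gateway. Assumptions: scopes live in a space-separated `scope` claim (WSO2's convention; a JSON list is also tolerated), the `x5t` header is base64 of the hex SHA-1 certificate thumbprint (inferred from the value in this issue), and the sample payload, subject and expiry are constructed here for illustration. The header segment is copied verbatim from the two curl commands in the issue; the payload was not preserved on the page, so it is not reused.

```python
import base64
import json

# Header segment copied verbatim from the curl commands in this issue.
# The payload segment is not on the page, so only the header is reused.
ISSUE_HEADER_B64 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5UQXhabU14TkRNeVpEZzNNVFUxWkdNME16RXpPREpoWldJNE5ETmxaRFUxT0dGa05qRmlNUSJ9"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, tolerating both the unpadded form RFC 7515
    requires and stray trailing '=' (the tokens pasted in this issue end in '==')."""
    segment = segment.strip().rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload and raw signature bytes.
    The signature is NOT verified: this is an inspection tool, not an authenticator."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def token_scopes(payload: dict) -> set:
    """Scopes as a set. WSO2 emits a space-separated 'scope' string (assumption);
    a JSON list is accepted too because other issuers use one."""
    scope = payload.get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def x5t_to_hex(x5t: str) -> str:
    """Assumption: WSO2 encodes x5t as base64 of the hex SHA-1 cert thumbprint.
    Returns that hex string so it can be compared with `keytool`/`openssl` output."""
    return b64url_decode(x5t).decode("ascii")


def issue_header() -> dict:
    return json.loads(b64url_decode(ISSUE_HEADER_B64))


def inspect(token: str, required_scope: str) -> dict:
    """The checks to run before blaming the gateway: algorithm, key hint, scopes."""
    t = parse_jwt(token)
    hdr, payload = t["header"], t["payload"]
    scopes = token_scopes(payload)
    return {
        "alg": hdr.get("alg"),
        "alg_is_rs256": hdr.get("alg") == "RS256",  # 'none' or HS* here is a red flag
        "x5t": hdr.get("x5t"),
        "scopes": sorted(scopes),
        "has_required_scope": required_scope in scopes,
        "sig_len": len(t["signature"]),  # a real RS256 signature over a 2048-bit key is 256 bytes
    }


def build_sample_token(scope: str) -> str:
    """Constructed sample with the same header shape as the issue's token and a
    placeholder signature, only for exercising the inspection code offline."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": b64url_encode(b"constructed")}
    payload = {"iss": "wso2.org/products/am", "sub": "admin@carbon.super",  # constructed values
               "scope": scope, "exp": 1576900000}
    placeholder_sig = b"\x00" * 32  # not a real signature
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(placeholder_sig),
    ])


if __name__ == "__main__":
    h = issue_header()
    print("issue token header:", h, "thumbprint:", x5t_to_hex(h["x5t"]))
    sample = build_sample_token("httpbin_read admin")
    print("constructed sample:", inspect(sample, "httpbin_read"))
```

Two caveats matter when reading the output. First, a token whose `scope` claim looks right is still rejected if it is sent to a component that does not accept JWTs, which is exactly the situation pubudu538 describes for the 2.6.0 WSO2 gateway; the claims tell you what the token asserts, not who will honour it. Second, none of this checks the RS256 signature against the certificate the `x5t` thumbprint names; the receiving gateway must do that, and a tool that only decodes claims must never be used as an authorization decision.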