Closed TomasTokaMrazek closed 1 week ago
What is the API Manager version that you are using ?
@tmkasun 3.0.0. AFAIK using a JWT token instead of OAuth2 is a newly introduced feature. I'm talking about "Token Type".
In our environment we switched back to OAUTH token type, which works as expected. JWT Token Type is the one we had issues with.
Hi,
We are also facing the same issue, using the v3.1.0-m2 release. We get the below error after generating the JWT token from the application and invoking the API:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900901</ams:code>
<ams:message>Invalid Credentials</ams:message>
<ams:description>Invalid JWT token. Signature verification failed.. Make sure you have provided the correct security credentials</ams:description>
</ams:fault>
Subsequent invokes print this log:
TID: [-1234] [] [2019-12-05 15:03:05,267] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator} - Invalid JWT token. XXXXXfVgQW9bdmg
TID: [-1234] [] [2019-12-05 15:03:05,270] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Invalid Credentials
As OP mentioned, OAuth works fine. Just having issue with JWT.
Any update on this issue? Thanks.
Ah, it's okay.
I solved this by following this link from the documentation: https://apim.docs.wso2.com/en/latest/Learn/APISecurity/OAuth2DeepDive/AccessTokenTypes/jwt-tokens/#importing-the-public-certificate-into-the-client-trust-store
Thanks.
Looks like the issue is due to the specific alias gateway_certificate_alias – that's what I actually found in the source code. I'll test it, thank you @imchivaa for linking the updated documentation.
Hello,
I am still having a similar problem to this.
I am using a third party IDP as the keymanager (keycloak based IDP)
I've imported the public certificate to the truststore under the gateway_certificate_alias.
However, the third party keymanager docs, under the "extending key validation handler" section, state that token validation is done in the getTokenMetaData() method, which is never called in my setup. Am I missing any configuration step? I need this method to get called so my IDP can validate the token.
I'm also facing the same issue. We are using APIm 3.1.0 and IS-KM 5.10.0. We have imported the certificate of IS-KM to APIm with gateway_certificate_alias and restarted but still, the issue is not resolved.
Hello, I got it working. In my case, I had to import the public certificate of the Realm in RH-SSO which signed the JWT token under an alias corresponding to its KID.
Good news is that WSO2 APIM 3.2.0, the newest version at the time of this writing, supports adding a keymanager via its admin interface, which makes the process easier, but I still had to import the certificate as I stated above.
We set up a custom hostname with a proper certificate generated from a trusted CA authority.
I can successfully generate a JWT token from the API Gateway. Its header property "x5t" is the SHA-1 fingerprint.
In the system directory /repository/resources/security there are two JKS:
- wso2carbon.jks – with a private/public key pair alias named wso2carbon
- client-truststore.jks – with a certificate alias named wso2carbon
Both wso2carbon entries have the same fingerprint as specified in the JWT header property. Yet the API call response is "Invalid JWT token. Signature verification failed."
Is there any configuration we could've missed or is it a bug?
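The recurring diagnosis in this thread is a mismatch between the certificate the gateway looks up (under a configured alias such as gateway_certificate_alias, or an alias equal to the token's KID) and the certificate that actually signed the JWT, whose SHA-1 fingerprint is carried base64url-encoded in the "x5t" header. The following script is an added example, not code from this issue or from WSO2: it decodes the header, computes the keytool-style SHA-1 fingerprint of each truststore entry, and reports whether the configured alias holds the matching certificate. The certificate bytes and the token are constructed placeholders (a real check would feed the DER bytes exported with keytool); it checks the certificate lookup only, not the RS256 signature itself.

```python
import base64
import hashlib
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used in JWT headers and the x5t claim."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Base64url decode, restoring the padding JWT segments omit."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sha1_fingerprint(cert_der: bytes) -> bytes:
    """Certificate fingerprint = SHA-1 over the DER encoding (what keytool prints)."""
    return hashlib.sha1(cert_der).digest()


def keytool_style(fingerprint: bytes) -> str:
    """Render a fingerprint the way `keytool -list -v` shows it: AA:BB:CC:..."""
    return ":".join(f"{b:02X}" for b in fingerprint)


def x5t_from_der(cert_der: bytes) -> str:
    """The x5t header value is base64url(SHA-1(DER))."""
    return b64url_encode(sha1_fingerprint(cert_der))


def jwt_header(token: str) -> dict:
    """Decode the first JWT segment (the JOSE header) without verifying anything."""
    return json.loads(b64url_decode(token.split(".")[0]))


def diagnose(token: str, truststore: dict, configured_alias: str):
    """Compare the token's x5t against every truststore entry.

    truststore maps alias -> DER bytes. Returns (status, matching_aliases):
      "ok"          the configured alias holds the signing certificate
      "wrong-alias" the certificate is present but under another alias
      "missing"     no entry in the truststore matches the token's x5t
    """
    x5t = jwt_header(token).get("x5t")
    matches = [alias for alias, der in truststore.items() if x5t_from_der(der) == x5t]
    if configured_alias in matches:
        return "ok", matches
    if matches:
        return "wrong-alias", matches
    return "missing", matches


# Constructed placeholders: NOT real DER certificates, only stand-ins whose
# SHA-1 hashes play the role of certificate fingerprints for this demo.
SIGNING_CERT_DER = b"constructed-placeholder-for-the-gateway-signing-cert"
OTHER_CERT_DER = b"constructed-placeholder-for-an-unrelated-cert"

# Constructed token: real header layout, placeholder payload and signature.
DEMO_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "demo-kid",
               "x5t": x5t_from_der(SIGNING_CERT_DER)}
DEMO_TOKEN = ".".join([
    b64url_encode(json.dumps(DEMO_HEADER, separators=(",", ":")).encode()),
    b64url_encode(b'{"sub":"demo-app"}'),
    b64url_encode(b"placeholder-signature"),
])


if __name__ == "__main__":
    hdr = jwt_header(DEMO_TOKEN)
    print("token x5t  :", hdr["x5t"])
    print("keytool fp :", keytool_style(sha1_fingerprint(SIGNING_CERT_DER)))
    # Scenario from the thread: the cert is in the truststore, but under an
    # alias the gateway does not consult -> "Signature verification failed".
    store = {"wso2carbon": SIGNING_CERT_DER, "some-ca": OTHER_CERT_DER}
    print(diagnose(DEMO_TOKEN, store, "gateway_certificate_alias"))
    store["gateway_certificate_alias"] = SIGNING_CERT_DER
    print(diagnose(DEMO_TOKEN, store, "gateway_certificate_alias"))
```

To apply it to a real deployment, export each alias from client-truststore.jks with `keytool -exportcert -rfc` and feed the decoded DER bytes in as the truststore values; a "wrong-alias" result is exactly the situation the replies above resolved by re-importing the certificate under gateway_certificate_alias or under the token's KID.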