Closed Buddhimah closed 2 months ago
Is there a way around this until we get to upgrade to 5.12.0?
@gkaran https://is.docs.wso2.com/en/latest/learn/adding-and-configuring-an-identity-provider/#configuring-a-resident-identity-provider Go to the resident IdP configuration, click OAuth2/OpenID Connect Configuration, and under Resident IdP Entity ID change the host name and port to the host and port of the .well-known endpoint.
@Buddhimah I hope someday I will be able to buy you a beer!! Cheers!
@Buddhimah I am facing the same issue. I changed the resident IdP entity ID but am still getting the same error.
Below are the screenshots.
Hi @Buddhimah I have the same issue even if I change the idp entity id. What else could be causing this error?
@waqasalirazzaq @yairhdz the :443 needs to be removed from the IdP entity ID. It should look like this:
https://*****.com/oauth2/token
I tried to explain this issue and the possible remedial actions in this blog. I hope it might be useful. https://thivi.medium.com/fix-invalid-id-token-issue-in-wso2-identity-server-5-11-0-6bd9f7dc5db6
@thivi it solved the problem. Thanks.
@thivi well explained. Thank you.
Describe the issue: When we add the config
The resident IdP entity ID also appends that port, but the OAuth SDK does not expect this port in the issuer URL [1].
[1].https://github.com/asgardio/asgardio-js-oidc-sdk/blob/master/packages/oidc-js/src/utils/sign-in.ts#L218
How to reproduce:
Add the config to deployment toml
Try accessing /console or /myaccount; ID token validation will fail and the following error can be observed in the browser console:
[Error] Unhandled Promise Rejection: Invalid id_token in the token response: eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l
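The mismatch described in this issue, as an added example (not code from the asgardio SDK or from WSO2 Identity Server): an ID token whose `iss` claim carries an explicit `:443`, checked first with the plain string comparison the report describes, then with a URL-aware comparison. The token, the issuer host `idp.example.com` and the helper names are constructed for the example; the token is unsigned and the snippet only inspects the issuer claim, which a real validator must read only after verifying the signature.

```javascript
// Added example (not the SDK's or WSO2's code): why an issuer that carries
// an explicit ":443" fails an ID-token check that compares the "iss" claim
// as a plain string, and how a URL-aware comparison avoids the mismatch.
// The token below is constructed here with a made-up payload and a
// placeholder signature; it is never trusted as a real token.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const padded = str.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Constructed unsigned token: header.payload.signature with a placeholder signature.
function makeIdToken(issuer) {
  const header = { alg: 'none', typ: 'JWT' };
  const payload = { iss: issuer, sub: 'alice', aud: 'my-client', exp: 4102444800 };
  return `${base64UrlEncode(header)}.${base64UrlEncode(payload)}.sig-placeholder`;
}

function getIssuerClaim(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(base64UrlDecode(parts[1])).iss;
}

// Strict comparison, the behaviour the issue describes: any difference in
// the string, including an explicit default port, is rejected.
function issuerMatchesStrict(idToken, expectedIssuer) {
  return getIssuerClaim(idToken) === expectedIssuer;
}

// URL-aware comparison (illustration, not the SDK's logic): the WHATWG URL
// parser drops a port equal to the scheme default, so
// "https://idp.example.com:443/oauth2/token" and
// "https://idp.example.com/oauth2/token" serialize identically, while a
// non-default port such as 8443 still mismatches.
function issuerMatchesNormalized(idToken, expectedIssuer) {
  try {
    return new URL(getIssuerClaim(idToken)).href === new URL(expectedIssuer).href;
  } catch {
    return false; // unparsable issuer: treat as mismatch
  }
}

const EXPECTED_ISSUER = 'https://idp.example.com/oauth2/token';
const tokenWithDefaultPort = makeIdToken('https://idp.example.com:443/oauth2/token');
const tokenWithoutPort     = makeIdToken('https://idp.example.com/oauth2/token');
const tokenWithOtherPort   = makeIdToken('https://idp.example.com:8443/oauth2/token');

console.log('strict, :443   ->', issuerMatchesStrict(tokenWithDefaultPort, EXPECTED_ISSUER));
console.log('strict, fixed  ->', issuerMatchesStrict(tokenWithoutPort, EXPECTED_ISSUER));
console.log('url,    :443   ->', issuerMatchesNormalized(tokenWithDefaultPort, EXPECTED_ISSUER));
console.log('url,    :8443  ->', issuerMatchesNormalized(tokenWithOtherPort, EXPECTED_ISSUER));
```

Run with `node`. The strict check is the one that produces the "Invalid id_token" rejection in the report when the entity ID carries `:443`; the remedy the thread settles on is to remove the port from the resident IdP entity ID so the `iss` string matches exactly, which the URL-aware comparison merely shows to be equivalent for the default port.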