wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Enforce type header validation not working #21080

Open dilshanfardil opened 2 weeks ago

dilshanfardil commented 2 weeks ago

Describe the issue: Hi Team,

```toml
[apim.token.validation]
enforce_type_header_validation = true
```

But it didn't work, because WSO2 IS (as the key manager) still produced access tokens without the "typ" header. However, this type header is present in the tokens generated by IS 6.1.0, and the above parameter and fix work with IS KM 6.1.0.

How to reproduce:

  1. Set up APIM 4.1.0 with IS 5.11 as the KM.
  2. Enable the property below in APIM to enforce the type header for token validation:
     ```toml
     [apim.token.validation]
     enforce_type_header_validation = true
     ```

Expected behavior:

Environment information
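The check that `enforce_type_header_validation` turns on is, in essence, "look at the JOSE header of the incoming JWT and reject it if `typ` is missing (or has the wrong value)". The example below is an added illustration of that check, not code from WSO2 APIM or Identity Server. It builds two constructed sample tokens inline, one whose header carries `typ` and one without it (the difference the issue describes between key-manager versions), and runs the check over both. The HS256 key, the `kid`, the claims, and the `at+jwt` type value (the value RFC 9068 defines for JWT access tokens; the issue does not say which value IS 6.1.0 emits) are all assumptions made for the demo.

```python
"""Inspect a JWT's JOSE header for "typ" before the token is accepted.

Added example, not code from WSO2 APIM or Identity Server. The sample tokens,
signing key and claim values below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed HMAC key for the sample tokens; not a real key-manager key.
SAMPLE_KEY = b"example-hmac-key-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(header: dict, claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Build an HS256-signed compact JWS from the given header and claims."""
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header; raise ValueError if this is not a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def _normalize_typ(value: str) -> str:
    # Media type names are case-insensitive, and RFC 9068 allows both the short
    # form "at+jwt" and the full "application/at+jwt"; compare on a common form.
    value = value.lower()
    return value[len("application/"):] if value.startswith("application/") else value


def check_typ_header(token: str, expected_typ: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Emulate an 'enforce type header' check on an incoming access token.

    Returns (accepted, typ_value). With expected_typ=None the header only has to
    carry *some* typ; otherwise the value must match after normalization. A token
    with no typ at all is rejected, which is the failure the issue reports for
    tokens issued by the older key manager.
    """
    typ = jwt_header(token).get("typ")
    if not isinstance(typ, str):
        return False, None
    if expected_typ is not None and _normalize_typ(typ) != _normalize_typ(expected_typ):
        return False, typ
    return True, typ


# Constructed sample tokens: the first resembles a token whose header carries
# typ, the second a token that lacks it. Claims are placeholders.
TOKEN_WITH_TYP = make_sample_jwt(
    {"alg": "HS256", "typ": "at+jwt", "kid": "demo-key"},
    {"sub": "alice", "aud": "demo-api", "scope": "read"},
)
TOKEN_WITHOUT_TYP = make_sample_jwt(
    {"alg": "HS256", "kid": "demo-key"},
    {"sub": "alice", "aud": "demo-api", "scope": "read"},
)

if __name__ == "__main__":
    for name, tok in (("with typ", TOKEN_WITH_TYP), ("without typ", TOKEN_WITHOUT_TYP)):
        print(name, "any typ:", check_typ_header(tok), "require at+jwt:", check_typ_header(tok, "at+jwt"))
```

Two caveats for anyone using this to diagnose the issue above. First, the check reads the header without verifying the signature, which is fine for deciding to reject early but is not a substitute for signature validation before any claim is trusted. Second, the purpose of a `typ` check is to stop a JWT minted for another purpose (an ID token, for instance) from being accepted as an access token, so once enforcement is on, every token issuer in front of the gateway has to emit the header, which is exactly what the older key-manager versions in this thread do not do.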

hisanhunais commented 1 week ago

The same concern is faced in a setup with APIM 3.2.0 and ISKM 5.10.0. This is because the JWT tokens generated by ISKM 5.10.0 do not have the typ header in the access token.