wso2 / product-microgateway

Choreo Connect is a cloud-native, open-source, and developer-centric API gateway.
https://wso2.com/choreo/choreo-connect/
Apache License 2.0

Incorrect WWW-Authenticate Error Description for JWT Audience Validation Failure #3548

Open Abshan opened 2 weeks ago

Abshan commented 2 weeks ago

Description

When we secure APIs using JWT tokens, the following configuration needs to be added to the micro.gw.conf file:

[[jwtTokenConfig]]
    issuer = "https://localhost:9443/oauth2/token"
    audience = "http://org.wso2.apimgt/gateway"
    certificateAlias = "wso2apim310"
    jwksURL = "https://localhost:9443/oauth2/jwks"
    validateSubscription = false

In the above configuration snippet, if we define the audience config property, then the Microgateway validates the aud claim present in the JWT against the audience value provided in the jwtTokenConfig section. If the aud claim value in the JWT differs from the audience value defined in the configuration file, the following error messages can be observed in the server logs:

ERROR [ballerina/jwt] - Invalid audience.
ERROR [ballerina/jwt] - JWT validation failed. : error {ballerina/jwt}Error message=Invalid audience.
ERROR [wso2/gateway/src/gateway/utils] - Failed to authenticate with jwt auth provider. : error {ballerina/auth}Error message=JWT validation failed. cause=error {ballerina/jwt}Error message=Invalid audience.

And, at the client end, we would observe the following error message, as expected:

{
    "fault": {
        "code": 900901,
        "message": "Invalid Credentials",
        "description": "Invalid Credentials. Make sure you have given the correct access token"
    }
}

However, if we check the value of the WWW-Authenticate response header received with the above response message, the error description is incorrect, as shown below:

OAuth2 realm="WSO2 API Microgateway", error="invalid token" , error_description="The access token expired"

As you can see, the error_description says "The access token expired", which is incorrect. This should be corrected so that the actual cause of the failure is returned as the error_description value.

Steps to Reproduce

  1. Create a simple API and secure the API with OAuth2 (JWT)
  2. Configure the jwtTokenConfig as mentioned in the issue description.
  3. Configure an audience value that differs from the actual aud claim value available in the JWT token.
  4. Invoke the API with a valid token

Version

3.2.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response