JWT extauth plugin with exp: true always returning access_denied, JWT is invalid

Apigee Microgateway in Cloud Foundry always returns the invalid JWT message, even for a valid JWT, with the JWT expiry setting exp: true.

{
    "error": "access_denied",
    "error_description": "JWT is invalid"
}

This is my extauth plugin configuration in application.yml 

plugins:
    sequence:
      - healthcheck
      - cloud-foundry-route-service
      - extauth
.....
.....
extauth:
  level: debug
  client_id: 'client_id'
  iss: 'iss'
  sendErr: true
  keepAuthHeader: false
  exp: true
 
Any resolution for this?
 
2 ACCEPTED SOLUTIONS

Can you explain what is in the token? The properties specifically? (obscure private values)

What specifically is the iss value you placed into configuration? Are you using 'iss' for that setting? This is not correct. It may be confusing, but the iss property accepts the value that the iss property in the token must carry. From this link:


It's a little confusing because it's inconsistent: while the client_id property in configuration defines the NAME of the property within the JWT that holds the client id, the iss property in configuration should hold the VALUE of the iss property in the JWT. If you use 'iss' it will (probably) always fail.

If this isn't the problem, can you perform some other experiments and report back the results? You said it happens only with exp:true. Can you confirm that? Are you saying the plugin does not reject the JWT if exp:false, or if exp is not present? What happens if you remove or alter the other properties in the configuration of the extauth plugin? Can you try some combinations and report your results? What happens if you omit the client_id property? etc.

If THAT doesn't satisfy, you can run the microgateway with DEBUG=plugin:extauth to get some debug statements out of the plugin. That might help you diagnose.
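To make the distinction in this answer concrete, here is an added illustration (not the extauth plugin's own code) of how the three configuration keys are read when checking an already decoded and signature-verified JWT payload. The issuer URL, the sample payload, and the assumption that a missing exp claim is rejected when exp: true are mine, not taken from the plugin.

```javascript
// Added illustration, not the extauth plugin's implementation.
// 'claims' is the decoded, signature-verified payload; 'now' is seconds since the epoch.
function checkClaims(config, claims, now) {
  const reasons = [];

  // config.iss is the VALUE the token's iss claim must equal.
  if (config.iss !== undefined && claims.iss !== config.iss) {
    reasons.push(`iss mismatch: token has "${claims.iss}", config expects "${config.iss}"`);
  }

  // config.client_id is the NAME of the claim that carries the client id.
  if (config.client_id !== undefined) {
    const value = claims[config.client_id];
    if (typeof value !== 'string' || value.length === 0) {
      reasons.push(`claim "${config.client_id}" (client id) missing`);
    }
  }

  // exp: true enforces expiry. Assumption: a missing exp is also rejected.
  if (config.exp === true) {
    if (typeof claims.exp !== 'number') {
      reasons.push('exp claim missing');
    } else if (claims.exp <= now) {
      reasons.push(`token expired at ${claims.exp}, now ${now}`);
    }
  }

  return { ok: reasons.length === 0, reasons };
}

// Constructed sample payload (placeholder issuer, not a real deployment).
const samplePayload = {
  iss: 'https://issuer.example.test',
  client_id: 'abc123',
  exp: 1700000000,
};

// The question's configuration: iss: 'iss' compares the issuer against the literal string "iss".
const askerConfig = { client_id: 'client_id', iss: 'iss', exp: true };
// The accepted fix: iss holds the issuer value the token actually carries.
const fixedConfig = { client_id: 'client_id', iss: 'https://issuer.example.test', exp: true };

console.log(JSON.stringify(checkClaims(askerConfig, samplePayload, 1699000000)));
console.log(JSON.stringify(checkClaims(fixedConfig, samplePayload, 1699000000)));
```

Run with node; the first line reports the iss mismatch that produces "JWT is invalid" for the question's configuration, the second passes.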

 


iss: "This should be the same issuer that is included in the JWT."
 
This resolved my issue

