JWT: no "typ" in JWT header - PullRequest
0 votes
/ 01 March 2020

I am using the wso2am-3.0.0 distribution. I am trying to access a resource provider via client_credentials using JWT. I am following these procedures:

and changing default.json, for example:

"oauth.grant_type.client_credentials.allow_id_token": true,
"apim.jwt.enable": true,
"apim.jwt.enable_user_claims": true,
"apim.jwt.generator_impl": "org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator",
"oauth.token.validation.include_validation_context_as_jwt_in_reponse": true,

Token generation works fine:

curl -ik --tlsv1.2 -X POST --user <CLIENT_ID>:<CLIENT_SECRET> -d "grant_type=client_credentials&scope=openid" 'https://localhost:8243/token'

But the call to the service provider fails:

curl -ik 'https://localhost:8243/sample/1.0.0/myservice' -H "Authorization: Bearer <BEARER>" 

Here is the stack trace:

[2020-03-01 18:49:44,573] DEBUG - OAuthAuthenticator Not a JWT token. Failed to decode the token header.
org.json.JSONException: JSONObject["typ"] not found.
        at org.json.JSONObject.get(JSONObject.java:473) ~[json_3.0.0.wso2v1.jar:?]
        at org.json.JSONObject.getString(JSONObject.java:654) ~[json_3.0.0.wso2v1.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate_aroundBody4(OAuthAuthenticator.java:193) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:107) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:419) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:413) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:349) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:320) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.apache.synapse.rest.API.process(API.java:366) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:325) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v38.jar:?]
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:188) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v38.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_221]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_221]

So I looked at the generated JWT header in jwt.io:

{
  "x5t": "ZjRmYTMwNTJjOWU5MmIzMjgzNDI3Y2IyMmIyY2EzMjdhZjViMjc0Zg",
  "kid": "ZjRmYTMwNTJjOWU5MmIzMjgzNDI3Y2IyMmIyY2EzMjdhZjViMjc0Zg_RS256",
  "alg": "RS256"
}

It seems there is no "typ" element. I thought it should be {"typ": "JWT", "alg": "RS256"}

Here is the error from the cURL command:

curl -ik -X GET 'https://localhost:8243/sample/1.0.0/myservice' -H "accept: application/json" -H "Authorization: Bearer <TOKEN>"
HTTP/1.1 401 Unauthorized
Access-Control-Expose-Headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
WWW-Authenticate: OAuth2 realm="WSO2 API Manager", error="invalid_token", error_description="The access token expired"
Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,Authorization
accept: application/json
Content-Type: application/json; charset=UTF-8
Date: Sun, 01 Mar 2020 23:10:17 GMT
Transfer-Encoding: chunked

{"fault":{"code":0,"message":"Unclassified Authentication Failure","description":"Access failure for API: /sample/1.0.0, version: 1.0.0 status: (0) - Unclassified Authentication Failure"}}

Any ideas?
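As an added illustration (not code from the question or from WSO2), the Python below decodes a token's JOSE header the way a gateway does before any signature check, and shows why a header like the one above, carrying x5t/kid/alg but no typ, trips a strict lookup of "typ" while a tolerant lookup still classifies it as a JWT. The token payload and signature segments are constructed placeholders; nothing here verifies signatures.

```python
import base64
import json
from typing import Optional

# Constructed samples: the header copied from the question (no "typ") and a
# conventional RFC 7519 header for comparison.
HEADER_FROM_QUESTION = {
    "x5t": "ZjRmYTMwNTJjOWU5MmIzMjgzNDI3Y2IyMmIyY2EzMjdhZjViMjc0Zg",
    "kid": "ZjRmYTMwNTJjOWU5MmIzMjgzNDI3Y2IyMmIyY2EzMjdhZjViMjc0Zg_RS256",
    "alg": "RS256",
}
HEADER_WITH_TYP = {"typ": "JWT", "alg": "RS256"}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS segments are encoded (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWS encoding strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(header: dict) -> str:
    """Constructed token: the given header, placeholder payload and signature."""
    payload = {"sub": "admin", "aud": "sample-api"}  # constructed placeholder
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


def decode_header(token: str) -> Optional[dict]:
    """Return the JOSE header as a dict, or None if the token is not JWS-shaped."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque reference token, not three dot-separated segments
    try:
        return json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64 or bad JSON in the first segment
        return None


def classify(token: str) -> str:
    """Gateway-style decision: 'jwt', 'jwt-missing-typ' or 'opaque'."""
    header = decode_header(token)
    if header is None:
        return "opaque"
    # A strict getString("typ") (as in the stack trace) raises when the key is
    # absent; a tolerant lookup falls back to the presence of "alg" instead.
    if header.get("typ", "").upper() == "JWT":
        return "jwt"
    return "jwt-missing-typ" if "alg" in header else "opaque"
```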

...