
Incorrect WWW-Authenticate Error Description for JWT Audience Validation Failure #3548

Open
Abshan opened this issue Jul 8, 2024 · 0 comments

Comments


Abshan commented Jul 8, 2024

Description

When we secure APIs using JWT tokens, the following configuration needs to be added to the micro.gw.conf file,

[[jwtTokenConfig]]
    issuer = "https://localhost:9443/oauth2/token"
    audience = "http://org.wso2.apimgt/gateway"
    certificateAlias = "wso2apim310"
    jwksURL = "https://localhost:9443/oauth2/jwks"
    validateSubscription = false

In the above configuration snippet, if we define the audience config property, then the Microgateway validates the aud claim present in the JWT against the audience value provided in the jwtTokenConfig section. If the aud claim value in the JWT differs from the audience value defined in the configuration file, the following error message can be observed in the server logs,

ERROR [ballerina/jwt] - Invalid audience. 
ERROR [ballerina/jwt] - JWT validation failed. : error {ballerina/jwt}Error message=Invalid audience. 
ERROR [wso2/gateway/src/gateway/utils] - Failed to authenticate with jwt auth provider. : error {ballerina/auth}Error message=JWT validation failed. cause=error {ballerina/jwt}Error message=Invalid audience. 

And, at the client end, we would observe the following error message as expected.

{
    "fault": {
        "code": 900901,
        "message": "Invalid Credentials",
        "description": "Invalid Credentials. Make sure you have given the correct access token"
    }
}

However, if we check the value of the WWW-Authenticate response header received with the above response message, the error description is incorrect as shown below,

OAuth2 realm="WSO2 API Microgateway", error="invalid token" , error_description="The access token expired"

As you can see, the error_description says "The access token expired", which is incorrect. This should be corrected so that the actual cause of the failure is returned as the error_description value.

Steps to Reproduce

  1. Create a simple API and secure the API with OAuth2 (JWT)
  2. Configure the jwtTokenConfig as mentioned in the issue description.
  3. Configure an audience value that differs from the actual aud claim value available in the JWT token.
  4. Invoke the API with a valid token

Version

3.2.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response
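As an added illustration (not Microgateway code), here is a minimal JWT check in Python that reports the actual validation failure, so an aud mismatch produces error_description="Invalid audience" rather than "The access token expired". The HS256 secret, claims and realm string are constructed for the example; the gateway itself verifies against JWKS/certificates as in the config above, and the error code follows RFC 6750 (invalid_token).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only; not taken from the Microgateway.
CONFIGURED_AUDIENCE = "http://org.wso2.apimgt/gateway"
SECRET = b"example-hs256-secret"  # constructed; a gateway would use JWKS/RSA keys
REALM = "WSO2 API Microgateway"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT as constructed test input (stands in for the IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[str]:
    """Return None when the token is acceptable, else the specific failure reason."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return "Unsupported algorithm"  # refuse alg confusion (e.g. "none")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return "Invalid signature"
        claims = json.loads(_b64url_decode(p))
    except (ValueError, AttributeError):
        return "Malformed token"
    if "exp" in claims and claims["exp"] <= now:
        return "The access token expired"
    aud = claims.get("aud")  # may be a single string or a list per RFC 7519
    auds = aud if isinstance(aud, list) else [aud]
    if CONFIGURED_AUDIENCE not in auds:
        return "Invalid audience"  # the case this issue is about
    return None

def www_authenticate(reason: str) -> str:
    """Build the RFC 6750 challenge; the real reason becomes error_description."""
    return (f'OAuth2 realm="{REALM}", error="invalid_token", '
            f'error_description="{reason}"')
```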
