Once I enabled the JWTTokenIssuer in identity.xml, the tokens get generated as JWT tokens, but even with PersistAccessTokenAlias set to true, they are always stored in the database as the access token itself rather than the alias.
This is a problem since, for OpenID validation, libraries touching the userinfo endpoint will fail: during validation the query uses the jti component to query the table, as shown below, while the table has the full JWT token.
```sql
SELECT CONSUMER_KEY, AUTHZ_USER, ACCESS_TOKEN_TABLE.TENANT_ID, USER_DOMAIN, TOKEN_SCOPE, TIME_CREATED,
REFRESH_TOKEN_TIME_CREATED, VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD, USER_TYPE, REFRESH_TOKEN,
ACCESS_TOKEN_TABLE.TOKEN_ID, GRANT_TYPE, SUBJECT_IDENTIFIER FROM (SELECT TOKEN_ID, CONSUMER_KEY,
AUTHZ_USER, IDN_OAUTH2_ACCESS_TOKEN.TENANT_ID AS TENANT_ID, IDN_OAUTH2_ACCESS_TOKEN.USER_DOMAIN
AS USER_DOMAIN, TIME_CREATED, REFRESH_TOKEN_TIME_CREATED, VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD,
USER_TYPE, REFRESH_TOKEN, IDN_OAUTH2_ACCESS_TOKEN.GRANT_TYPE AS GRANT_TYPE, SUBJECT_IDENTIFIER
FROM (SELECT * FROM IDN_OAUTH2_ACCESS_TOKEN WHERE ACCESS_TOKEN='4fbba8b7-95a6-4b49-a0ab-01092baa484f'
AND TOKEN_STATE='ACTIVE') IDN_OAUTH2_ACCESS_TOKEN JOIN IDN_OAUTH_CONSUMER_APPS ON CONSUMER_KEY_ID
= ID) ACCESS_TOKEN_TABLE LEFT JOIN IDN_OAUTH2_ACCESS_TOKEN_SCOPE ON ACCESS_TOKEN_TABLE.TOKEN_ID
= IDN_OAUTH2_ACCESS_TOKEN_SCOPE.TOKEN_ID
```
Bottom line, the issue is that with the JWTTokenIssuer IdentityOAuthTokenGenerator, regardless of the PersistAccessTokenAlias setting, the persistence is done with the full token rather than its alias.
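To make the mismatch concrete, here is an added illustration (not WSO2 code and not the project's own API): a small model of the persistence key versus the validation lookup key. The JWT is constructed inline with a placeholder signature, `persistence_key` and `lookup_key` are hypothetical helpers, and the jti value reuses the one from the query above.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def is_jwt(token: str) -> bool:
    """Structural check only: three dot-separated segments with a JSON header."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        json.loads(_b64url_decode(parts[0]))
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def jwt_jti(token: str) -> str:
    """Read the jti claim. No signature check here; this is a storage-key helper only."""
    return json.loads(_b64url_decode(token.split(".")[1]))["jti"]


def persistence_key(token: str, persist_alias: bool) -> str:
    """Value written to ACCESS_TOKEN: the jti alias when alias persistence is on and the
    token is a JWT; otherwise the raw token. persist_alias=False models the reported bug."""
    return jwt_jti(token) if persist_alias and is_jwt(token) else token


def lookup_key(token: str) -> str:
    """Value the validation query compares against ACCESS_TOKEN: jti for a JWT."""
    return jwt_jti(token) if is_jwt(token) else token


def make_unsigned_jwt(jti: str) -> str:
    """Constructed sample token; the third segment is a placeholder, not a real signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"jti": jti, "sub": "alice", "scope": "openid"}).encode())
    return f"{header}.{payload}.placeholder-signature"


def simulate(persist_alias: bool) -> bool:
    """Persist one ACTIVE token, then validate it the way the query above does."""
    token = make_unsigned_jwt("4fbba8b7-95a6-4b49-a0ab-01092baa484f")
    store = {persistence_key(token, persist_alias): {"TOKEN_STATE": "ACTIVE"}}
    row = store.get(lookup_key(token))
    return row is not None and row["TOKEN_STATE"] == "ACTIVE"
```

`simulate(True)` finds the row; `simulate(False)` misses it, which is the userinfo failure described above.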
shilmyhasan pushed a commit to shilmyhasan/identity-inbound-auth-oauth-1 that referenced this issue on Dec 20, 2023.