wso2 api manager 3.1.0 jwks未返回用于生成令牌的kid_Wso2_Jwt_Wso2 Am

wso2 api manager 3.1.0 jwks未返回用于生成令牌的kid

wso2 jwt

wso2 api manager 3.1.0 jwks未返回用于生成令牌的kid,wso2,jwt,wso2-am,Wso2,Jwt,Wso2 Am,从wso2 api manager 3.0.0升级到3.1.0后，我面临着验证JWT令牌的问题，该令牌由wso2生成，用于访问后端api： deployment.toml中的配置 [apim.jwt] enable = true encoding = "base64" # base64,base64url generator_impl = "DefaultJWTGenerator" #example claim_dialect = "http://wso2.org/claims" header

从wso2 api manager 3.0.0升级到3.1.0后，我面临着验证JWT令牌的问题，该令牌由wso2生成，用于访问后端api：

deployment.toml中的配置

[apim.jwt]
enable = true
encoding = "base64" # base64,base64url
generator_impl = "DefaultJWTGenerator" #example
claim_dialect = "http://wso2.org/claims"
header = "Authorization"
signing_algorithm = "SHA256withRSA"
enable_user_claims = true
claims_extractor_impl = "org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever"

在/oauth2/jwks url的响应中缺少添加到生成的令牌的kid

例如，生成的令牌的标头：

  "typ": "JWT",
  "alg": "RS256",
  "kid": "ODFjMzAxZjhmNzY2MDBhOTBlNDYwNGY2Yzc1MWM1YjgzYzJmYTJlMA"
}

来自/oauth2/jwks的答复：

{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"M2Y4OGJhNzhlMzJiNzgwMjU3NDBmNTc3ZWIyNDNlMTQyYmQwM2JhZWIyNjgxODNlNGE4ODAwMTAyYWRmODI4Yg_RS256","alg":"RS256","n":"1n880ZJW22CKADeTMLm-d1K75fuUqu6ciV9-iw3kAfmevx_SMxpv5Gm7nj_t5HeXZcBKIhOQT-wZwdaZcEQBSEwXDOgNrGM4upYzGwqm6Q_lg7tAlpz_7zpJlf_buOlUwz0Fsbnuw25cYhMg67P1mSIQ8MuhfZ3mG_WScitDcGKKgNC0-9U6FN2txiauf2dVZzoSUrQLOvFhYmSO9z-Leb9pnhGLCPjXcStAoaHtI-F8yUXB-N-x1z0C1bp0KzaIPCIRdc5sy_8CYrAKVjp4bnuoaC5n5v3ciLTvBlvw5gvDMtLDdsmR4vmoBt2uz5_iEHMBEgb7q2ouwpDm2ER0PQ"}]}

我可以看到令牌中的kid来自keystore.jks文件中的wso2carbon密钥。但无法找到jwks中的密钥来自何处。

问题是，儿童一代从SHA-1改为SHA-256。如果您有相同的问题，您可以自定义JWT令牌生成，并使用下面的代码放置kid：

String certThumbPrint = OAuth2Util.getThumbPrint(tenantDomain, tenantId);
JWSAlgorithm accessTokenSignAlgorithm = OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(signatureAlgorithm);
String kid = OAuth2Util.getKID(certThumbPrint, accessTokenSignAlgorithm);