JWKS URL does not change based on the configuration in the deployment.toml #12779

Open
pubudu538 opened this issue Mar 25, 2022 · 4 comments

@pubudu538
Contributor

Description:

In APIM v4, we have the following configuration and using that we can change the JWKS endpoint. Basically we can provide a private url to the gateways for calling the JWKS endpoint.

```toml
[apim.key_manager]
service_url = "https://wso2apim:9443/services/"
```

Looks like in APIM v4.1.0, we can't change that anymore due to a recent fix. This is an issue in container deployments as it cannot route to the external-facing endpoint (LB endpoint/Ingress). All the QSGs related to container deployment will fail and we have to ask the user to manually change the JWKS endpoint. I guess this is not a good approach for QSGs.

Had a chat with Tharindu and a possible option is to introduce a config which basically gives the permission to override the well-known URLs or not.

Steps to reproduce:

Affected Product Version:

Environment details (with versions):

  • OS:
  • Client:
  • Env (Docker/K8s):

Optional Fields

Related Issues:

Suggested Labels:

Suggested Assignees:

@nuwand
Contributor

nuwand commented Mar 25, 2022

I don't understand the fix properly. If giving permission to override the well-known URLs is ok, instead of making that the default behaviour, why are we introducing a config?

@pubudu538
Contributor Author

It seems this fix has been introduced as part of the token exchange grant. So if we override these endpoints, then the token exchange grant won't work. If we have a config, then we can control this. @tharindu1st Comments?

@tharindu1st
Contributor

@nuwand currently we read the issuer and JWKS endpoint through the well-known endpoint.
When we do that, we get the public hostname of the IDP to read the JWKS.
Since the authorization servers are behind a load balancer and they are in the same zone, they directly read from the CP through the internal hostname.

The fix is required to override the behavior that came from the OpenID Connect endpoint and keep only the generated URLs for the JWKS endpoint.
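The behaviour the two comments above describe (the gateway takes the issuer and `jwks_uri` from the well-known endpoint, while the internal hostname in `service_url` should be usable for the JWKS fetch) as an added Python example. This is not code from the WSO2 APIM project; the discovery document, the hostnames, and the `allow_override` switch standing in for the proposed config are constructed for the example, and it assumes the JWKS path is the same on the public and internal hostnames.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what an OpenID Connect provider returns from its
# /.well-known/openid-configuration endpoint. The hostnames are made up;
# the public host is what the gateway sees in the discovery document.
SAMPLE_DISCOVERY = {
    "issuer": "https://apim.example.com/oauth2/token",
    "jwks_uri": "https://apim.example.com/oauth2/jwks",
    "token_endpoint": "https://apim.example.com/oauth2/token",
}


def rewrite_authority(url, internal_base):
    """Return `url` with its scheme, host and port replaced by those of
    `internal_base`, keeping the original path and query.

    Models the override discussed in the thread: the gateway keeps the
    advertised JWKS path but fetches it through the internal hostname
    (assumption: same path layout on both hostnames). Only an absolute
    https URL is accepted, so signing keys are never fetched in the clear.
    """
    public = urlsplit(url)
    internal = urlsplit(internal_base)
    if internal.scheme != "https" or not internal.netloc:
        raise ValueError("JWKS override must be an absolute https URL")
    return urlunsplit((internal.scheme, internal.netloc, public.path, public.query, ""))


def resolve_endpoints(discovery, internal_base=None, allow_override=True):
    """Pick the issuer and JWKS URL the gateway should use.

    The issuer is always taken verbatim from the discovery document: it is
    what the `iss` claim of incoming tokens is compared against, so rewriting
    it to an internal hostname would break token validation (the token
    exchange grant concern raised in the thread). Only the JWKS fetch
    location is rewritten, and only when an override base is configured and
    `allow_override` (hypothetical name for the proposed config) permits it.
    """
    issuer = discovery["issuer"]
    jwks_uri = discovery["jwks_uri"]
    if internal_base and allow_override:
        jwks_uri = rewrite_authority(jwks_uri, internal_base)
    return {"issuer": issuer, "jwks_uri": jwks_uri}


if __name__ == "__main__":
    # service_url value from the issue; the path comes from the discovery document.
    print(resolve_endpoints(SAMPLE_DISCOVERY, "https://wso2apim:9443/services/"))
```

With `allow_override=False` the gateway keeps the public `jwks_uri` exactly as the well-known endpoint advertised it, which is the post-fix behaviour the issue reports; with the override enabled the fetch goes to `https://wso2apim:9443/oauth2/jwks` while the issuer stays the public value.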

@pubudu538
Contributor Author

As discussed, we could set the K8s service name to the ingress host as well. But we encountered an issue where the external port is 443 and the internal port is 9443. But at the K8s service level we could expose another port as 443 and route it to the 9443 port of the apim container. With that we could solve this issue. The plan is to apply these changes to the K8s-related artifacts.

4 participants