Pradeep Kumar

Reputation: 11

WSO2 APIM - Issue with sub claim using client credential approach

I am trying to generate a JWT from the WSO2 token endpoint using the password and client credentials approaches, but I am not finding any difference in the sub claim value. It's always pointing to the user id only; shouldn't it have the application id/client id in the sub claim for a JWT generated using the client credentials approach?

Example:

  1. Token obtained using password grant:

Request:

POST https://localhost:8243/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 53

grant_type=password&username=api3dev&password=api3dev

JWT in response (header, then payload):

{"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}

{"aud":"http://org.wso2.apimgt/gateway","sub":"[email protected]","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502664,"iat":1600499064,"jti":"426d64a9-932b-4f0c-b396-202fd03dd960"}

  2. Token obtained using client credentials:

Request:

POST https://localhost:8243/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 29

grant_type=client_credentials

JWT in response (header, then payload):

{"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}

{"aud":"http://org.wso2.apimgt/gateway","sub":"[email protected]","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"am_application_scope default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502788,"iat":1600499188,"jti":"8091497e-9978-4541-99b9-efca50b16868"}

In the above example you can see that the sub claim always has the user id only.

Upvotes: 1

Views: 180

Answers (1)

Burillodev

Reputation: 321

In WSO2 API Manager, when you are generating an access_token with client_credentials, the sub claim is populated with the owner of the application (service provider). I am not sure that in client credentials the sub claim should be populated with the client_id of the OAuth2 application, though client credentials is a machine-to-machine authz process without user credentials, so the sub (subject) claim should be a user, in this case the owner. For me it is a correct value.

Upvotes: 1
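The practical consequence of the two tokens above is that a backend behind the gateway cannot use sub to tell a user-driven call from a machine-to-machine call: sub is the application owner in both. What does differ is the scope string (the client_credentials token carries am_application_scope) and what identifies the calling application is consumerKey and application.id. The following added example, which is not part of the question, the answer, or WSO2's own code, reproduces the two claim sets from the question (with the sub value exactly as the page shows it, and the tierInfo/subscribedAPIs blocks dropped because they play no part in identifying the caller), builds sample tokens with a placeholder signature, and extracts a caller identity from the claims instead of from sub. Treating am_application_scope as the marker of a client_credentials grant is an assumption drawn from the two samples on the page; checking the RS256 signature against the gateway's certificate is deliberately left out and must happen before any of these claims are trusted.

```python
import base64
import json
import time
from typing import Optional

GATEWAY_AUDIENCE = "http://org.wso2.apimgt/gateway"  # aud value seen in both tokens

# Claim sets copied from the two tokens shown in the question. sub is reproduced
# exactly as the page shows it (it is redacted there); tierInfo and subscribedAPIs
# are omitted because they do not identify the caller.
PASSWORD_GRANT_CLAIMS = {
    "aud": GATEWAY_AUDIENCE,
    "sub": "[email protected]",
    "application": {"owner": "api2dev", "tierQuotaType": "requestCount",
                    "tier": "Unlimited", "name": "demoapp_oriKeymgr",
                    "id": 68, "uuid": None},
    "scope": "default",
    "iss": "https://localhost:9443/oauth2/token",
    "keytype": "PRODUCTION",
    "consumerKey": "RsNaf9jk60DB3kWCovdfDftSZIoa",
    "exp": 1600502664,
    "iat": 1600499064,
    "jti": "426d64a9-932b-4f0c-b396-202fd03dd960",
}
CLIENT_CREDENTIALS_CLAIMS = dict(
    PASSWORD_GRANT_CLAIMS,
    scope="am_application_scope default",   # only observable difference besides exp/iat/jti
    exp=1600502788,
    iat=1600499188,
    jti="8091497e-9978-4541-99b9-efca50b16868",
)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims: dict) -> str:
    """Constructed sample token: page header and claims, placeholder signature.
    A real gateway token carries an RS256 signature in the third segment."""
    header = {"typ": "JWT", "alg": "RS256"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([
        _b64url_encode(compact(header)),
        _b64url_encode(compact(claims)),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Split the compact JWT and decode its payload segment (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def caller_identity(claims: dict, now: Optional[int] = None) -> dict:
    """Derive who is calling from the WSO2 claims, without relying on sub.

    Assumption (from the two samples on the page): a client_credentials token
    carries am_application_scope, a password-grant token does not.
    """
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != GATEWAY_AUDIENCE:
        raise ValueError("unexpected audience")
    scopes = claims.get("scope", "").split()
    app = claims.get("application", {})
    return {
        "subject": claims["sub"],                # application owner in both grants
        "client_id": claims["consumerKey"],      # identifies the OAuth2 application
        "application_id": app.get("id"),
        "application_owner": app.get("owner"),
        "grant": "client_credentials" if "am_application_scope" in scopes else "user",
    }


if __name__ == "__main__":
    for label, claims in (("password", PASSWORD_GRANT_CLAIMS),
                          ("client_credentials", CLIENT_CREDENTIALS_CLAIMS)):
        token = build_sample_token(claims)
        print(label, caller_identity(decode_claims(token), now=1600500000))
```

Run stand-alone, the script prints the same subject and client_id for both tokens and a different grant value, which is the point of the question restated as a check a backend can actually make: authorise on client_id/application_id and the grant marker, and treat sub as the application owner rather than as the end user.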
