We have tried wM as the authorization server in API GW and it worked fine. We are now trying to set up OAuth2 authentication using an external authorization server, and for that Azure AD is the OAuth provider.
On the Azure side we have set up the app registration, the scope and all of that, and when we generate the token we see that the token is getting generated.
When we invoke the API with the generated token we get "token expired or invalid", whereas the token is a valid one.
- In API GW --> Administration --> Security --> JWT/OAuth/OpenID, Add Authorization Server
- Gave the Name, Discovery URL and, in Scopes, the relevant details
Can you please let me know if any specific settings still need to be done.
Any comments on this, guys…
I see the only reason for the error is that the scope mapping has not been done.
As you said you have done the scope mapping, I don't see the need to do anything with respect to dynamic client registration. We need to pass the discovery URL and the rest should get populated.
As I don't have an Azure provider, I will use a local auth server and try to replicate it.
1. Please check that the issuer present in the JWT is the same as the one configured as the authorization server issuer in the Local introspection section.
Abhijith: Yes, they are the same.
2. Validate the scope mapping.
Abhijith: Yes, the scope is also correct.
3. Ensure the client ID and audience match those in the JWT and in the strategy of the application created.
Abhijith: They are matching.
Sure, thank you… I will wait for your inputs after your implementation.
Hi @parre.abhijith,
I created the POC with a local auth server and I can see that I get the invalid token error in the case where I remove the mapping from the scope.
In your case you are using Azure, so the only point I can think of is some access-related issue at the Azure end when the token is generated.
This token has limited access, maybe because of which it is saying the token is invalid.
Thanks for the response. I have raised a ticket with SAG and it is now solved.
Azure generates JWT tokens even if we select OAuth details, so we had to do the below steps:
- In the local introspection, gave the URL of the issuer taken from the token (meaning Azure gives one introspection URL, but when the token is requested the iss is different, in my case at least). When I click on Discover in 3rd-party authorization, Azure gives out https://login.microsoftonline.com/xxxxxxxxxxx/v2.0
- Once the token is generated from Azure and passed to the API… SAG asked us to keep the policy as JWT; only then will it work. The OAuth token from Azure is a JWT, so the policy for the API should be JWT as per SAG.
- Also, in the Application, created a strategy and gave the Audience as the aud from the JWT.
Now the output is successful.
If I change the policy back to OAuth in the API, then I get the same error.
So the final recommendation from SAG is: OAuth tokens from Azure are JWT tokens, and in the API we need to select the policy as JWT.
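The three checks that resolved this thread (issuer in the token vs. the issuer configured in local introspection, audience vs. the application strategy, and scope mapping) can be run offline against a token before touching the gateway configuration. The script below is an added example, not code from the webMethods API Gateway product, from Software AG or from the poster. It decodes the JWT payload without verifying the signature, so it is a diagnostic only: it tells you which claim disagrees with the gateway's expectations, while the gateway's JWT policy still has to do the real signature check. The tenant ID, audience value, scopes and sample tokens are all constructed placeholders; the two issuer formats (login.microsoftonline.com/{tenant}/v2.0 from discovery, sts.windows.net/{tenant}/ in v1.0-style access tokens) are the common Azure AD forms and reproduce the "iss is different from the discovery URL" mismatch described above.

```python
import base64
import json
import time

# Added diagnostic helper; not part of webMethods API Gateway or Azure AD.
# It decodes a JWT WITHOUT verifying the signature, so use it only to find
# out which claim the gateway is rejecting, never as an authorization check.


def b64url_decode(segment):
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Return (header, claims) of a compact JWT. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def check_token_against_gateway(token, expected_issuer, expected_audience,
                                required_scopes=(), now=None):
    """Compare the token's claims with what the gateway's JWT policy and
    application strategy expect. Returns a list of mismatch descriptions;
    an empty list means iss, aud, exp/nbf and scopes all line up."""
    now = time.time() if now is None else now
    problems = []
    header, claims = decode_jwt_claims(token)

    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg=none: unsigned token, must never be accepted")

    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append("issuer mismatch: token iss=%r, gateway issuer=%r"
                        % (iss, expected_issuer))

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append("audience mismatch: token aud=%r, strategy audience=%r"
                        % (aud, expected_audience))

    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token expired or has no exp (exp=%r, now=%r)" % (exp, now))
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now:
        problems.append("token not yet valid (nbf=%r, now=%r)" % (nbf, now))

    # Azure AD carries delegated scopes in "scp" (space separated) and
    # application permissions in "roles" (a list); accept either.
    granted = set(str(claims.get("scp", "")).split()) | set(claims.get("roles", []))
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append("scope mapping gap: token lacks %r" % missing)
    return problems


def make_sample_token(claims):
    """Build a CONSTRUCTED token with a dummy signature for offline testing."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


# Placeholder values (constructed, not from any real tenant or API).
TENANT = "00000000-0000-0000-0000-000000000000"
V2_ISSUER = "https://login.microsoftonline.com/%s/v2.0" % TENANT  # from Discover
V1_ISSUER = "https://sts.windows.net/%s/" % TENANT                # in a v1.0 token
API_AUDIENCE = "api://example-gateway-api"
NOW = 1_700_000_000  # fixed clock so the demo is deterministic


def demo():
    """Token whose iss is the v1.0 form while the gateway was configured from
    discovery with the v2.0 form: exactly the mismatch the thread hit."""
    token = make_sample_token({"iss": V1_ISSUER, "aud": API_AUDIENCE,
                               "exp": NOW + 3600, "nbf": NOW - 60,
                               "scp": "read write"})
    return check_token_against_gateway(token, V2_ISSUER, API_AUDIENCE,
                                       ["read"], now=NOW)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it against a real token by pasting the token into make_sample_token's place and the issuer/audience the gateway shows in Local introspection and the application strategy; a single "issuer mismatch" line is the signal that the issuer field needs to be set to the token's iss rather than the discovery URL, as the poster ended up doing.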