APIM gateway couldn't find a public certificate to verify the signature

Time: 2020-02-23 15:29:36

Tags: wso2 wso2-am wso2is

We are hitting a blocking error during JWT token validation in the gateway.

We are testing an integration environment with two docker containers on two different VMs. The first VM contains APIM 3.0.0, the second contains IS 5.9 as the Key Manager. IS is federated with Azure AD.

Through IS we obtain a well-formed JWT token carrying the user data from Azure, but APIM cannot find a public certificate to verify the signature with the given alias. Both wso2 components have their own client-truststore.jks, which we updated with re-created public certificates (we replaced localhost with the public IPs of the VMs).

Some useful details below:

This is the error in the APIM container's log:

[2020-01-30 15:20:00,072]  WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown
[2020-01-30 15:20:00,404] ERROR - GatewayUtils Couldn't find a public certificate to verify signature with alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256
[2020-01-30 15:20:00,405] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:433) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:413) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:349) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:320) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
        at org.apache.synapse.rest.API.process(API.java:366) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:325) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v38.jar:?]
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
        at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:412) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:181) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v38.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]

These are the keys served by https://my_is_ip:my_port/oauth2/jwks:

{
   "keys":[
      {
         "kty":"RSA",
         "e":"AQAB",
         "use":"sig",
         "kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
         "alg":"RS256",
         "n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
      },
      {
         "kty":"RSA",
         "e":"AQAB",
         "use":"sig",
         "kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
         "alg":"RS256",
         "n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
      }
   ]
}

This is the result of the Postman call:

<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
    <ams:code>900900</ams:code>
    <ams:message>Unclassified Authentication Failure</ams:message>
    <ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>

This is the JWT token:

HEADER

{
  "x5t": "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
  "kid": "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
  "alg": "RS256"
}

PAYLOAD

{
  "at_hash": "hGnuod6ShKRrlkH_P-k4QA",
  "sub": "d6206844-e54b-4ec2-8ace-26b46da24df2",
  "ver": "1.0",
  "richAccettazionePrivacy": "***************",
  "iss": "https://***************:9443/oauth2/token",
  "given_name": "***************",
  "richAttivazioneCarta": "***************",
  "tid": "962b4d1f-a68b-433e-aa78-265ef05d1047",
  "aud": [
    "dSdZgafomIsRXYQr6XyxIZyjp74a",
    "***************"
  ],
  "nbf": 1580399831,
  "azp": "dSdZgafomIsRXYQr6XyxIZyjp74a",
  "extension_codiceFiscale": "***************",
  "scope": "openid",
  "auth_time": "1580399827",
  "name": "***************",
  "exp": 1580403431,
  "iat": 1580399831,
  "personaId": "***************",
  "family_name": "***************",
  "jti": "c3b8c9bf-029c-4e51-8969-07f898e5654f",
  "email": "***************"
}

How can this be solved?

3 answers:

Answer 0 (score: 0)

The public certificate of the private key used to sign the token should be added to the trust store under the "gateway_certificate_alias" alias. For more information, see Importing public certificates into the client truststore.

Reference: https://apim.docs.wso2.com/en/3.0.0/Learn/APISecurity/OAuth2/AccessTokenTypes/jwt-tokens/

Answer 1 (score: 0)

We solved the problem by adding the Identity Server public certificate to the API Manager client truststore, with an alias equal to the kid present in the token header.

Answer 2 (score: 0)

As you can see, there is no public certificate with alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256.

  1. Navigate to the IS_HOME/repository/resources/security/ directory.
  2. Run keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks in that directory. The password is wso2carbon. This creates a copy of the wso2carbon certificate.
  3. Run keytool -import -trustcacerts -keystore client-truststore.jks -alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256 -file wso2.crt in API-M_HOME/repository/resources/security/ to add the wso2carbon public key to the truststore.
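The following is an added example, not code from the question, any of the answers, or WSO2. It shows how to work out which truststore alias the gateway will look for before running the keytool steps above, and why the two JWKS entries and the token header line up the way they do. It relies on the convention visible in the question's own data: the x5t value decodes to the 40-character hex string d831c41574b7892a5d7d67cfc29ee8f71a72c9dd, i.e. IS 5.9 builds x5t as base64url of the hex SHA-1 thumbprint of the signing certificate, and kid as x5t followed by "_" and the algorithm; GatewayUtils then looks for a truststore entry whose alias equals that kid. The certificate bytes and the sample token are constructed placeholders, and the keytool argv helper only assembles the command from answer 2 without executing it.

```python
"""Work out which truststore alias the APIM 3.0 gateway expects for a JWT.

Added example, not code from the question, the answers, or WSO2.  Assumptions
(taken from the token and JWKS shown in the question):
  x5t = base64url(hex(SHA-1(certificate DER)))
  kid = x5t + "_" + alg
  the gateway truststore alias must equal kid.
The certificate bytes and the token below are constructed placeholders.
"""
import base64
import hashlib
import json
from typing import List, Optional

X5T = "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA"
KID = X5T + "_RS256"

# Subset of the JWKS from the question; the RSA modulus is not needed for the
# alias lookup, so "n" is omitted here.
JWKS = {
    "keys": [
        {"kty": "RSA", "e": "AQAB", "use": "sig", "kid": X5T, "alg": "RS256"},
        {"kty": "RSA", "e": "AQAB", "use": "sig", "kid": KID, "alg": "RS256"},
    ]
}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url (JOSE style)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode to base64url and strip the padding, as JOSE does."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS.  Nothing is verified here."""
    return json.loads(b64url_decode(token.split(".", 1)[0]))


def wso2_thumbprint(cert_der: bytes) -> str:
    """x5t as IS 5.9 emits it: base64url of the hex digest, not of the raw SHA-1."""
    return b64url_encode(hashlib.sha1(cert_der).hexdigest().encode("ascii"))


def wso2_kid(cert_der: bytes, alg: str = "RS256") -> str:
    """kid = thumbprint + "_" + alg; this is also the alias the gateway expects."""
    return f"{wso2_thumbprint(cert_der)}_{alg}"


def thumbprint_hex(kid: str, alg: str = "RS256") -> str:
    """Recover the hex SHA-1 thumbprint embedded in a kid (alg suffix optional)."""
    suffix = "_" + alg
    if kid.endswith(suffix):
        kid = kid[: -len(suffix)]
    return b64url_decode(kid).decode("ascii")


def kid_matches_certificate(kid: str, cert_der: bytes) -> bool:
    """True when the token's kid was derived from this certificate."""
    return thumbprint_hex(kid) == hashlib.sha1(cert_der).hexdigest()


def find_jwk(jwks: dict, kid: str) -> Optional[dict]:
    """Look up the JWKS entry whose kid matches the token header exactly."""
    return next((k for k in jwks["keys"] if k.get("kid") == kid), None)


def keytool_import_argv(cert_file: str, truststore: str, alias: str) -> List[str]:
    """Assemble the keytool import command from answer 2 with the alias filled in."""
    return ["keytool", "-import", "-trustcacerts", "-keystore", truststore,
            "-alias", alias, "-file", cert_file]


# Constructed sample token: the header is the one from the question, the payload
# is minimal and the third segment is placeholder bytes, not a real signature.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"x5t": X5T, "kid": KID, "alg": "RS256"}).encode()),
    b64url_encode(b'{"sub": "demo"}'),
    b64url_encode(b"not-a-signature"),
])


if __name__ == "__main__":
    header = jwt_header(SAMPLE_TOKEN)
    print("alias the gateway will look for:", header["kid"])
    print("JWKS entry found:", find_jwk(JWKS, header["kid"]) is not None)
    print("hex thumbprint inside the kid:", thumbprint_hex(header["kid"]))
    fake_der = b"constructed certificate bytes"  # stands in for the DER of wso2.crt
    print("kid derived from the constructed cert:", wso2_kid(fake_der))
    print(" ".join(keytool_import_argv("wso2.crt", "client-truststore.jks", header["kid"])))
```

In practice, replace the constructed bytes with the DER of the certificate exported in step 2 (keytool -export writes DER by default) and compare wso2_kid() against the kid in the token header: if they differ, the exported certificate is not the one IS signs with, and importing it under the kid alias will not make the gateway's lookup succeed.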