Enabling JWT signature for backend services in WSO2AM-2.6.0 (6.x branch)
<JWTConfiguration>
<EnableJWTGeneration>true</EnableJWTGeneration>
<JWTHeader>X-JWT-Assertion</JWTHeader>
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
</JWTConfiguration>
However, developers complain that the signature is not valid (according to the JOSE library). I tested the token on the jwt.io page and it also claims the signature is not valid.
I see that since the previous version (wso2am-2.1.0) the signature generation has changed (it no longer uses any external framework), but since the change the signature is not considered valid by other frameworks (jose, jwt.io).
Is there any way to configure wso2am to create a valid (verifiable) signature?
Edit:
I see the JWT token is signed only using APIMJWTGenerator, though it doesn't help to make the token verifiable.
The exception is:
"stacktrace": "org.jose4j.jwt.consumer.InvalidJwtException:
Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException:
The X.509 Certificate Thumbprint header(s) in the JWS do not identify any of the provided Certificates - x5t=NTA3YzJmZDk0OTg4N2ViNWRlY2M4N2NlMDdjMmNlNjliOTRkYjM1OA vs. SHA-1 thumbs:[UHwv2UmIfrXezIfOB8LOablNs1g].)
Does the validation have something to do with the x5t header attribute?
Edit2: apparently the x5t header is expected to contain the SHA-1 certificate signature; the provided value NTA3YzJmZDk0OTg4N2ViNWRlY2M4N2NlMDdjMmNlNjliOTRkYjM1OA is too long to be SHA-1 or is invalid.
Edit3:
It seems the issue is related to https://github.com/wso2/carbon-apimgt/issues/5535, the fix for which apparently breaks compatibility with backend services (and the frameworks they use); a fix is being prepared.
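The two x5t values in the jose4j exception can be reconciled offline, which makes the cause of the UnresolvableKeyException concrete. The following is an added example, not code from the question or from WSO2: it decodes the x5t carried in the token, shows that it is the base64url encoding of the 40-character hex rendering of the certificate's SHA-1 thumbprint (54 characters) rather than of the raw 20-byte digest that RFC 7515 section 4.1.7 requires (27 characters), and rewrites it into the form jose4j computed from the configured certificate. The function names, the stand-in certificate bytes and the lenient matcher at the end are my own constructions.

```python
import base64
import binascii
import hashlib

# Values copied from the jose4j exception in the question.
X5T_IN_TOKEN = "NTA3YzJmZDk0OTg4N2ViNWRlY2M4N2NlMDdjMmNlNjliOTRkYjM1OA"
X5T_JOSE4J_COMPUTED = "UHwv2UmIfrXezIfOB8LOablNs1g"


def b64url_encode(data: bytes) -> str:
    # JOSE base64url: URL-safe alphabet, no '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JOSE strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rfc7515_x5t(cert_der: bytes) -> str:
    # RFC 7515 section 4.1.7: x5t is base64url of the raw SHA-1 digest of the
    # DER certificate: 20 bytes, which encodes to 27 characters.
    return b64url_encode(hashlib.sha1(cert_der).digest())


def hex_then_b64url_x5t(cert_der: bytes) -> str:
    # The encoding the value from the stack trace turns out to use: the digest
    # is rendered as 40 lowercase hex characters and that ASCII string is then
    # base64url-encoded (54 characters). An RFC 7515 consumer cannot match
    # this against any certificate's thumbprint.
    return b64url_encode(hashlib.sha1(cert_der).hexdigest().encode("ascii"))


def diagnose_x5t(value: str) -> tuple:
    """Classify an x5t header value.

    Returns (kind, digest): kind is 'rfc7515' for a correctly encoded value,
    'hex-then-base64' for the double-encoded form, or 'unknown'; digest is the
    recovered 20-byte SHA-1 thumbprint (or the raw decoded bytes if unknown)."""
    raw = b64url_decode(value)
    if len(raw) == 20:
        return "rfc7515", raw
    try:
        digest = binascii.unhexlify(raw.decode("ascii"))
        if len(digest) == 20:
            return "hex-then-base64", digest
    except (UnicodeDecodeError, ValueError):  # binascii.Error is a ValueError
        pass
    return "unknown", raw


def normalize_x5t(value: str) -> str:
    # Rewrite a double-encoded x5t into the RFC 7515 form; leave others alone.
    kind, digest = diagnose_x5t(value)
    if kind == "hex-then-base64":
        return b64url_encode(digest)
    return value


def x5t_matches_cert(value: str, cert_der: bytes) -> bool:
    # Hypothetical lenient check a consumer could run before key resolution:
    # accept the double-encoded form so the signing certificate is still found.
    # The signature itself must still be verified against that certificate.
    return normalize_x5t(value) == rfc7515_x5t(cert_der)


if __name__ == "__main__":
    kind, digest = diagnose_x5t(X5T_IN_TOKEN)
    print(kind, digest.hex())           # hex-then-base64 507c2fd9...b94db358
    print(normalize_x5t(X5T_IN_TOKEN))  # UHwv2UmIfrXezIfOB8LOablNs1g
    print(normalize_x5t(X5T_IN_TOKEN) == X5T_JOSE4J_COMPUTED)  # True
    # Constructed stand-in for a DER certificate; any bytes exercise the encoders.
    fake_cert = b"constructed stand-in for a DER-encoded X.509 certificate"
    print(len(rfc7515_x5t(fake_cert)), len(hex_then_b64url_x5t(fake_cert)))  # 27 54
```

Running this against the value from the exception recovers exactly the thumbprint jose4j listed under "SHA-1 thumbs", so the key lookup fails on the header encoding, not on the certificate itself. Whether the signature then verifies is a separate question that the stack trace does not answer.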