
I have the following scenario using the SAME client ID and client secret:

Get token 1 and call API A - works as expected.

Get token 2 and call API B - works as expected.

Go back and call API A with token 1. I get the error "Invalid JWT token. Make sure you have provided the correct security credentials".

Does that mean that all previous tokens get invalidated once a new token gets issued? Even if it has not reached its expiry?

If I use different client IDs and client secrets, I do not get the issue.

Adding a scope does not make a difference.

Lakshitha
Johan

3 Answers


When you subscribe to an API using an Application and generate a token, you can use the same token to call another API subscribed using the same Application.

If you regenerate the token for a newly subscribed API, then the previous token will be invalidated.

Joy Rathnayake

I believe this is the design of the JWT token flow of WSO2 APIM and IS. At a given time, there should be only one active JWT token for a single client ID/secret pair.

Ideally, since the token is not expired, it should return the same token; however, due to the size of the JWT, it is not practical to store the entire token in the persistence layer. Instead, only the JTI value is recorded, and with it alone the KM cannot generate the same token in the second token call. Instead, it revokes the previous one and generates a new token.

Edit:

You can achieve this "same client ID/secret with multiple tokens" use case by using device scopes (or any other scopes). The difference is:

  1. If the scopes and client ID/secret are the same in both token calls, the 1st token will be revoked by the 2nd call.
  2. If the scopes are different, the 2nd token will be generated with different scopes without revoking the 1st token.
Lakshitha

From my DevOps team: Long story short is that the device scopes weren’t being whitelisted. The config wasn’t there previously. We added the config to the Identity Server, and device scopes are now whitelisted.

I can now achieve my objective by adding a unique scope to each call.

Johan
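The second answer states the rule (one active JWT per client ID/secret pair, tracked only by JTI, so a repeat request with the same scopes revokes the earlier token while a different scope set does not) and the third answer applies it as the fix (a unique scope per call). The model below is an added illustration of that rule, not WSO2 key-manager code; `KeyManagerModel`, `IssuedToken`, `reproduce_scenario` and the client/scope names are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedToken:
    """Only the JTI is what the key manager persists; the rest is bookkeeping."""
    jti: str
    client_id: str
    scopes: frozenset
    exp: float
    revoked: bool = False


class KeyManagerModel:
    """Constructed model of the rule in the answers: one active JWT per
    (client_id, scope set). Same scopes again -> prior token is revoked;
    a different scope set -> both tokens stay valid."""

    def __init__(self):
        self._active = {}   # (client_id, frozenset(scopes)) -> IssuedToken
        self._by_jti = {}   # jti -> IssuedToken; what a JWT validator consults

    def issue(self, client_id, scopes=(), ttl=3600):
        key = (client_id, frozenset(scopes))
        prev = self._active.get(key)
        if prev is not None and not prev.revoked:
            # Only the JTI was stored, so the same JWT cannot be re-issued;
            # the earlier token is revoked before a fresh one is minted.
            prev.revoked = True
        tok = IssuedToken(secrets.token_hex(8), client_id, key[1], time.time() + ttl)
        self._active[key] = tok
        self._by_jti[tok.jti] = tok
        return tok

    def validate(self, jti):
        # Mirrors the gateway check that yields "Invalid JWT token" once revoked.
        tok = self._by_jti.get(jti)
        return tok is not None and not tok.revoked and tok.exp > time.time()


def reproduce_scenario():
    """Question's sequence (no scope) vs. the accepted fix (unique scope per call)."""
    km = KeyManagerModel()
    t1, t2 = km.issue("client-A"), km.issue("client-A")
    same_scopes = (km.validate(t1.jti), km.validate(t2.jti))
    km = KeyManagerModel()
    d1, d2 = km.issue("client-A", ["device_api_a"]), km.issue("client-A", ["device_api_b"])
    unique_scopes = (km.validate(d1.jti), km.validate(d2.jti))
    return {"same_scopes": same_scopes, "unique_scopes": unique_scopes}
```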