
Audience validation support for APIM #2784

Closed
Kirishikesan opened this issue Apr 2, 2024 · 1 comment · Fixed by wso2/carbon-apimgt#12511 or wso2/apim-apps#724

Comments

@Kirishikesan

Problem

Description

API authentication with audience restriction in JWT (JSON Web Token) involves ensuring that the token is only accepted by the intended audience or recipients. The audience claim (aud) in a JWT specifies the intended recipients for the token. Here are the steps to handle API authentication with audience restriction using JWT.

Steps to Reproduce

The steps needed to check the validity of the fix are as follows.

  1. Create an api
  2. Update an api with audience.
    e.g:
{
  "id": "8a734d25-c4af-406e-acb5-b76ef1d40a9d",
  "name": "PizzaShackAPI",
  "description": "This is a simple API for Pizza Shack online pizza delivery store.",
  "context": "/pizzashack",
  "version": "1.0.0",
  "provider": "admin",
  "lifeCycleStatus": "PUBLISHED",
  .
  .
  .
  "audience": ["aud1","aud2"],
  "transport": [
    "http",
    "https"
  ],
  .
  .
  .
}

  3. Deploy the api (Unless deployed the audience will not be validated)
  4. Invoke the api with jwt with audience

Solution

Create audience field in api product and validate with the audience of the jwt token

Affected Component

APIM

Version

No response

Implementation

No response

Related Issues

No response

Suggested Labels

No response
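To make the check the issue asks for concrete, here is an added example (not WSO2 code) of validating a JWT's aud claim against an API's configured audience list, as in the "audience": ["aud1","aud2"] field above. Per RFC 7519 the aud claim may be a single string or an array, so both forms are handled; the token, the API_AUDIENCE list and the make_unsigned_jwt fixture helper are constructed for the example, and signature verification is assumed to happen before this check.

```python
import base64
import json
from typing import Iterable

# Constructed: the API's configured audience list, as in the issue's API JSON.
API_AUDIENCE = ["aud1", "aud2"]


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature).
    The signature is NOT verified here; a gateway must verify it first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(b64url_decode(parts[1]))


def audience_allowed(claims: dict, api_audience: Iterable[str]) -> bool:
    """Accept the token if any of its audiences is one the API allows.
    With no configured audience the check is not enforced, matching the
    issue's note that an undeployed/unconfigured API does not validate."""
    allowed = set(api_audience)
    if not allowed:
        return True
    aud = claims.get("aud")
    if aud is None:
        return False                      # no aud claim at all: reject
    if isinstance(aud, str):
        aud = [aud]                       # RFC 7519 allows a bare string
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False                      # malformed aud: reject
    return bool(allowed.intersection(aud))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed fixture: a token whose signature part is a placeholder."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

When several applications subscribe to one API (the case tested in the comment below the fix), the API's list simply carries one entry per application audience, and the intersection check accepts any of them.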

@BiyonFernando

Tested functionality of the Audience validation support as below.

User can turn on audience validation from Application Level Security in the Runtime tab as below.
[image]

When the access token embedded in the API request does not contain the required audience value, it will respond as below. Otherwise it will pass through.
[image]

This behaviour was tested with multiple applications subscribed to a single API as well. In that case multiple audience values need to be entered.

This behaviour is tested for api products as well.
