webMethods


Any one did oAuth2 Authentication with Azure AD as External Authorization in API GW

  • 1.  Any one did oAuth2 Authentication with Azure AD as External Authorization in API GW

    Posted Tue February 06, 2024 10:43 AM

    Hi All,
    We have tried wM as the authorization server in API GW and it worked fine. We are trying to set up oAuth2 Authentication using an external authorization server, and for that Azure AD is the oAuth provider.

    At the Azure side we have set up the App registration, scope and all of that, and when we generate the token we see the token is getting generated.

    When we invoke the API with the generated token we get "token expired or invalid", whereas the token is a valid one.

    Steps followed

    1. In API GW --> Administration --> Security --> JWT/OAuth/OpenID and
      Add Authorization Server
      Name, Discovery URL and in scopes gave the relative details

    Can you please let me know whether any specific settings still need to be done.


    #oauth2
    #webMethods-API-GW
    #Azure-Authorization-Server
    #API-Gateway
    #API-Management
    #webMethods


  • 2.  RE: Any one did oAuth2 Authentication with Azure AD as External Authorization in API GW

    Posted Mon February 12, 2024 05:56 AM


  • 3.  RE: Any one did oAuth2 Authentication with Azure AD as External Authorization in API GW

    Posted Mon February 12, 2024 06:34 AM

    Hi @parre.abhijith,
    I see the only reason for the error is that we have not done the scope mapping.
    As you said you have done the scope mapping, I don't see any need to do anything with respect to the dynamic client registration. We need to pass the discovery URL and the rest should get populated.
    As I don't have an Azure provider, I will use a local Auth server and try to replicate it.

    Regards
    Vikash Sharma


    #webMethods-API-GW
    #oauth2
    #API-Management
    #Azure-Authorization-Server
    #API-Gateway
    #webMethods


  • 4.  RE: Any one did oAuth2 Authentication with Azure AD as External Authorization in API GW

    Posted Mon February 12, 2024 08:51 AM

    Sure, thank you. Will wait for your inputs after your implementation.


    #API-Management
    #webMethods
    #oauth2
    #webMethods-API-GW
    #Azure-Authorization-Server
    #API-Gateway


  • 5.  RE: Any one did oAuth2 Authentication with Azure AD as External Authorization in API GW

    Posted Thu February 15, 2024 04:40 AM

    Hi @parre.abhijith,
    I created the POC with a local auth server and I can see I am getting the invalid token error in the case when I remove the mapping from the scope.
    In your case you are using Azure, so the only point I can think of is some access related issue at the Azure end when the token is generated.
    This token has limited access, maybe because of which it is giving "the token is invalid".

    Regards
    Vikash Sharma


    #API-Gateway
    #oauth2
    #Azure-Authorization-Server
    #webMethods
    #webMethods-API-GW
    #API-Management


  • 6.  RE: Any one did oAuth2 Authentication with Azure AD as External Authorization in API GW

    Posted Thu February 15, 2024 07:32 AM

    Hi Vikash,

    Thanks for the response. I have raised a ticket with SAG and it is now solved.

    Azure generates JWT tokens even if we select oAuth details. So we had to do the below steps.

    In the local introspection gave the URL of the issuer generated from the token (meaning Azure is giving one introspection URL, but when the token is requested the iss is different, in my case at least).

    iss: https://sts.windows.net/xxxxxxxxxxxxx/

    When I click on discover in 3rd party authorization

    Azure is giving out https://login.microsoftonline.com/xxxxxxxxxxx/v2.0

    Once the token is generated from Azure and the token is passed to the API, SAG asked us to keep the policy as JWT; only then will it work.

    oAuth token from Azure is JWT

    Policy for API should be JWT as per SAG

    Also in Application created a strategy and gave the Audience as the aud from the JWT

    Now the output is successful

    If I change the policy back to oAuth in the API

    Then the same error

    So the final recommendation from SAG is: oAuth tokens from Azure are JWT tokens, and in the API we need to select the policy as JWT


    #webMethods-API-GW
    #API-Management
    #webMethods
    #API-Gateway
    #Azure-Authorization-Server
    #oauth2


  • 7.  RE: Any one did oAuth2 Authentication with Azure AD as External Authorization in API GW

    Posted Mon February 12, 2024 06:34 AM

    Ensure the following:

    1. Please check the issuer present in the JWT is the same as the one configured as the authorization server issuer in the Local introspection section
    2. Validate the scope mapping
    3. Ensure the client id and audience are matching between the JWT and the strategy of the application created.

    #webMethods-API-GW
    #webMethods
    #API-Gateway
    #Azure-Authorization-Server
    #oauth2
    #API-Management
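    The three checks above (issuer, scope mapping, audience) and the iss mismatch reported in the resolution post (sts.windows.net in the token versus login.microsoftonline.com/.../v2.0 from discovery) can be pre-flighted before touching the gateway. The script below is an added example, not from this thread or the webMethods product: it decodes the token payload without verifying the signature (the gateway does that against the provider JWKS) and reports which expectation does not line up. The tenant id, audience, scope and token are constructed placeholders.

```python
# Added example, not from the thread or the webMethods product. Decodes an Azure AD
# access token WITHOUT verifying the signature (the gateway does that against the
# provider JWKS) and reports issuer/audience/scope mismatches. Token values are constructed.
import base64
import json
import time


def decode_jwt_unverified(token):
    """Return the payload claims of a compact JWT; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, expected_iss, expected_aud, mapped_scopes, now=None):
    """Return a list of mismatch descriptions; an empty list means the claims line up."""
    claims = decode_jwt_unverified(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch: token=%r configured=%r" % (claims.get("iss"), expected_iss))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append("aud mismatch: token=%r strategy=%r" % (auds, expected_aud))
    # Azure carries delegated scopes in 'scp' (space separated) and app roles in 'roles'
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    if not granted & set(mapped_scopes):
        problems.append("no mapped scope granted: token=%s" % sorted(granted))
    if claims.get("exp", 0) <= now:  # a token with no exp claim is treated as expired
        problems.append("token expired")
    return problems


def make_unsigned_sample(claims):
    """Constructed sample token; the signature segment is a placeholder, not a real signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return "%s.%s.placeholder-signature" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))


TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
V1_ISS = "https://sts.windows.net/%s/" % TENANT               # issuer seen in the token
V2_ISS = "https://login.microsoftonline.com/%s/v2.0" % TENANT  # issuer from discovery
SAMPLE = make_unsigned_sample({"iss": V1_ISS, "aud": "api://example-api",
                               "scp": "orders.read", "exp": 4102444800})

if __name__ == "__main__":
    # Gateway configured with the discovery issuer: reproduces the thread's mismatch
    for problem in check_token(SAMPLE, V2_ISS, "api://example-api", {"orders.read"}, now=0):
        print(problem)
```

Running it with the discovery issuer configured prints only the iss mismatch; switching the configured issuer to the value found in the token clears it, which is the fix the resolution post describes for the Local introspection setting.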


  • 8.  RE: Any one did oAuth2 Authentication with Azure AD as External Authorization in API GW

    Posted Mon February 12, 2024 06:42 AM
    1. Please check the issuer present in the JWT is the same as the one configured as the authorization server issuer in the Local introspection section
      Abhijith: Yes, they are the same.

    2. Validate the scope mapping
      Abhijith: Yes, the scope is also correct.

    3. Ensure the client id and audience are matching between the JWT and the strategy of the application created.
      Abhijith: They are matching.


    #webMethods
    #Azure-Authorization-Server
    #API-Gateway
    #webMethods-API-GW
    #oauth2
    #API-Management