
JWKS URL does not change based on the configuration in the deployment.toml

Open pubudu538 opened this issue 2 years ago • 4 comments

Description:

In APIM v4, we have the following configuration and using that we can change the JWKS endpoint. Basically we can provide a private URL to the gateways for calling the JWKS endpoint.

```toml
[apim.key_manager]
service_url = "https://wso2apim:9443/services/"
```

Looks like in APIM v4.1.0, we can't change that anymore due to a recent fix. This is an issue in container deployments as it cannot route to the external-facing endpoint (LB endpoint/Ingress). All the QSGs related to container deployment will fail and we have to ask the user to manually change the JWKS endpoint. I guess this is not a good approach for QSGs.

Had a chat with Tharindu and a possible option is to introduce a config which basically gives the permission to override the well-known URLs or not.

Steps to reproduce:

Affected Product Version:

Environment details (with versions):

  • OS:
  • Client:
  • Env (Docker/K8s):

Optional Fields

Related Issues:

Suggested Labels:

Suggested Assignees:

pubudu538, Mar 25 '22 09:03

I don't understand the fix properly. If giving permission to override the well-known URLs is OK, instead of making that the default behaviour why are we introducing a config?

nuwand, Mar 25 '22 09:03

It seems this fix has been introduced as part of the token exchange grant. So if we override these endpoints, then the token exchange grant won't work. If we have a config, then we can control this. @tharindu1st Comments?

pubudu538, Mar 25 '22 10:03

@nuwand currently we read the issuer and JWKS endpoint through the well-known endpoint. When doing that we get the public hostname of the IdP to read the JWKS. Since the authorization servers are behind a load balancer and they are in the same zone, they directly read from the CP through the internal hostname.

The fix is required to override the behavior that came from the OpenID Connect endpoint and keep only the generated URLs for the JWKS endpoint.

tharindu1st, Mar 25 '22 10:03
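The discussion above turns on two URLs that come from the same OpenID Connect discovery document: the `issuer`, which is a claim value that token validation (and the token exchange grant) must match exactly, and the `jwks_uri`, which is only a fetch location and is the one a gateway in a private network may need to reach through an internal hostname. The following added example (not code from the product-apim project) shows one way a "permission to override" switch could be applied: the discovered `jwks_uri` keeps its path but takes the scheme and host:port of the configured `service_url`, while the issuer is never rewritten. The discovery document, the `allow_override` flag and the `resolve_jwks_uri` function are constructed for illustration and are not product configuration keys.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of an OpenID Connect discovery document (not captured
# from a real deployment). Only the fields used below are included.
WELL_KNOWN_DOC = json.dumps({
    "issuer": "https://apim.example.com/oauth2/token",
    "jwks_uri": "https://apim.example.com/oauth2/jwks",
    "token_endpoint": "https://apim.example.com/oauth2/token",
})


def resolve_jwks_uri(well_known_json: str, service_url: str, allow_override: bool) -> str:
    """Return the JWKS URL a gateway should fetch.

    allow_override=False keeps the discovered jwks_uri unchanged (the behaviour
    the thread says 4.1.0 enforces). allow_override=True keeps the discovered
    path but replaces scheme and host:port with those of service_url, so the
    gateway can reach the key manager through an internal hostname.
    """
    doc = json.loads(well_known_json)
    discovered = doc["jwks_uri"]
    if not allow_override:
        return discovered

    base = urlsplit(service_url)
    # Refuse to downgrade key material fetches to plaintext: an attacker who can
    # serve a forged JWKS over http could get arbitrary tokens accepted.
    if base.scheme != "https" or not base.netloc:
        raise ValueError("service_url must be an https URL with a host")

    parts = urlsplit(discovered)
    return urlunsplit((base.scheme, base.netloc, parts.path, parts.query, parts.fragment))


def resolve_issuer(well_known_json: str) -> str:
    """The issuer is a claim value compared byte-for-byte against `iss`,
    so it is always taken from discovery and never overridden."""
    return json.loads(well_known_json)["issuer"]


if __name__ == "__main__":
    cfg_url = "https://wso2apim:9443/services/"
    print("issuer   :", resolve_issuer(WELL_KNOWN_DOC))
    print("no override:", resolve_jwks_uri(WELL_KNOWN_DOC, cfg_url, allow_override=False))
    print("override   :", resolve_jwks_uri(WELL_KNOWN_DOC, cfg_url, allow_override=True))
```

Keeping the override limited to the JWKS fetch location is what lets the internal hostname be used without breaking issuer matching; rejecting non-https `service_url` values closes the obvious way a misconfiguration could turn the override into a key-substitution path.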

As discussed, we could set the K8s service name to the ingress host as well. But we encountered an issue where the external port is 443 and the internal port is 9443. At the K8s service level we could expose another port as 443 and route it to the 9443 port of the apim container. With that we could solve this issue. The plan is to apply these changes to the K8s related artifacts.

pubudu538, Mar 25 '22 17:03