I have a project that is using WSO2 API Manager. I am getting an error whenever I configure my API to use OAuth2 as Application Level Security. The error is not present when I use API Key. In my deployment.toml the hostname is different from my API gateway URL.
I tried to make the deployment.toml as close as possible to the default settings shipped with WSO2 APIM:
[server]
hostname = "apim.sit.company.com"
...
[[apim.gateway.environment]]
name = "Default"
type = "hybrid"
provider = "wso2"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://localhost:${mgt.transport.https.port}/services/"
username= "${admin.username}"
password= "${admin.password}"
ws_endpoint = "ws://localhost:9099"
wss_endpoint = "wss://localhost:8099"
http_endpoint = "http://apimgw.sit.company.com"
https_endpoint = "https://apimgw.sit.company.com"
Here's the error I got from the logs:
[2023-04-18 06:24:40,959] ERROR - JWTValidatorImpl Error while parsing JWT
java.text.ParseException: Unexpected exception: Cannot invoke "String.length()" because "in" is null
at com.nimbusds.jose.util.JSONObjectUtils.parse(JSONObjectUtils.java:77) ~[nimbus-jose-jwt_7.9.0.wso2v1.jar:?]
at com.nimbusds.jose.jwk.JWKSet.parse(JWKSet.java:309) ~[nimbus-jose-jwt_7.9.0.wso2v1.jar:?]
at org.wso2.carbon.apimgt.impl.jwt.JWTValidatorImpl.retrieveJWKSet_aroundBody22(JWTValidatorImpl.java:227) ~[org.wso2.carbon.apimgt.impl_9.28.116.jar:?]
at org.wso2.carbon.apimgt.impl.jwt.JWTValidatorImpl.retrieveJWKSet(JWTValidatorImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.28.116.jar:?]
at org.wso2.carbon.apimgt.impl.jwt.JWTValidatorImpl.validateSignature_aroundBody8(JWTValidatorImpl.java:144) ~[org.wso2.carbon.apimgt.impl_9.28.116.jar:?]
at org.wso2.carbon.apimgt.impl.jwt.JWTValidatorImpl.validateSignature(JWTValidatorImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.28.116.jar:?]
at org.wso2.carbon.apimgt.impl.jwt.JWTValidatorImpl.validateToken_aroundBody0(JWTValidatorImpl.java:61) ~[org.wso2.carbon.apimgt.impl_9.28.116.jar:?]
at org.wso2.carbon.apimgt.impl.jwt.JWTValidatorImpl.validateToken(JWTValidatorImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.28.116.jar:?]
at org.wso2.carbon.apimgt.impl.jwt.JWTValidationServiceImpl.validateJWTToken_aroundBody0(JWTValidationServiceImpl.java:44) ~[org.wso2.carbon.apimgt.impl_9.28.116.jar:?]
at org.wso2.carbon.apimgt.impl.jwt.JWTValidationServiceImpl.validateJWTToken(JWTValidationServiceImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.getJwtValidationInfo_aroundBody32(JWTValidator.java:673) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.getJwtValidationInfo(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.authenticate_aroundBody0(JWTValidator.java:181) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.authenticate(JWTValidator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate_aroundBody4(OAuthAuthenticator.java:298) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:1) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:546) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:1) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:416) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:1) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.apache.synapse.api.API.process(API.java:403) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.AbstractApiHandler.apiProcessNonDefaultStrategy(AbstractApiHandler.java:108) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.AbstractApiHandler.identifyAPI(AbstractApiHandler.java:128) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.AbstractApiHandler.dispatchToAPI(AbstractApiHandler.java:60) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.rest.RestRequestHandler.dispatchToAPI(RestRequestHandler.java:90) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.rest.RestRequestHandler.process(RestRequestHandler.java:76) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:54) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:346) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:101) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) ~[axis2_1.6.1.wso2v83.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:379) ~[synapse-nhttp-transport_4.0.0.wso2v20.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:193) ~[synapse-nhttp-transport_4.0.0.wso2v20.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) ~[axis2_1.6.1.wso2v83.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at java.lang.Thread.run(Thread.java:833) [?:?]
[2023-04-18 06:24:40,971] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:560) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:1) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:416) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:1) ~[org.wso2.carbon.apimgt.gateway_9.28.116.jar:?]
at org.apache.synapse.api.API.process(API.java:403) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.AbstractApiHandler.apiProcessNonDefaultStrategy(AbstractApiHandler.java:108) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.AbstractApiHandler.identifyAPI(AbstractApiHandler.java:128) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.AbstractApiHandler.dispatchToAPI(AbstractApiHandler.java:60) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.rest.RestRequestHandler.dispatchToAPI(RestRequestHandler.java:90) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.api.rest.RestRequestHandler.process(RestRequestHandler.java:76) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:54) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:346) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:101) ~[synapse-core_4.0.0.wso2v20.jar:4.0.0-wso2v20]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) ~[axis2_1.6.1.wso2v83.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:379) ~[synapse-nhttp-transport_4.0.0.wso2v20.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:193) ~[synapse-nhttp-transport_4.0.0.wso2v20.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) ~[axis2_1.6.1.wso2v83.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at java.lang.Thread.run(Thread.java:833) [?:?]
[2023-04-18 06:24:40,972] WARN - RelayUtils Server encountered an error, the request message will be consumed and discarded, , CLIENT_ADDRESS = /10.44.137.163:34368, Correlation ID = 979050c7-db12-4790-8991-6e4b64bab89c
[2023-04-18 06:24:51,824] WARN - APIUtil The configurations related to Api Key Generator Impl class in APIStore is missing in api-manager.xml. Hence returning the default value.
[2023-04-18 06:24:51,897] WARN - APIUtil The configurations related to APIKey sign keystore in APIStore is missing in api-manager.xml. Hence returning the default value.
[2023-04-18 06:24:51,917] WARN - APIUtil The configurations related to APIKey sign keystore in APIStore is missing in api-manager.xml. Hence returning the default value.
I tried adding some of the configurations I found on the WSO2 website related to transport level security and it did not solve the problem. (https://apim.docs.wso2.com/en/latest/install-and-setup/setup/security/configuring-transport-level-security/)
It seems the JWKS endpoint response is null, or the status code in the response's status line is not 200. To verify this, can you check by issuing the curl command below? (You can find the JWKS endpoint configured in your Key Manager by exploring the relevant Key Manager configuration under the Key Managers section of the APIM admin portal. The default value for the resident KM is https://localhost:9443/oauth2/jwks)
curl "<JWKS_EP_URL>" -k -v
ex:
curl "https://localhost:9443/oauth2/jwks" -k -v
If the above curl command does not return a successful response, the Key Manager's JWKS endpoint URL should be updated appropriately.
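A programmatic version of the check described in the answer, added here as an example and not code from the question, the answer or WSO2: it fetches the JWKS URL and classifies the body the way the gateway's JWKSet.parse effectively does, including the empty-body case that produced the ParseException in the stack trace. The sample key, its "kid" value and the helper names (check_jwks_body, fetch_jwks) are constructed for this example.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Optional

# Constructed sample of what a Key Manager's /oauth2/jwks endpoint returns:
# one RSA signing key whose "kid" the gateway matches against the JWT header.
SAMPLE_JWKS = json.dumps({"keys": [{
    "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "constructed-kid-1",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri", "e": "AQAB"}]})


def check_jwks_body(body: Optional[str]) -> dict:
    """Classify a JWKS body the way the gateway's JWKSet.parse effectively does."""
    # An empty body is the case in the question: JWKSet.parse(null) throws
    # ParseException ('"in" is null') and the request ends as an
    # Unclassified Authentication Failure.
    if body is None or not body.strip():
        return {"ok": False, "reason": "empty body (JWKSet.parse fails on null input)"}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"ok": False, "reason": f"not JSON: {exc.msg}"}
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return {"ok": False, "reason": "no 'keys' array in JWKS"}
    bad = [i for i, k in enumerate(keys)
           if not isinstance(k, dict) or "kty" not in k or "kid" not in k]
    if bad:
        return {"ok": False, "reason": f"keys at positions {bad} lack 'kty' or 'kid'"}
    return {"ok": True, "kids": [k["kid"] for k in keys]}


def fetch_jwks(url: str, verify_tls: bool = True, timeout: float = 5.0) -> dict:
    """Fetch the JWKS URL and classify it; verify_tls=False mirrors curl -k."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab hosts with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:  # non-2xx: the gateway would get no JWKS
        return {"ok": False, "reason": f"HTTP {exc.code} from {url}"}
    except (urllib.error.URLError, OSError) as exc:
        return {"ok": False, "reason": f"connection failed: {exc}"}
    if status != 200:
        return {"ok": False, "reason": f"HTTP {status} from {url}"}
    return {"status": status, **check_jwks_body(body)}
```

Running fetch_jwks against the URL shown in the admin portal's Key Manager configuration gives the same verdict as the curl command, plus the reason the gateway would have failed to parse the result.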