
WSO2 Identity Server proxyPort and different iss claim construction across WSO2 IS versions

Usually I deploy my WSO2 Identity Server behind a load balancer / proxy.

With WSO2 IS 5.7, I change my catalina-server.xml adding the proxyPort=443 attribute in the HTTPS Connector as follows:

<!-- proxyPort: the port Tomcat reports for the request, so URLs the server
     generates (redirects, issuer) carry 443 instead of the listening port 9443 -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           proxyPort="443"
           bindOnInit="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ...
/>

I can see the effect of this change because none of the redirect URIs I receive from the Identity Server contain the 9443 port. Additionally, OIDC tokens issued by the IS contain the iss (issuer) claim with the value mydomain.com:443/oauth2/token, thus using port 443 instead of 9443.

However, in WSO2 IS 5.10, where this option can be configured in the deployment.toml as follows:

[transport.https.properties]
proxyPort = 443

I can see its effect only on redirect URIs, but not in the OIDC token, where the iss claim still has port 9443: mydomain.com:9443/oauth2/token.

It is not a critical issue for me, as I can configure my clients / service providers with this issuer value in advance, but I would like to know whether in WSO2 IS 5.10 this is the desired behavior or maybe a bug.

This happens when you start the server for the first time without setting the proxy port, because some of the values are persisted to the database and will not be changed later, even if you change the hostname or proxy port.

For the issuer value, you can go to Resident Identity Provider > Inbound Authentication Configuration > OAuth2/OpenID Connect Configuration and update the Identity Provider Entity ID with the new value.
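The mismatch described in the question is exactly what a correctly written relying party must reject: OpenID Connect Core (section 3.1.3.7) requires the iss claim to match the issuer the client was configured with as an exact string, with no URL normalisation, so mydomain.com:9443/oauth2/token, mydomain.com:443/oauth2/token and mydomain.com/oauth2/token are three different issuers even though they reach the same endpoint. The following Python is an added example, not code from the post or from WSO2. It mints HS256-signed test tokens with a constructed shared key (a real WSO2 IS signs ID tokens with the private key in its keystore, which a client would verify against the provider's JWKS) and runs a client-side verifier over the issuer strings the question reports. The https scheme, the client id, the key and the token payloads are assumptions.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(data: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder requires."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS signed with HS256.

    Test fixture only (assumption: a shared secret). WSO2 IS signs ID tokens
    with an asymmetric key from its keystore; this just gives the verifier
    below something realistic to check offline.
    """
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token: str, key: bytes, expected_iss: str, expected_aud: str) -> dict:
    """Client-side check: signature first, then iss and aud. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # OIDC Core 3.1.3.7: iss MUST exactly match the configured issuer. No URL
    # normalisation, so :443, :9443 and no port at all are three different issuers.
    if claims.get("iss") != expected_iss:
        raise ValueError(f"issuer mismatch: token {claims.get('iss')!r}, client expects {expected_iss!r}")
    aud = claims.get("aud")
    if not (expected_aud in aud if isinstance(aud, list) else aud == expected_aud):
        raise ValueError("audience mismatch")
    return claims


# Constructed values (assumptions, not from the post): a client configured with the
# 5.7-style issuer, and the issuer strings the question reports for 5.7 and 5.10.
DEMO_KEY = b"constructed-demo-key-not-for-production"
CLIENT_ID = "my-client-id"
CLIENT_EXPECTED_ISS = "https://mydomain.com:443/oauth2/token"
OBSERVED_ISSUERS = {
    "5.7, proxyPort honoured": "https://mydomain.com:443/oauth2/token",
    "5.10, persisted entity id": "https://mydomain.com:9443/oauth2/token",
    "same endpoint, default port omitted": "https://mydomain.com/oauth2/token",
}


def check_issuer_scenarios() -> dict:
    """Mint one token per observed issuer and report what the client does with it."""
    results = {}
    for label, iss in OBSERVED_ISSUERS.items():
        token = make_hs256_token({"iss": iss, "aud": CLIENT_ID, "sub": "alice"}, DEMO_KEY)
        try:
            verify_token(token, DEMO_KEY, CLIENT_EXPECTED_ISS, CLIENT_ID)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in check_issuer_scenarios().items():
        print(f"{label:40} {outcome}")
```

Only the token whose iss is byte-for-byte identical to the configured value passes; the 5.10 token with port 9443 is rejected with an issuer mismatch, which is why the Identity Provider Entity ID has to be fixed on the server (or the service providers reconfigured) rather than the client being taught to "ignore the port". A client that normalised or loosely matched iss would also accept tokens minted by a different issuer on the same host, so the strict comparison is the safe default.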
