
WSO2 - Previously issued OAuth2 tokens invalid even if not expired

I have the following scenario using the SAME client ID and client secret:

Get token 1 and call API A - works as expected.

Get token 2 and call API B - works as expected.

Go back and call API A with token 1. I get the error "Invalid JWT token. Make sure you have provided the correct security credentials".

Does that mean that all previous tokens get invalidated once a new token gets issued? Even if it has not reached its expiry?

If I use different client IDs and client secrets, I do not get the issue.

Adding a scope does not make a difference.

When you subscribe to an API using an Application and generate a token, you can use the same token to call another API subscribed using the same Application.

If you regenerate the token for a newly subscribed API, then the previous token will be invalidated.

I believe this is the design of the JWT token flow of WSO2 APIM and IS. At a given time, there should be only one active JWT token for a single client ID, secret pair.

Ideally, since the token is not expired, it should return the same token however due to the size of the JWT, it is not practical to store the entire token in the persistence layer. Instead, only the JTI value is recorded and with it alone, KM cannot generate the same token in the second token call. Instead, it revokes the previous one and generates a new token.

From my DevOps team: Long story short is that the device scopes weren't being whitelisted. The config wasn't there previously. We added the config to the Identity Server, and device scopes are now whitelisted.

I can now achieve my objective by adding a unique scope to each call.
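To make the behaviour described in the accepted answer and in the scope workaround concrete, here is a small simulation added to this page (it is not WSO2 code and does not model its real storage schema). It assumes a key manager that persists only the JTI of the single active token per (client ID, scope) pair, so issuing a second token for the same pair silently revokes the first, while a distinct scope per call yields independently valid tokens. The HS256 signing key and client IDs are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for this simulation only.
SIGNING_KEY = b"demo-hs256-key-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyManager:
    """Simplified model (assumption, not WSO2's implementation): the store
    keeps only the JTI of the active token per (client_id, scope), never
    the full JWT, so it cannot hand back the earlier token on a repeat call."""

    def __init__(self):
        self.active_jti = {}  # (client_id, scope) -> jti of the one active token

    def issue_token(self, client_id, scope="default", ttl=3600):
        jti = secrets.token_hex(8)
        now = int(time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"sub": client_id, "scope": scope, "jti": jti, "iat": now, "exp": now + ttl}
        signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
        sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
        # Overwriting the recorded JTI is what revokes the previous token:
        # its signature and expiry stay valid, but its JTI no longer matches.
        self.active_jti[(client_id, scope)] = jti
        return signing_input + "." + _b64(sig)

    def validate(self, token):
        """Return (is_valid, reason); the reason mirrors why the API gateway
        would reject an otherwise well-formed, unexpired JWT."""
        try:
            h, p, s = token.split(".")
        except ValueError:
            return False, "malformed token"
        expected = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return False, "bad signature"
        claims = json.loads(_unb64(p))
        if claims["exp"] < int(time.time()):
            return False, "expired"
        if self.active_jti.get((claims["sub"], claims["scope"])) != claims["jti"]:
            return False, "revoked: a newer token was issued for this client/scope"
        return True, "ok"


def reproduce_question():
    """Same client, no scope: token 1 is rejected after token 2 is issued."""
    km = KeyManager()
    t1 = km.issue_token("client-A")
    t2 = km.issue_token("client-A")
    return [km.validate(t1)[1], km.validate(t2)[1]]


def with_unique_scopes():
    """Same client, a distinct scope per call: both tokens stay active."""
    km = KeyManager()
    t1 = km.issue_token("client-A", scope="api_a")
    t2 = km.issue_token("client-A", scope="api_b")
    return [km.validate(t1)[1], km.validate(t2)[1]]


if __name__ == "__main__":
    print(reproduce_question())
    print(with_unique_scopes())
```

`reproduce_question()` returns the revocation reason for token 1 and `ok` for token 2, matching the "Invalid JWT token" error in the question; `with_unique_scopes()` returns `ok` for both, which is why adding a unique scope per call works. Note that the scope here only changes the persistence key; it does not make the older token stronger, so clients that need parallel tokens should still rely on separate applications where possible.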
