Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: Documentation, Gateway
Labels:
None

Story Points:
5
Blocked:
False
Ready:
False
3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
Doc Version/s:

2.13.0 GA, 2.14.0 GA
Release Note Text:
Undefined
Target Release:

2.11.0 CR1

SFDC Cases Counter:
SFDC Cases Links:

Description

Our documentation here states:

12.1. JWT verification and parsing by APIcast
The API requests to the service using the OpenID Connect authentication mode should provide the access token in the JWT format, issued by the OpenID Provider, in the Authorization header using Bearer schema. The header should look like the following example:

Authorization: Bearer <JWK>

Although if you have in your service settings `Credentials location As query parameters (GET) or body parameters (POST/PUT/DELETE)` checked and you fire a request like:

curl -X GET \
  'https://<gatewayhost>:443/?access_token=A-VALID-KEYCLOAK-JWT-TOKEN'

the request is authorized successfully.

Reading the documentation I expect this to fail whatever {{ Credentials location }} is set.
Also I expect that:

curl -X GET \
  'https://<gatewayhost>:443/' -H 'Authorization: Bearer A-VALID-KEYCLOAK-JWT-TOKEN'

is always successful whatever {{ Credentials location }} is set.

We need to fix the apicast behavior or the documentation.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Carlo Palmieri (Inactive)

Documenter:: Lluis Cavalle

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2020/12/10 11:20 AM

Updated:: 2023/07/24 9:22 AM