Details
- Bug
- Resolution: Unresolved
- Major
Description
Our documentation here states:
12.1. JWT verification and parsing by APIcast
The API requests to the service using the OpenID Connect authentication mode should provide the access token in the JWT format, issued by the OpenID Provider, in the Authorization header using Bearer schema. The header should look like the following example:
Authorization: Bearer <JWK>

However, if you have in your service settings `Credentials location As query parameters (GET) or body parameters (POST/PUT/DELETE)` checked and you fire a request like:
curl -X GET \
'https://<gatewayhost>:443/?access_token=A-VALID-KEYCLOAK-JWT-TOKEN'
the request is authorized successfully.
Reading the documentation, I expect this to fail whatever {{ Credentials location }} is set to.
I also expect that:
curl -X GET \
'https://<gatewayhost>:443/' -H 'Authorization: Bearer A-VALID-KEYCLOAK-JWT-TOKEN'
is always successful whatever {{ Credentials location }} is set to.
We need to fix the APIcast behavior or the documentation.
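Added example, not code from this issue or from the APIcast code base: a small reference model of the documented rule (JWT accepted only from `Authorization: Bearer`) next to the observed behaviour (`allow_query=True`, mirroring the permissive `Credentials location` setting), plus a check over constructed nginx-style access-log lines that flags requests carrying the token in the query string, where it would persist in gateway logs. The bearer-token regex, the log format and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shape of a compact JWT: three base64url segments, the signature may be empty.
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*)$", re.I)

def extract_jwt(headers, url, allow_query=False):
    """Return (token, source) for a request.

    allow_query=False models the documented rule: only the Authorization header counts.
    allow_query=True models the behaviour reported in this issue: an access_token
    query parameter is also accepted when 'Credentials location' permits it.
    """
    auth = headers.get("Authorization") or headers.get("authorization")
    if auth:
        m = BEARER_RE.match(auth.strip())
        if m:
            return m.group(1), "header"
    qs = parse_qs(urlsplit(url).query)
    tok = qs.get("access_token", [None])[0]
    if tok and allow_query:
        return tok, "query"
    return None, None

# Assumed combined-log request field: "METHOD URI HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def find_tokens_in_query(log_lines):
    """Return 1-based line numbers of access-log entries whose request URI carries an
    access_token parameter, i.e. JWTs that ended up stored in the gateway's logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if m and "access_token" in parse_qs(urlsplit(m.group("uri")).query):
            hits.append(n)
    return hits

# Constructed sample log lines (not real traffic); the first one carries a token in the query.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?access_token=eyJhbGciOi.eyJzdWIiOi.c2ln HTTP/1.1" 200 12',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    print(extract_jwt({}, "https://gw/?access_token=eyJ.eyJ.c2ln"))            # (None, None)
    print(extract_jwt({}, "https://gw/?access_token=eyJ.eyJ.c2ln", True))      # ('eyJ.eyJ.c2ln', 'query')
    print(find_tokens_in_query(SAMPLE_LOG))                                     # [1]
```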