diff --git a/components/apimgt/org.wso2.carbon.apimgt.common.gateway/src/main/java/org/wso2/carbon/apimgt/common/gateway/dto/JWTConfigurationDto.java b/components/apimgt/org.wso2.carbon.apimgt.common.gateway/src/main/java/org/wso2/carbon/apimgt/common/gateway/dto/JWTConfigurationDto.java index ef034354fede..6991c61e30d9 100644 --- a/components/apimgt/org.wso2.carbon.apimgt.common.gateway/src/main/java/org/wso2/carbon/apimgt/common/gateway/dto/JWTConfigurationDto.java +++ b/components/apimgt/org.wso2.carbon.apimgt.common.gateway/src/main/java/org/wso2/carbon/apimgt/common/gateway/dto/JWTConfigurationDto.java @@ -34,6 +34,7 @@ public class JWTConfigurationDto { private String jwtHeader = "X-JWT-Assertion"; private String consumerDialectUri = "http://wso2.org/claims"; private String signatureAlgorithm = "SHA256withRSA"; + private String jwtDecoding = "base64"; private boolean enableUserClaims; private String gatewayJWTGeneratorImpl; private Map tokenIssuerDtoMap = new HashMap(); @@ -58,6 +59,7 @@ public JWTConfigurationDto(JWTConfigurationDto jwtConfigurationDto) { this.jwtHeader = jwtConfigurationDto.jwtHeader; this.consumerDialectUri = jwtConfigurationDto.consumerDialectUri; this.signatureAlgorithm = jwtConfigurationDto.signatureAlgorithm; + this.jwtDecoding = jwtConfigurationDto.jwtDecoding; this.enableUserClaims = jwtConfigurationDto.enableUserClaims; this.gatewayJWTGeneratorImpl = jwtConfigurationDto.gatewayJWTGeneratorImpl; this.tokenIssuerDtoMap = jwtConfigurationDto.tokenIssuerDtoMap; @@ -140,6 +142,14 @@ public void setJwtExcludedClaims(Set jwtClaims) { this.jwtExcludedClaims = jwtClaims; } + public String getJwtDecoding() { + return jwtDecoding; + } + + public void setJwtDecoding(String jwtDecoding) { + this.jwtDecoding = jwtDecoding; + } + public boolean isEnableUserClaims() { return enableUserClaims; diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/apikey/ApiKeyAuthenticator.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/apikey/ApiKeyAuthenticator.java index f5886d7884aa..83732353ffd4 100644 --- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/apikey/ApiKeyAuthenticator.java +++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/apikey/ApiKeyAuthenticator.java @@ -515,7 +515,12 @@ private String generateAndRetrieveBackendJWTToken(String tokenSignature, JWTInfo if (token != null) { endUserToken = (String) token; String[] splitToken = ((String) token).split("\\."); - JSONObject payload = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1]))); + JSONObject payload; + if (APIConstants.JwtTokenConstants.DECODING_ALGORITHM_BASE64URL.equals(jwtConfigurationDto.getJwtDecoding())) { + payload = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1]))); + } else { + payload = new JSONObject(new String(Base64.getDecoder().decode(splitToken[1]))); + } long exp = payload.getLong("exp"); long timestampSkew = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000; valid = (exp - System.currentTimeMillis() > timestampSkew); diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator.java index 7e418f7e0771..4116e0bc2c1a 100644 --- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator.java +++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator.java @@ -290,7 +290,12 @@ private String generateAndRetrieveJWTToken(String tokenSignature, JWTInfoDto jwt if (token != null) { endUserToken = (String) token; String[] splitToken = ((String) token).split("\\."); - JSONObject payload = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1]))); + JSONObject payload; + if (APIConstants.JwtTokenConstants.DECODING_ALGORITHM_BASE64URL.equals(jwtConfigurationDto.getJwtDecoding())) { + payload = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1]))); + } else { + payload = new JSONObject(new String(Base64.getDecoder().decode(splitToken[1]))); + } long exp = payload.getLong("exp") * 1000L; long timestampSkew = getTimeStampSkewInSeconds() * 1000; valid = (exp - System.currentTimeMillis() > timestampSkew); diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java index c6f3104e5e15..c4dec6155fcc 100755 --- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java +++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java @@ -439,6 +439,7 @@ public final class APIConstants { public static final String JWT_DEFAULT_AUDIENCE = "http://org.wso2.apimgt/gateway"; public static final String JWT_CONFIGS = "JWTConfiguration"; public static final String JWT_HEADER = "JWTHeader"; + public static final String JWT_DECODING = "JWTDecoding"; public static final String ENABLE_USER_CLAIMS = "EnableUserClaims"; public static final String BINDING_FEDERATED_USER_CLAIMS = "EnableBindingFederatedUserClaims"; public static final String TOKEN_GENERATOR_IMPL = "JWTGeneratorImpl"; @@ -2101,6 +2102,7 @@ public static class JwtTokenConstants { public static final String INTERNAL_KEY_TOKEN_TYPE = "InternalKey"; public static final String TOKEN_TYPE = "token_type"; public static final String API_KEY_TOKEN_TYPE = "apiKey"; + public static final String DECODING_ALGORITHM_BASE64URL = "base64url"; } public static final String SIGNATURE_ALGORITHM_RS256 = "RS256"; diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java index b7103b4bfee2..88f2ed977c47 100644 --- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java +++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java @@ -1608,6 +1608,11 @@ private void setJWTConfiguration(OMElement omElement) { if (jwtHeaderElement != null) { jwtConfigurationDto.setJwtHeader(jwtHeaderElement.getText()); } + OMElement jwtDecoding = + omElement.getFirstChildWithName(new QName(APIConstants.JWT_DECODING)); + if (jwtDecoding != null) { + jwtConfigurationDto.setJwtDecoding(jwtDecoding.getText()); + } OMElement jwtUserClaimsElement = omElement.getFirstChildWithName(new QName(APIConstants.ENABLE_USER_CLAIMS)); if (jwtUserClaimsElement != null) { diff --git a/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2 b/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2 index 329d983da1f0..6f6b49951d59 100644 --- a/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2 +++ b/features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2 @@ -80,6 +80,14 @@ + + + {% if apim.jwt.decoding %} + {{apim.jwt.decoding}} + {% elif apim.jwt.encoding %} + {{apim.jwt.encoding}} + {% endif %} + {% if apim.jwt.enable_tenant_based_signing is defined %} {{apim.jwt.enable_tenant_based_signing}} {% endif %}