Unable to use JWT token generated from Fiware Keyrock #23

Closed
DacaK opened this issue Sep 13, 2022 · 5 comments

Comments

@DacaK

DacaK commented Sep 13, 2022

For the Fiware security layer, Keyrock version 8.0.0, Wilma version 8.0.0 and Authzforce version release-10.0.0 are configured.
Keyrock generates a Bearer token that works properly for Orion authorization. But the problem comes if I use a JWT token instead. I generate a JWT token by adding the scope option in the request:

```http
POST /oauth2/token HTTP/1.1
Host: localhost:3005
Authorization: Basic MTlmMjdiZGMtMTM1My00MTY5LTkxN2ItZTI1NTVjNDYwYzUyOjU4YWIxZTFjLTBkYjktNDBmZi1hMmUyLTJjZTYyNjNlNjI1Yg==
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=username1&password=password1&scope=jwt
```

When I try to access Orion through Wilma using the below request, Wilma reports the error "AZF domain not created for application 19f27bdc-1353-4169-917b-e2555c460c52":
```http
GET /version HTTP/1.1
Host: localhost:1022
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdhbml...TgxODQzfQ.O_UgX-Jl_ng0r--uDSr8dk1AeCnJAJPS3qn6VXurhxQ
```

Moreover, in the Keyrock GUI for the application all Grant Types are selected, and for Token types "JWT token" is selected.
Also, in the Wilma configuration the property for the JWT secret is added (PEP_TOKEN_SECRET=5e39ee34ad881b01).
I removed az_domain from the authzforce table in the MySQL database a few times and recreated it by adding new roles/permissions from the Keyrock GUI, but that new domain didn't solve the problem either.

I hope someone can help me. Thanks in advance.

@cdanger
Member

cdanger commented Sep 14, 2022

Already asked on StackOverflow:
https://stackoverflow.com/questions/73665080/unable-to-use-jwt-token-generated-from-fiware-keyrock

Have you checked this issue (link) and followed the tutorial mentioned by Jason Fox?

Have you checked in the Keyrock logs that it is actually sending an HTTP request to the AuthzForce API whenever you change/add the application permissions? If yes, is the request successful? Are the Keyrock configuration parameters related to Authzforce correct?

@DacaK
Author

DacaK commented Sep 15, 2022

Thank you for your prompt response.

Yes, I checked the mentioned tutorial and tested it again using docker-compose from the master branch (KEYROCK_VERSION=8.1.0-distroless, WILMA_VERSION=8.1.0-distroless, AUTHZFORCE_VERSION=release-8.1.0)
and the result is the same. Also, I added all the ENV variables for each service, in addition to the new ones related to JWT, which were mentioned in the post above.

Keyrock sends an HTTP request to the AuthzForce API and it is successful:

```
Thu, 15 Sep 2022 09:11:20 GMT idm:web-authzforce_controller --> submit_authzforce_policies
Thu, 15 Sep 2022 09:11:20 GMT idm:authzforce --> get_application_domain
Thu, 15 Sep 2022 09:11:20 GMT idm:authzforce --> policy_set_update
Thu, 15 Sep 2022 09:11:20 GMT idm:authzforce --> activate_policy
Thu, 15 Sep 2022 09:11:20 GMT idm:web-authzforce_controller DOMAIN OF APPLICATION IS: XR7SozTWEe2tPwJCrBIAAg
Thu, 15 Sep 2022 09:11:20 GMT idm:web-authzforce_controller POLICY ID: ab155f81-6f24-4c87-89cf-cde54ca25848
Thu, 15 Sep 2022 09:11:20 GMT idm:web-authzforce_controller VERSION OF POLICY: 1
Thu, 15 Sep 2022 09:11:20 GMT idm:web-authzforce_controller RESPONSE CODE FROM POLICY ACTIVATION: 200
Thu, 15 Sep 2022 09:11:20 GMT idm:web-authzforce_controller Authzforce create policy:  Success creating policy.
Thu, 15 Sep 2022 09:11:20 GMT idm:web-authzforce_controller Authzforce activate policy: success
Thu, 15 Sep 2022 09:11:20 GMT idm:web-authzforce_controller --> create_domain
Thu, 15 Sep 2022 09:11:20 GMT idm:web-authzforce_controller Success creating row in authzforce table
```

The problem is only the JWT token, not the standard Bearer token. In some older versions this functionality worked but now I can't find which versions they were.

@cdanger
Member

cdanger commented Sep 15, 2022

Sorry, I missed the fact that it works with the Bearer token, and it's only when you change it to JWT that it fails. (I'm a bit confused though, because a Bearer token can be a JWT token nevertheless.) Anyway, in that case the problem does not concern AuthzForce (which never handles tokens in this scenario) but either Keyrock, which issues the token (maybe you can capture the JWT to check that the 'app_azf_domain' claim is there and correct, i.e. matches the AuthzForce domain created by Keyrock), or Wilma, which consumes/parses the token. So I suggest you contact the Wilma and Keyrock teams. If you get no answer on StackOverflow, you can try their GitHub issues.
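The check suggested in the comment above (capture the JWT and confirm the `app_azf_domain` claim is present and matches the domain Keyrock created), as an added example that is not part of this thread or of the Keyrock/Wilma code. It assumes the token is HS256-signed with the shared PEP secret, as the `Bearer eyJhbGciOiJIUzI1NiIs...` token in the report suggests; the secret and the claim set below are constructed, and the domain value is the one printed in the Keyrock log above.

```python
import base64
import hashlib
import hmac
import json

SAMPLE_SECRET = "constructed-demo-secret"      # constructed; not the PEP_TOKEN_SECRET from the issue
SAMPLE_DOMAIN = "XR7SozTWEe2tPwJCrBIAAg"       # domain id shown in the Keyrock log above


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: str) -> str:
    """Build an HS256 JWT. Constructed test token, not one issued by Keyrock."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_azf_domain_claim(token: str, secret: str, expected_domain: str) -> str:
    """Verify the signature first, then inspect app_azf_domain.

    Returns one of: malformed, unexpected-alg, bad-signature, missing, empty, mismatch, ok.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return "malformed"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # only accept the algorithm we expect
        return "unexpected-alg"
    expected_sig = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return "bad-signature"              # do not trust claims from an unverified token
    claims = json.loads(_b64url_decode(payload_b64))
    if "app_azf_domain" not in claims:
        return "missing"
    if claims["app_azf_domain"] == "":
        return "empty"                      # the symptom reported later in this thread
    if claims["app_azf_domain"] != expected_domain:
        return "mismatch"
    return "ok"
```

Run it against a captured token with `check_azf_domain_claim(token, "<PEP_TOKEN_SECRET>", "<domain from the Keyrock log>")`; anything other than `ok` tells you which side (issuer claim vs. configured domain) to look at.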

@danijelakrstic

I cannot see the app_azf_domain value in the token; it's an empty string by default (for both Bearer and JWT). But yes, the values in the Keyrock database for the AuthzForce domain and on the AuthzForce side are the same.
It's nice to know there is no problem on the Authzforce side. I opened the issue in the Keyrock GitHub as well; hope someone will answer me soon.

Thank you very much for your time and suggestions.

@cdanger
Member

cdanger commented Sep 20, 2022

Yes, the azf domain value missing from the token could be an issue because Wilma needs that AZF domain ID to make the request to AuthzForce properly. Good luck with the Keyrock and Wilma teams.
