extauth plugin and api_product_list check in oauth plugin #149
Description
I'm trying to config microgateway to accept a third party JWT via plugin extauth.
The request passes extauth plugin without issue but fails in oauth plugin with 403 error below:
plugin:extauth plugin onrequest +17s
plugin:extauth Found jwt kid: thejwtkid +1ms
plugin:extauth Found JWK +0ms
plugin:extauth JWT Expiry enabled +6ms
plugin:extauth JWT is valid +45ms
plugin:oauth validating jwt +0ms
plugin:oauth product only: false +23ms
plugin:oauth no api product list +0ms
plugin:oauth** auth failure 403 access_denied { host: 'host.domain.name',..}
What failed is the following check in oauth.checkIfAuthorized;
if (!decodedToken.api_product_list) {
debug('no api product list');
return false;
}
The oauth plugin is looking for api_product_list property in decoded JWT. Well, doesn't this defeat the purpose of using extauth plugin unless there is something wrong in my setup? That property won't exist in third party JWT.
Any suggestions?
Thanks