Details
- Bug
- Resolution: Done
- Major
- 2.2 GA, SaaS
Description
When using OpenID Connect mode the authorization doesn't work as expected: only every second call is reported.
This happens because of the following:
1) when the request is not cached in APIcast, the JWT is parsed, and the app_id extracted from it is used in the oauth_authrep.xml call. The whole JWT is then stored in APIcast's internal cache.
2) on subsequent calls there is a cache hit, and the stored access_token=<JWT> is used for the oauth_authrep.xml call in post_action. Because the access token is not stored in the backend in this mode, the call fails, the cache entry is removed from APIcast, and the next call starts from 1) again.
This is not correct: the expected behavior is for APIcast to extract app_id from the cached JWT and use it in the oauth_authrep.xml call instead of access_token.
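The following is an added simulation of the two code paths described above; it is not APIcast's own code. It models the backend's oauth_authrep.xml as a function that only accepts credentials it knows about, and a gateway with a token cache. Assumptions: the app_id comes from the `azp` claim of the JWT, the cache is keyed by the bearer token, and the JWT is a constructed unsigned sample (no signature check is performed here). Running the buggy cache-hit path shows the "every second call" pattern; the fixed path, which re-extracts app_id from the cached JWT, reports every call.

```python
import base64
import json

APP_ID_CLAIM = "azp"  # assumption: JWT claim that carries the 3scale app_id


def make_jwt(claims):
    """Build a constructed, unsigned header.payload. token for illustration only."""
    def b64url(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token):
    """Decode the payload segment of a JWT (no signature verification in this model)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


class Backend:
    """Stand-in for the backend's oauth_authrep.xml endpoint."""

    def __init__(self, registered_app_ids):
        self.registered_app_ids = set(registered_app_ids)
        # In OIDC mode the backend never issued or stored the JWT,
        # so any access_token lookup fails.
        self.issued_access_tokens = set()

    def oauth_authrep(self, **credentials):
        if "app_id" in credentials:
            return credentials["app_id"] in self.registered_app_ids
        if "access_token" in credentials:
            return credentials["access_token"] in self.issued_access_tokens
        return False


class Gateway:
    """Minimal model of the APIcast authorization cache for OIDC mode."""

    def __init__(self, backend, fixed):
        self.backend = backend
        self.fixed = fixed
        self.cache = {}  # assumption: cache key is the bearer token -> stored JWT

    def handle(self, jwt):
        key = jwt
        cached = self.cache.get(key)
        if cached is None:
            # 1) cache miss: parse the JWT, extract app_id, authrep with it,
            #    then store the whole JWT in the cache.
            app_id = jwt_claims(jwt)[APP_ID_CLAIM]
            ok = self.backend.oauth_authrep(app_id=app_id)
            if ok:
                self.cache[key] = jwt
            return ok
        # 2) cache hit: post_action authrep using the cached credentials.
        if self.fixed:
            # expected behaviour: re-extract app_id from the cached JWT
            credentials = {"app_id": jwt_claims(cached)[APP_ID_CLAIM]}
        else:
            # buggy behaviour: send the cached JWT as access_token
            credentials = {"access_token": cached}
        ok = self.backend.oauth_authrep(**credentials)
        if not ok:
            del self.cache[key]  # failed authrep evicts the entry
        return ok


def simulate(fixed, calls=4):
    """Return the per-call report outcome for the buggy or fixed gateway."""
    backend = Backend(["app-123"])  # constructed registered application
    gw = Gateway(backend, fixed)
    token = make_jwt({APP_ID_CLAIM: "app-123", "sub": "user-1"})
    return [gw.handle(token) for _ in range(calls)]


if __name__ == "__main__":
    print("buggy:", simulate(fixed=False))  # alternates True/False
    print("fixed:", simulate(fixed=True))   # all True
```

The alternating pattern in the buggy run is the observable symptom from the description: each miss reports and caches, each hit fails and evicts, so the next call is a miss again.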
Attachments

1. Update Release Notes for 2.2 | Closed | Andreu Masferrer