Good afternoon,
We are reviewing community posts that have not been answered. The Client Secret should not be sent through, just the Client ID in the aud value.
Header: {"typ":"JWT","alg":"RS256","kid":"default_ssl_key"}
Payload: {
  "iss": "https://supdemo-ssg93.support.local:8443",
  "iat": 1551822592,
  "aud": "54f0c455-4d80-421f-82ca-9194df24859d",
  "exp": 1551826192,
  "jti": "117c27c6-b111-425c-83c4-a396dfe17df4",
  "token_details": {
    "scope": "oob",
    "expires_in": 3600,
    "token_type": "Bearer"
  }
}
Within the gateway you can use the Decode JSON Web Token assertion, set up depending on how the JWT was signed and/or encrypted, to validate the token. If you use this assertion, be sure to include a comparison check on the ${<prefix>.valid} variable after the assertion to ensure that it has not been tampered with.
Sincerely,
Stephen Hughes
Broadcom Support
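
The check order described in the reply above, sketched as an added example that is not part of the original post and is not gateway policy code: fail closed on the signature result first, then confirm the aud claim is the Client ID. The `signature_valid` parameter is a hypothetical stand-in for the `${<prefix>.valid}` result, the function and constant names are assumptions, and the sample token is constructed from the values in the post with a placeholder signature.

```python
import base64
import json

# Values taken from the token shown in the post above.
EXPECTED_ISS = "https://supdemo-ssg93.support.local:8443"
CLIENT_ID = "54f0c455-4d80-421f-82ca-9194df24859d"
SAMPLE_CLAIMS = {"iss": EXPECTED_ISS, "iat": 1551822592, "aud": CLIENT_ID,
                 "exp": 1551826192, "jti": "117c27c6-b111-425c-83c4-a396dfe17df4"}


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def check_token(token, signature_valid, now):
    """Return (accepted, reason). signature_valid is a hypothetical input that
    stands in for the gateway's ${<prefix>.valid} result; this function does
    not verify the RS256 signature itself."""
    if signature_valid is not True:      # fail closed before trusting claims
        return False, "signature not validated"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a signed compact JWT"
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:                   # bad base64, bad UTF-8 or bad JSON
        return False, "malformed segment"
    if header.get("alg") != "RS256":     # the algorithm this issuer signs with
        return False, "unexpected alg"
    if claims.get("iss") != EXPECTED_ISS:
        return False, "unexpected issuer"
    if claims.get("aud") != CLIENT_ID:   # aud carries the Client ID only
        return False, "aud is not this client ID"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    return True, "ok"


def make_sample(claims):
    """Build a constructed token with a placeholder (not real) signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "default_ssl_key"}
    return ".".join([enc(header), enc(claims), "c2ln"])
```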