
Token signing keypair different from verification keypair

Open daniloarcidiacono opened this issue 6 years ago • 0 comments

Description: Hello, I'm trying to protect a service with OAuth2 password grant security (I'm using apim-with-analytics docker-compose). I noticed that client-truststore.jks has two different keys for "wso2carbon" and "gateway_certificate_alias". This causes problems with the verification of the signature of the access token. Here are the steps:

  1. Generate a token by calling POST https://localhost:8243/token.
  2. Introspect/Get the user info with POST https://localhost:9443/oauth2/introspect or POST https://localhost:9443/oauth2/userinfo.
  3. Call the API gateway passing the Authorization header.

Step 3 fails because the signature verification fails. After some debugging I noticed that the signature verification in step 3 uses the "gateway_certificate_alias", while the token is signed with the "wso2carbon" alias.

I guess I could fix this problem by importing the "wso2carbon" alias into the trust store under the "gateway_certificate_alias" alias, but I would like to know the best way to configure the keys.

Here I found some information about changing the alias used to issue the tokens: https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products.

And here is how to change the alias used to verify the tokens (I think): https://apim.docs.wso2.com/en/next/Learn/APISecurity/APIAuthentication/secure-apis-using-api-keys/#changing-the-alias-name-in-the-jwt.

Why does the provided client-truststore.jks contain two different keys for "wso2carbon" and "gateway_certificate_alias"?

Affected Product Version: API Manager 3.0.0

daniloarcidiacono, Jan 13 '20 14:01