Description
Issue 01: If the client sends a certificate but the token has no cnf claim, the request fails. The limitation is that a user who wants to enable mTLS for an API but does not want CBAT for the same API cannot do so: with the current functionality, enabling only mTLS for an API is not possible once CBAT is enabled globally.
Issue 02: The client gets access to the resource when the request is sent with a JWT that has a cnf claim but no client certificate.
Steps to Reproduce
- Enable CBAT by adding the configuration below to deployment.toml:
    [apim.oauth_config]
    enable_certificate_bound_access_token = true
- Add the property below so that tokens are generated with a cnf claim:
    [oauth.mutualtls]
    client_certificate_header = "ssl-client-cert"
- Deploy an API and enable mTLS for the API.
- Generate a token without a cnf claim and invoke the API, sending the client certificate. You will see a 401 response.
- Deploy an API without mTLS.
- Generate a token with a cnf claim and invoke the API without passing a client certificate; you will see that the request passes.
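The check that both issues above are about, written out as an added example (this is not WSO2 API Manager's own code): resource-server-side validation of a certificate-bound access token as specified in RFC 8705, where the cnf claim carries an x5t#S256 thumbprint of the client certificate. The certificate bytes, the claim dictionaries and the per-API `api_requires_binding` flag are constructed assumptions for the example; a gateway would take the certificate from the TLS layer or from the configured client_certificate_header, and the claims from a JWT whose signature has already been verified. The function handles both reported cases: a token without cnf on an mTLS-only API is allowed when binding is not required for that API (the behaviour Issue 01 asks for), and a token with cnf but no presented certificate is denied (the gap in Issue 02).

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample bytes standing in for DER-encoded client certificates.
# Only their SHA-256 digest matters for the binding check, so no parsing is done.
CLIENT_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-client-certificate-body"
OTHER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-other-certificate-body"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_certificate_binding(claims: dict,
                              client_cert_der: Optional[bytes],
                              api_requires_binding: bool) -> str:
    """Decide whether a request may proceed, given the (already signature-verified)
    token claims, the client certificate presented on this request (None if absent),
    and an assumed per-API policy flag saying whether this API insists on CBAT.

    Returns a string starting with "allow" or "deny" followed by the reason.
    """
    cnf = claims.get("cnf")

    # Token is not certificate-bound. Whether that is acceptable is a per-API
    # policy decision: an API that only wants mTLS should still accept it, since
    # the TLS layer has already authenticated the client certificate.
    if cnf is None:
        if api_requires_binding:
            return "deny: API requires a certificate-bound token but token has no cnf"
        return "allow: token is not certificate-bound; mTLS (if enabled) was enforced by the TLS layer"

    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not expected:
        return "deny: cnf claim present but carries no x5t#S256 thumbprint"

    # Certificate-bound token: RFC 8705 section 3 requires the resource server to
    # verify that the presented certificate matches the thumbprint in cnf.
    # A missing certificate therefore cannot be accepted.
    if client_cert_der is None:
        return "deny: certificate-bound token presented without a client certificate"

    if not hmac.compare_digest(x5t_s256(client_cert_der), expected):
        return "deny: presented client certificate does not match the token's cnf thumbprint"

    return "allow: presented client certificate matches the token's cnf thumbprint"


def run_scenarios() -> dict:
    """Replay the two reported scenarios plus the expected negative cases."""
    bound_token = {"sub": "alice", "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}}
    unbound_token = {"sub": "alice"}
    return {
        # Issue 01: mTLS-only API, unbound token, certificate presented -> should pass
        "issue01_mtls_only_unbound_token": check_certificate_binding(unbound_token, CLIENT_CERT_DER, False),
        # Issue 02: bound token, no certificate presented -> must be rejected
        "issue02_bound_token_no_cert": check_certificate_binding(bound_token, None, False),
        "bound_token_matching_cert": check_certificate_binding(bound_token, CLIENT_CERT_DER, True),
        "bound_token_wrong_cert": check_certificate_binding(bound_token, OTHER_CERT_DER, True),
        "cbat_required_unbound_token": check_certificate_binding(unbound_token, CLIENT_CERT_DER, True),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The thumbprint comparison is done with a constant-time compare, and the decision is made after signature verification, not instead of it: a cnf claim only means something if the token itself is trusted. The `api_requires_binding` flag models the per-API choice that Issue 01 asks for; in a global-only deployment it would simply be the global CBAT setting.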
Version
4.2.0
Environment Details (with versions)
No response