Layer7 Mobile API Gateway - iOS App Logins fail after MAG Cert Update

book

Article ID: 192366

calendar_today

Updated On:

Products

CA Mobile API Gateway

Issue/Introduction

After updating the JWKS endpoint with new certificates, existing iOS app logins will attempt to validate the id_token using the old certificates. 

The error "JWT Token Is Invalid" may be seen in the log output.

Cause

The results from JWKS endpoint are cached by the Layer7 Mobile API Gateway SDK, as these results are unlikely to change frequently. The SDK stores the results into Keychain for security purposes. When the certificate for Layer7 Mobile API Gateway is changed or updated existing iOS application logins will attempt to use the previously designed certificate since it is cached by the SDK.

Environment

Mobile API Gateway 1.9.x, 2.

 

Resolution

Unfortunately for now we do not have any method to clear the cache for individual items.

But we do provide a method to clear the entire local cache in `MASDevice`.

MASDevice.h

/**
 *  Reset the application's locally stored data on the device only.  This does NOT call the back-end service to remove the device record.  You must call [[MASDevice currentDevice] deregisterWithCompletion:] to do that.
 *
 *  WARNING: if you call this method, all access credentials and locally stored configuration related to the application will be removed.  

 *  Re-authentication process will be triggered whenever you are trying to access the gateway.

 */

- (void)resetLocally;

[WARNING]

* Please use the above method very cautiously as this does NOT call the back-end service to remove the device record. You must call  [[MASDevice currentDevice] deregisterWithCompletion:] to do that.

* Please use the above method call in conjunction with [[MASDevice currentDevice] deregisterWithCompletion:].  So that both the server and client are in the same state.

Additional Information

This only affects iOS devices. The Android SDK has a feature implemented to force the reload of the JWKS endpoint.

A feature request exists internally to address this in future releases of the iOS SDK.