Description
I observed an issue with the OAuth 2 Bearer Token flow in Liferay where the OAuth2 Incoming Assertion Configuration defined in Instance Settings is not being picked up during access token generation.
When the same configuration is saved under System Settings, the access token generation works as expected. However, when configured at the Instance Settings level, Liferay fails to resolve the configuration and throws the following error:
No JWS signature keys for issuer: http://keycloak:8080/realms/liferay, in company: 56453292236465
Investigation
After investigating the issue, I reviewed the Liferay source code responsible for generating the access token, specifically in the handler:
LiferayJWTBearerGrantHandler
It appears that the scoped configuration was not being considered, which prevents Liferay from resolving the instance-level OAuth2 Incoming Assertion configuration.
Proposed Fix
To address this, I added scoped configuration support when the OAuth2InAssertionManagedServiceFactory service is registered.
The following configuration identifiers were included:
new String[] {
    "com.liferay.oauth2.provider.rest.internal.configuration." +
        "OAuth2InAssertionConfiguration",
    "com.liferay.oauth2.provider.rest.internal.configuration." +
        "OAuth2InAssertionConfiguration" +
            ".scoped"
}
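
Added example (not part of the original report and not Liferay code): a plain-Java model of why a factory registered only for the base PID never receives a configuration stored under the ".scoped" PID, using the issuer and company ID from the error above. The class names, the companyId field and the fallback to company 0 for system-wide settings are assumptions made for illustration.

```java
import java.util.*;

// Simplified stand-in for configuration dispatch; hypothetical names, not Liferay code.
public class ScopedPidModel {
    static final String PID =
        "com.liferay.oauth2.provider.rest.internal.configuration." +
            "OAuth2InAssertionConfiguration";

    // One stored configuration: the factory PID it was saved under plus its values.
    record Config(String factoryPid, long companyId, String issuer) {}

    // Models the managed service factory: it only sees PIDs it registered for.
    static class Factory {
        final Set<String> registeredPids;
        final Map<Long, Set<String>> issuersByCompany = new HashMap<>();

        Factory(String... pids) { registeredPids = Set.of(pids); }

        void deliver(Config c) {
            if (!registeredPids.contains(c.factoryPid())) return; // never dispatched
            issuersByCompany
                .computeIfAbsent(c.companyId(), k -> new HashSet<>())
                .add(c.issuer());
        }

        // Assumed lookup order: the instance's own entry, then system-wide (company 0).
        boolean resolves(long companyId, String issuer) {
            return issuersByCompany.getOrDefault(companyId, Set.of()).contains(issuer)
                || issuersByCompany.getOrDefault(0L, Set.of()).contains(issuer);
        }
    }

    public static void main(String[] args) {
        long companyId = 56453292236465L;
        String issuer = "http://keycloak:8080/realms/liferay";
        // Constructed samples: the same issuer saved at instance and at system level.
        Config instanceLevel = new Config(PID + ".scoped", companyId, issuer);
        Config systemLevel = new Config(PID, 0L, issuer);

        Factory before = new Factory(PID);                  // base PID only
        Factory after = new Factory(PID, PID + ".scoped");  // with the proposed fix
        before.deliver(instanceLevel);
        after.deliver(instanceLevel);
        System.out.println("instance config, base PID only: " + before.resolves(companyId, issuer));
        System.out.println("instance config, with .scoped:  " + after.resolves(companyId, issuer));

        before.deliver(systemLevel); // saving under System Settings uses the base PID
        System.out.println("system config, base PID only:   " + before.resolves(companyId, issuer));
    }
}
```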