[Apiman-user] Token is not active.
Marc Savy
marc.savy at redhat.com
Thu Aug 13 08:12:10 EDT 2015
Hi,
I wonder if this is a manifestation of an old bug that was seen on
LiveOak: https://issues.jboss.org/browse/LIVEOAK-579 - it looks
remarkably similar in character.
You can see the relevant source code for the token here:
https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/JsonWebToken.java#L84
You can see it's not very complex. So I'll be surprised if the problem
is with that side of things - but perhaps.
In the past I made a custom version of the keycloak plugin with
additional logging. I've updated it, and you can build it below. In the
case of the error it'll print out a bunch of information about the token
which may help us diagnose the issue (on your gateway machine):
git clone https://github.com/msavy/apiman-plugins.git
cd apiman-plugins/
git checkout -b keycloak-logging origin/keycloak-logging
mvn clean install
Now you should be able to load up this 1.1.6-SNAPSHOT version of the
plugin and try it out.
Regards,
Marc
On 13/08/2015 12:57, Eric Wittmann wrote:
> In all these cases the UI kept working OK? Did you ever get any sort of
> failure in the UI? Example: missing data, page load failure, etc?
>
> -Eric
>
> On 8/12/2015 3:46 PM, Helio Frota wrote:
>> *16:07:56,984 INFO* [stdout] (default task-6) Getting info for user admin
>> *16:09:27,427 ERROR*
>> [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default
>> task-28) Failed to verify token: org.keycloak.
>>
>> Almost 2 min of inactivity..
>>
>> But I did a try with more minutes and no errors ...
>>
>> *16:36*:09,869 INFO [stdout] (default task-8) Got organization
>> HeavyMetalOrg: OrganizationBean [id=HeavyMetalOrg, name=HeavyMetalOrg,
>> description=The Heavy Metal Universe, createdBy=admin,
>> createdOn=2015-08-12 15:57:02.829, modifiedBy=admin,
>> modifiedOn=2015-08-12 15:57:02.829]
>> *16:42*:06,805 INFO [stdout] (default task-9) Getting info for user admin
>>
>>
>>
>> On Wed, Aug 12, 2015 at 4:40 PM, Helio Frota <00hf11 at gmail.com> wrote:
>>
>> Is this something you can reproduce? Or just something that
>> happened once?
>>
>> Unfortunately no. Just once.
>>
>> What did you experience when this occurred? Did you get sent to the
>> login page? Did you get a blank page? Error in the UI?
>>
>> Nothing, just navigating, clicking etc. No blank page or error in
>> the UI.
>>
>> On Wed, Aug 12, 2015 at 4:36 PM, Eric Wittmann <eric.wittmann at redhat.com> wrote:
>>
>> Is this something you can reproduce? Or just something that
>> happened once?
>>
>> What did you experience when this occurred? Did you get sent to
>> the login page? Did you get a blank page? Error in the UI?
>>
>> -Eric
>>
>> On 8/12/2015 3:23 PM, Helio Frota wrote:
>>
>> Hi all,
>>
>> I get this one too.
>>
>> I don't know if I clicked on some button or link or if the error just
>> arose from another dimension.
>>
>> *16:06:37,817 INFO* [stdout] (default task-59) Updated
>> plan: PlanBean
>> [organization=OrganizationBean [id=HeavyMetalOrg,
>> name=HeavyMetalOrg,
>> description=The Heavy Metal Universe, createdBy=admin,
>> createdOn=2015-08-12 15:57:02.829, modifiedBy=admin,
>> modifiedOn=2015-08-12 15:57:02.829], id=soundsLikeAPlan,
>> name=soundsLikeAPlan, description=454test, createdBy=admin,
>> createdOn=2015-08-12 15:59:41.355]
>> *16:07:56,984 INFO* [stdout] (default task-6) Getting info
>> for user admin
>> *16:09:27,427 ERROR*
>>
>> [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default
>> task-28) Failed to verify token:
>> org.keycloak.VerificationException:
>> Token is not active.
>> at
>> org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:46)
>> [keycloak-core-1.2.0.Final.jar:1.2.0.Final]
>> at
>> org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16)
>> [keycloak-core-1.2.0.Final.jar:1.2.0.Final]
>> at
>> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:67)
>> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final]
>> at
>> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:62)
>> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final]
>> at
>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:45)
>> [keycloak-adapter-core-1.2.0.Final.jar:1.2.0.Final]
>> at
>> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:114)
>> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final]
>> at
>> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:94)
>> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final]
>> at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54)
>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>> [keycloak-undertow-adapter-1.2.0.Final.jar:1.2.0.Final]
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166)
>> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
>> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> [rt.jar:1.8.0_45]
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> [rt.jar:1.8.0_45]
>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
>>
>>
>>
>>
>>
>> On Tue, Aug 11, 2015 at 5:16 AM, Marc Savy <marc.savy at redhat.com> wrote:
>>
>> I think this may pertain to the Keycloak OAuth2 token. In which case, I
>> provided Fadi with a version containing additional logging to see if we
>> could track the issue down.
>>
>> It's not an issue I've ever been able to replicate, and we don't fiddle
>> with the token data in any way, so I don't really see how we could
>> affect things.
>>
>> My only suggestions are to ensure that time is accurate on all of the
>> systems (NTP, Chronyd, etc), and I believe this has already been done.
>>
>> On 10/08/2015 18:00, Eric Wittmann wrote:
>> > How often does this occur? What is the result?
>> >
>> > I assume this is triggering a re-login in the UI?
>> >
>> > There is no caching on the apiman side. However the tokens issued by
>> > keycloak to the apiman UI do have an expiration. You could try logging
>> > into the keycloak auth admin UI and increasing the lifespan of the tokens.
>> >
>> > Any more details you can provide would be great.
>> >
>> > -Eric
>> >
>> > On 8/10/2015 8:56 AM, Fadi Abdin wrote:
>> >> I keep getting occasional "Token is not active." on the keycloak side
>> >> occasionally. It's really frustrating, I can't figure out what could
>> >> cause this to happen. Everything seems correct.
>> >>
>> >> Is there caching between API Man and Keycloak I can turn off? Has
>> >> anyone seen this behavior?
>> >>
>> >> Thanks,
>> >> Fadi
>> >> Express.com
>> >>
>> >>
>> >> _______________________________________________
>> >> Apiman-user mailing list
>> >> Apiman-user at lists.jboss.org
>> <mailto:Apiman-user at lists.jboss.org>
>> <mailto:Apiman-user at lists.jboss.org
>> <mailto:Apiman-user at lists.jboss.org>>
>> >> https://lists.jboss.org/mailman/listinfo/apiman-user
>> >>
>
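
Added example, not part of the original thread or of the Keycloak/apiman code: a small Python check that decodes a bearer token's time claims and compares them with the local clock, to separate a genuinely expired token from clock drift between hosts, which the thread suggests ruling out. It assumes a token is active when the clock is not past exp and not before nbf, with 0 or a missing value meaning unset; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import time

def decode_claims(token):
    """Return the JWT payload as a dict WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(claims, now=None):
    """Classify a token's exp/nbf/iat against a clock reading (epoch seconds).

    Assumption: exp or nbf equal to 0 (or absent) means the claim is unset.
    """
    now = int(time.time()) if now is None else now
    exp, nbf, iat = (int(claims.get(k) or 0) for k in ("exp", "nbf", "iat"))
    findings = []
    if exp and now > exp:
        findings.append(("expired", now - exp))
    if nbf and now < nbf:
        findings.append(("not-yet-valid", nbf - now))
    if iat and iat > now:
        # Issued "in the future": the issuer's clock is ahead of this host's clock.
        findings.append(("issued-in-future", iat - now))
    active = not any(name in ("expired", "not-yet-valid") for name, _ in findings)
    # A token that is not valid yet, or was issued in the future, points at
    # disagreeing clocks rather than at a stale token.
    skew_suspected = any(name != "expired" for name, _ in findings)
    return {"active": active, "findings": findings, "skew_suspected": skew_suspected}

def make_sample_token(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    issuer_now = 1439395767  # constructed issuer timestamp
    token = make_sample_token({"iat": issuer_now, "nbf": issuer_now, "exp": issuer_now + 300})
    # Gateway clock in sync, 90 s behind the issuer, and 400 s ahead of it.
    for drift in (0, -90, 400):
        print(drift, diagnose(decode_claims(token), now=issuer_now + drift))
```

The signature is deliberately not checked here, so the output is only a clock diagnosis and never a decision about whether to accept the token.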