[Apiman-user] Token is not active.

Fadi Abdin fadiabdeen at gmail.com
Fri Aug 14 11:47:21 EDT 2015 

I'm FINALLY ready to write a jira ticket , i think i'm able to identify the
what is happening

The logs coming in the policy prints the token information, I was surprised
to find that sometimes the token being sent is NOT the correct token I sent
to APIMan,

Example, If I hit a service with a token A , it prints the token B . Token
A is my token which is valid and i just got it , But token B is NOT even
mine and is expired from yesterday.

And this make sense to work after a restart , because it flushes all the
tokens and start fresh.

If there is a quick way to fix it , flush the tokens or whatever please let
me know .
I'm going to file a jira ticket , but i need things to work asap because we
are in QA now and going to production soon.



On Thu, Aug 13, 2015 at 1:20 PM, Eric Wittmann <eric.wittmann at redhat.com>
wrote:

> Fadi - we definitely do want to get to the bottom of this, so are happy to
> do what we can to help.
>
> Hopefully Marc's version of the OAuth2 plugin will help generate some
> information we can use to track down the problem.
>
> Can you please open a JIRA for this issue?  And please include as much
> information as you can, for example:
>
> * Version of apiman
> * Version of OAuth2 plugin
> * Setup/configuration (example: is Keycloak on a separate server?)
> * Any other environmental information you think might be relevant
>
> Having a JIRA issue will help us keep track of our progress on this issue.
>
> -Eric
>
> On 8/13/2015 11:52 AM, Fadi Abdin wrote:
>
>> Marc / Eric,
>>
>> Thank you for your help in the past , i really appreciate it . but my
>> issue did not get resolved yet .
>>
>> My Application is really simple , i get a token from keycloak and use
>> that token call API MAN services .
>>
>> When the application is fresh installed , this problem does not happened
>> often , but once many users using it and over time , it will start
>> rejecting tokens with the "Token is not active" message .
>>
>> for example if my service is on
>> https://myserver.com/api-gateway/myservice i pass a token like with an
>> access_token parameter
>>
>> https://myserver.com/api-gateway/myservice?access_token=<token value>
>> some time it return a value and some times not . i'm always using a new
>> browser , so its not the cashing.
>>
>> The only way to solve the issue is to restart keycloak/apiman , seems
>> they back in sync .
>>
>> It started a small problem with dev , but now its expanding because our
>> product with the QA people and this escalating .. Is there a way you
>> guys can help us a little more ? is there a paid support ?
>>
>> Thanks,
>>
>>
>>
>> On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy <marc.savy at redhat.com
>> <mailto:marc.savy at redhat.com>> wrote:
>>
>>     I think this may pertain to the Keycloak OAuth2 token. In which case,
>> I
>>     provided Fadi with a version containing additional logging to see if
>> we
>>     could track the issue down.
>>
>>     It's not an issue I've ever been able to replicate, and we don't
>> fiddle
>>     with the token data in any way, so I don't really see how we could
>>     affect things.
>>
>>     My only suggestions are to ensure that time is accurate on all of the
>>     systems (NTP, Chronyd, etc), and I believe this has already been done.
>>
>>
>>     On 10/08/2015 18:00, Eric Wittmann wrote:
>>
>>         How often does this occur?  What is the result?
>>
>>         I assume this is triggering a re-login in the UI?
>>
>>         There is no caching on the apiman side.  However the tokens
>>         issued by
>>         keycloak to the apiman UI do have an expiration.  You could try
>>         logging
>>         into the keycloak auth admin UI and increasing the lifespan of
>>         the tokens.
>>
>>         Any more details you can provide would be great.
>>
>>         -Eric
>>
>>         On 8/10/2015 8:56 AM, Fadi Abdin wrote:
>>
>>             I keep getting occasional "Token is not active." on they
>>             keycloak side
>>             occasionally . its really frustrating , i cant figure out
>>             what could
>>             cause this to happen. everything seems correct.
>>
>>             Is there caching between API Man and Keycloak i can turn off
>>             ?  Have
>>             anyone seeen this behavior ?
>>
>>             Thanks,
>>             Fadi
>>             Express.com
>>
>>
>>             _______________________________________________
>>             Apiman-user mailing list
>>             Apiman-user at lists.jboss.org <mailto:
>> Apiman-user at lists.jboss.org>
>>             https://lists.jboss.org/mailman/listinfo/apiman-user
>>
>>         _______________________________________________
>>         Apiman-user mailing list
>>         Apiman-user at lists.jboss.org <mailto:Apiman-user at lists.jboss.org>
>>         https://lists.jboss.org/mailman/listinfo/apiman-user
>>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20150814/62e0b97c/attachment-0001.html

More information about the Apiman-user mailing list