Fadi - we definitely do want to get to the bottom of this, so are happy to do what we can to help.

Hopefully Marc's version of the OAuth2 plugin will help generate some information we can use to track down the problem.

Can you please open a JIRA for this issue?  And please include as much information as you can, for example:

* Version of apiman
* Version of OAuth2 plugin
* Setup/configuration (example: is Keycloak on a separate server?)
* Any other environmental information you think might be relevant

Having a JIRA issue will help us keep track of our progress on this issue.

-Eric

On 8/13/2015 11:52 AM, Fadi Abdin wrote:

Marc / Eric,

Thank you for your help in the past , i really appreciate it . but my
issue did not get resolved yet .

My Application is really simple , i get a token from keycloak and use
that token call API MAN services .

When the application is fresh installed , this problem does not happened
often , but once many users using it and over time , it will start
rejecting tokens with the "Token is not active" message .

for example if my service is on
https://myserver.com/api-gateway/myservice i pass a token like with an
access_token parameter

https://myserver.com/api-gateway/myservice?access_token=<token value>
some time it return a value and some times not . i'm always using a new
browser , so its not the cashing.

The only way to solve the issue is to restart keycloak/apiman , seems
they back in sync .

It started a small problem with dev , but now its expanding because our
product with the QA people and this escalating .. Is there a way you
guys can help us a little more ? is there a paid support ?

Thanks,



On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy <marc.savy@redhat.com

<mailto:marc.savy@redhat.com>> wrote:

    I think this may pertain to the Keycloak OAuth2 token. In which case, I
    provided Fadi with a version containing additional logging to see if we
    could track the issue down.

    It's not an issue I've ever been able to replicate, and we don't fiddle
    with the token data in any way, so I don't really see how we could
    affect things.

    My only suggestions are to ensure that time is accurate on all of the
    systems (NTP, Chronyd, etc), and I believe this has already been done.


    On 10/08/2015 18:00, Eric Wittmann wrote:

        How often does this occur?  What is the result?

        I assume this is triggering a re-login in the UI?

        There is no caching on the apiman side.  However the tokens
        issued by
        keycloak to the apiman UI do have an expiration.  You could try
        logging
        into the keycloak auth admin UI and increasing the lifespan of
        the tokens.

        Any more details you can provide would be great.

        -Eric

        On 8/10/2015 8:56 AM, Fadi Abdin wrote:

            I keep getting occasional "Token is not active." on they
            keycloak side
            occasionally . its really frustrating , i cant figure out
            what could
            cause this to happen. everything seems correct.

            Is there caching between API Man and Keycloak i can turn off
            ?  Have
            anyone seeen this behavior ?

            Thanks,
            Fadi
            Express.com


            _______________________________________________
            Apiman-user mailing list

            Apiman-user@lists.jboss.org <mailto:Apiman-user@lists.jboss.org>
            https://lists.jboss.org/mailman/listinfo/apiman-user

        _______________________________________________
        Apiman-user mailing list
        Apiman-user@lists.jboss.org <mailto:Apiman-user@lists.jboss.org>
        https://lists.jboss.org/mailman/listinfo/apiman-user