[Apiman-user] Token is not active.

Fadi Abdin fadiabdeen at gmail.com
Fri Aug 14 16:08:19 EDT 2015


I was only able to see the problem on the string parameter, but not the
bearer token when I use curl. That might do the trick for me after all the
struggle.

I'm having another problem with Bearer Token and CORS, that's why I'm not
using it and it works fine with the parameter. I'll open another case for
this.

On Fri, Aug 14, 2015 at 12:08 PM, Marc Savy <marc.savy at redhat.com> wrote:

> Hi Fadi,
>
> Will be happy to investigate. Could you try another test for me, please?
>
> Instead of setting the query parameter access_token, can you please
> instead use the Authorization header? This is a bit more resistant to some
> weirder forms of caching that might be going on in your pipeline.
>
> Authorization: Bearer <token here>
>
> Do *not* set the access_token query param.
>
> In cURL you can do this by putting:
>
> curl -v -H "Authorization: Bearer <token>" <url>
>
> Regards,
> Marc
>
> On 14/08/2015 16:47, Fadi Abdin wrote:
>
>> I'm FINALLY ready to write a jira ticket, I think I'm able to identify
>> what is happening.
>>
>> The logs coming in the policy print the token information. I was
>> surprised to find that sometimes the token being sent is NOT the correct
>> token I sent to APIMan.
>>
>> Example: if I hit a service with a token A, it prints the token B.
>> Token A is my token, which is valid and I just got it, but token B is
>> NOT even mine and is expired from yesterday.
>>
>> And this makes sense to work after a restart, because it flushes all the
>> tokens and starts fresh.
>>
>> If there is a quick way to fix it, flush the tokens or whatever, please
>> let me know.
>> I'm going to file a jira ticket, but I need things to work asap because
>> we are in QA now and going to production soon.
>>
>>
>>
>> On Thu, Aug 13, 2015 at 1:20 PM, Eric Wittmann <eric.wittmann at redhat.com> wrote:
>>
>>     Fadi - we definitely do want to get to the bottom of this, so are
>>     happy to do what we can to help.
>>
>>     Hopefully Marc's version of the OAuth2 plugin will help generate
>>     some information we can use to track down the problem.
>>
>>     Can you please open a JIRA for this issue?  And please include as
>>     much information as you can, for example:
>>
>>     * Version of apiman
>>     * Version of OAuth2 plugin
>>     * Setup/configuration (example: is Keycloak on a separate server?)
>>     * Any other environmental information you think might be relevant
>>
>>     Having a JIRA issue will help us keep track of our progress on this
>>     issue.
>>
>>     -Eric
>>
>>     On 8/13/2015 11:52 AM, Fadi Abdin wrote:
>>
>>         Marc / Eric,
>>
>>         Thank you for your help in the past, I really appreciate it,
>>         but my issue did not get resolved yet.
>>
>>         My application is really simple: I get a token from keycloak and
>>         use that token to call API MAN services.
>>
>>         When the application is freshly installed, this problem does not
>>         happen often, but once many users are using it and over time, it
>>         will start rejecting tokens with the "Token is not active" message.
>>
>>         For example, if my service is on
>>         https://myserver.com/api-gateway/myservice I pass a token with an
>>         access_token parameter, like
>>
>>         https://myserver.com/api-gateway/myservice?access_token=<token value>
>>
>>         Sometimes it returns a value and sometimes not. I'm always using
>>         a new browser, so it's not the caching.
>>
>>         The only way to solve the issue is to restart keycloak/apiman,
>>         it seems they are back in sync.
>>
>>         It started as a small problem with dev, but now it's expanding
>>         because our product is with the QA people and this is escalating.
>>         Is there a way you guys can help us a little more? Is there paid
>>         support?
>>
>>         Thanks,
>>
>>
>>
>>         On Tue, Aug 11, 2015 at 4:16 AM, Marc Savy <marc.savy at redhat.com> wrote:
>>
>>              I think this may pertain to the Keycloak OAuth2 token. In
>>              which case, I provided Fadi with a version containing
>>              additional logging to see if we could track the issue down.
>>
>>              It's not an issue I've ever been able to replicate, and we
>>              don't fiddle with the token data in any way, so I don't
>>              really see how we could affect things.
>>
>>              My only suggestions are to ensure that time is accurate on
>>              all of the systems (NTP, Chronyd, etc), and I believe this
>>              has already been done.
>>
>>
>>              On 10/08/2015 18:00, Eric Wittmann wrote:
>>
>>                  How often does this occur?  What is the result?
>>
>>                  I assume this is triggering a re-login in the UI?
>>
>>                  There is no caching on the apiman side.  However the
>>                  tokens issued by keycloak to the apiman UI do have an
>>                  expiration.  You could try logging into the keycloak
>>                  auth admin UI and increasing the lifespan of the tokens.
>>
>>                  Any more details you can provide would be great.
>>
>>                  -Eric
>>
>>                  On 8/10/2015 8:56 AM, Fadi Abdin wrote:
>>
>>                      I keep getting occasional "Token is not active." on
>>                      the keycloak side occasionally. It's really
>>                      frustrating, I can't figure out what could cause
>>                      this to happen. Everything seems correct.
>>
>>                      Is there caching between API Man and Keycloak I can
>>                      turn off? Has anyone seen this behavior?
>>
>>                      Thanks,
>>                      Fadi
>>                      Express.com
>>
>>
>>                      _______________________________________________
>>                      Apiman-user mailing list
>>                      Apiman-user at lists.jboss.org
>>                      https://lists.jboss.org/mailman/listinfo/apiman-user
>>
>
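
An added example, not part of the original thread and not apiman or Keycloak code: a diagnostic helper for the symptom reported above, where the policy log shows a different, already expired token than the one the client sent. It assumes the access tokens are JWTs carrying `exp`/`iat` claims; all function names, the timestamp and the sample tokens are constructed for illustration.

```python
import base64, hashlib, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped sample for offline use only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])

def claims_of(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def fingerprint(token: str) -> str:
    """Short SHA-256 digest so tokens can be compared in logs without printing them."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def diagnose(sent: str, seen: str, now: int, skew: int = 30) -> str:
    """Compare the token the client sent with the one the gateway policy logged."""
    if fingerprint(sent) != fingerprint(seen):
        c = claims_of(seen)
        state = "expired" if c["exp"] + skew < now else "unexpired"
        return f"MISMATCH: gateway saw a different, {state} token (sub={c.get('sub')})"
    c = claims_of(sent)
    if c["exp"] + skew < now:
        return "EXPIRED: same token, past exp"
    if c.get("nbf", c.get("iat", 0)) - skew > now:
        return "NOT_YET_VALID: same token, check clock sync"
    return "OK"

NOW = 1439582899  # constructed timestamp
# Token A: fresh token the client just obtained. Token B: someone else's, a day old.
TOKEN_A = make_sample_token({"sub": "user-a", "iat": NOW - 10, "exp": NOW + 290})
TOKEN_B = make_sample_token({"sub": "user-b", "iat": NOW - 86400, "exp": NOW - 86100})

if __name__ == "__main__":
    print(diagnose(TOKEN_A, TOKEN_B, NOW))  # the mismatch case from the thread
    print(diagnose(TOKEN_A, TOKEN_A, NOW))  # the healthy case
```

A MISMATCH result points at something between client and policy substituting the token (for example a cached response keyed on the URL), while NOT_YET_VALID points at the clock-sync suggestion made earlier in the thread.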