
Fail to refresh token #238

Open

Claudiordev opened this issue Jan 7, 2025 · 10 comments

Labels: bug (Something isn't working)

Comments


Claudiordev commented Jan 7, 2025

Describe the bug
After the plugin is up and running on the vault instance, when some of the users try to refresh a token, the following error is output in the console:

2025-01-02T11:00:51.452Z [DEBUG] secrets.artifactory.artifactory_7260f7c7.artifactory.artifactory-secrets-plugin_1.8.4: failed to get Viewer role: err="could not get the token: HTTP response Invalid token, signature" func=refreshExpiredAccessToken timestamp=2025-01-02T11:00:51.452Z

They receive an Error 403 (permission denied, invalid token) or an Error 400 (missing access token) on their side.

This issue is related to issues #236 and #237.

This instance is configured with the exceptional case of a configuration without an access token:

vault write artifactory/config/admin url=***
vault write artifactory/config/admin use_expiring_tokens=true
vault write artifactory/config/admin default_description="Generated by Vault" max_ttl=14400 default_ttl=3600
vault write artifactory/config/user_token use_expiring_tokens=true
vault write artifactory/config/user_token default_description="Generated by Vault" max_ttl=14400 default_ttl=3600
vault write artifactory/config/user_token scope="applied-permissions/user"
vault write artifactory/config/user_token audience="jfrt@* jfxr@*"

Artifactory version: 7.98.7
Vault version: 1.18.2
Vault plugin version: 1.8.4

To Reproduce
Steps to reproduce the behavior:

  1. Initiate a vault instance and configure the artifactory plugin on one of the paths as above
  2. Try to get a refresh token by reading the artifactory path for a user configured within vault

Requirements for an issue

  • A description of the bug
  • A fully functioning vault configuration snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
  • Your version of artifactory (you can curl it at $host/artifactory/api/system/version)
  • Your version of vault
  • Your version of the vault plugin

Expected behavior
Refresh token generated every time the user executes the read command on the path "artifactory/user_token/"

Additional context
It was noticed that this error happened to 2 users, both of whom had 2FA enabled on Artifactory, but no further indications that this is related to the issue were discovered.

@Claudiordev Claudiordev added the bug Something isn't working label Jan 7, 2025
@Claudiordev (Author)

Hi @alexhung, any ideas on anything you want us to test about this one?

@alexhung (Member)

@Claudiordev

  1. if you can verify this issue is still happening with the latest release
  2. if you can run the plugin with debug logging set, e.g. using the -log-level=DEBUG cli arg, and share the logs.

These would be very helpful for me to trace the source of the issue.

@Claudiordev (Author)

Hi @alexhung, we have not verified the problem after the update, but very recently before the update. We already added the debug level, and we got the following in one of the cases:

[DEBUG] secrets.artifactory.artifactory_7260f7c7.artifactory.artifactory-secrets-plugin_1.8.4: failed to get Viewer role: err="could not get the token: HTTP response Invalid token, signature" func=refreshExpiredAccessToken timestamp=2025-01-02T11:00:51.452Z

Was any of the code produced in the 1.8.5 version focused on fixing this error?

@alexhung (Member)

@Claudiordev No, I want to make sure the lease revoke issue is resolved before I dive into this one.

@Claudiordev (Author)

@alexhung, after testing for a while, we have not had any more problems with the leases. We see the following very rarely in the logs:

2025-01-15T09:54:45.177Z [ERROR] secrets.artifactory.artifactory_fd15a342.artifactory.artifactory-secrets-plugin_1.8.5: revokenToken got non-200 status code: body=
  {
    "errors" : [ {
      "code" : "UNAUTHORIZED",
      "message" : "Invalid token, expired"
    } ]
  } func=RevokeToken statusCode=401 timestamp=2025-01-15T09:54:45.177Z

2025-01-15T09:54:45.178Z [WARN] expiration: revocation from the backend failed, but in force mode so ignoring: error=
  failed to revoke entry: resp: &logical.Response{Secret:<nil>, Auth:<nil>, Data:map[string]interface {}{"error":"failed to revoke access token"}, Redirect:"", Warnings:[]string(nil), WrapInfo:(*wrapping.ResponseWrapInfo)(nil), Headers:map[string][]string(nil), MountType:""} err: could not revoke tokenID: 9672ee0c-0ac4-4746-949e-eaf88fb1de17 - HTTP response {
    "errors" : [ {
      "code" : "UNAUTHORIZED",
      "message" : "Invalid token, expired"
    } ]
  }

But that's it. The one that is urgent to fix now would be the one mentioned in this issue.

@alexhung (Member)

@Claudiordev Thank you for the update. I'm glad the lease revoke issue seems to be resolved.

The log in your last message is for revoking token, which is different from this issue (refreshing token). I'll investigate the original issue first then come back to this one.

@Claudiordev (Author) commented Jan 22, 2025

Hi @alexhung

Ok, let me know; we are still facing complaints about the refresh token issue:

1 error occurred: * could not get the token: HTTP response Invalid token, revoked

@alexhung (Member) commented Jan 22, 2025

@Claudiordev What's the TTL for the user token? Is 3600 from above the value you used in your environment?

What's your token configuration in your Artifactory/Access (https://jfrog.com/help/r/jfrog-installation-setup-documentation/supported-access-configurations)? I wonder if there's some interaction between the token settings (e.g. refresh-expiry, default-expiry-interval, etc.) and the Vault token TTL.

Also, how consistent is this error? Is it happening for every token refresh? Or some proportion of it?
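The two questions above (is a given failure a refresh or a revoke, and what proportion of operations fail) can be answered from the plugin's own debug output. The script below is an added example, not code from the plugin or from anyone in this thread: it parses the logfmt-style records the plugin emits, separates them by the `func=` field (`refreshExpiredAccessToken` versus `RevokeToken`) and by the JFrog Access rejection reason (`Invalid token, signature|expired|revoked`), and collects any token IDs mentioned. The sample excerpt is constructed: the record shapes follow the lines quoted in this issue, but the timestamps, the `revoked` refresh line and the ordering are made up, and the JSON body is flattened onto one line for simplicity.

```python
"""Triage Vault Artifactory secrets-plugin log records by operation and Access error."""
import re
from collections import Counter

# One record: "<ts> [<LEVEL>] <component>: <message and key=value fields>"
LINE_RE = re.compile(r'^(?P<ts>\S+) \[(?P<level>\w+)\] (?P<component>[^:]+): (?P<rest>.*)$')
# logfmt-style key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'\b(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The three Access rejection reasons seen in this thread
ACCESS_ERR_RE = re.compile(r'Invalid token, (signature|expired|revoked)')
TOKEN_ID_RE = re.compile(r'tokenID: ([0-9a-fA-F-]{36})')
PLUGIN_MARKER = 'artifactory-secrets-plugin'

# Constructed sample excerpt (shapes follow the issue; values are made up except the
# signature/expired lines and the token ID, which are taken from the thread).
SAMPLE_LOG = """\
2025-01-02T11:00:51.452Z [DEBUG] secrets.artifactory.artifactory_7260f7c7.artifactory.artifactory-secrets-plugin_1.8.4: failed to get Viewer role: err="could not get the token: HTTP response Invalid token, signature" func=refreshExpiredAccessToken timestamp=2025-01-02T11:00:51.452Z
2025-01-15T09:54:45.177Z [ERROR] secrets.artifactory.artifactory_fd15a342.artifactory.artifactory-secrets-plugin_1.8.5: revokenToken got non-200 status code: body={"errors":[{"code":"UNAUTHORIZED","message":"Invalid token, expired"}]} func=RevokeToken statusCode=401 timestamp=2025-01-15T09:54:45.177Z
2025-01-15T09:54:45.178Z [WARN] expiration: revocation from the backend failed, but in force mode so ignoring: error=failed to revoke entry err: could not revoke tokenID: 9672ee0c-0ac4-4746-949e-eaf88fb1de17 - HTTP response Invalid token, expired
2025-01-22T08:12:03.001Z [DEBUG] secrets.artifactory.artifactory_fd15a342.artifactory.artifactory-secrets-plugin_1.8.5: failed to get Viewer role: err="could not get the token: HTTP response Invalid token, revoked" func=refreshExpiredAccessToken timestamp=2025-01-22T08:12:03.001Z
"""


def parse_record(line):
    """Return a dict for one log record, or None if the line is not a record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    access = ACCESS_ERR_RE.search(rest)
    token = TOKEN_ID_RE.search(rest)
    return {
        'ts': m.group('ts'),
        'level': m.group('level'),
        'component': m.group('component'),
        # Vault core records (e.g. "expiration") carry no func=; fall back to the component name
        'func': fields.get('func', m.group('component').split('.')[0]),
        'access_error': access.group(1) if access else None,
        'token_id': token.group(1) if token else None,
    }


def summarize(log_text):
    """Count plugin records per (func, access_error). Vault core 'expiration' WARNs echo the
    plugin's own RevokeToken failure, so only plugin-emitted records are counted."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec['access_error'] and PLUGIN_MARKER in rec['component']:
            counts[(rec['func'], rec['access_error'])] += 1
    return counts


def refresh_failure_share(counts):
    """Fraction of Access-rejected plugin operations that were token refreshes."""
    total = sum(counts.values())
    refresh = sum(n for (func, _), n in counts.items() if func == 'refreshExpiredAccessToken')
    return refresh / total if total else 0.0


def revoked_token_ids(log_text):
    """Sorted, de-duplicated token IDs mentioned in revocation failures."""
    ids = set()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec['token_id']:
            ids.add(rec['token_id'])
    return sorted(ids)


if __name__ == '__main__':
    counts = summarize(SAMPLE_LOG)
    for (func, reason), n in sorted(counts.items()):
        print(f'{func:28s} {reason:10s} {n}')
    print(f'refresh share of failures: {refresh_failure_share(counts):.2f}')
    print('token IDs in revoke failures:', revoked_token_ids(SAMPLE_LOG))
```

Run it against a real capture with `python3 triage.py < vault.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the three reasons are worth keeping apart, since `signature` points at the token itself being rejected by Access, while `expired` and `revoked` are lifetime questions that depend on the Vault TTL and the Access token settings asked about above.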

@Claudiordev (Author)

Hi @alexhung, the TTL is 3600:

These are the configurations we have in the plugin:

vault write artifactory/config/admin use_expiring_tokens=true
vault write artifactory/config/admin default_description="Generated by Vault" max_ttl=14400 default_ttl=3600
vault write artifactory/config/user_token use_expiring_tokens=true
vault write artifactory/config/user_token default_description="Generated by Vault" max_ttl=14400 default_ttl=3600
vault write artifactory/config/user_token scope="applied-permissions/user"

About the configuration in artifactory I do not have access to it, but Fredrik can provide that information.

It's just some proportion of it, from time to time, but when the user starts to have this error, the only fix is to redo the configuration again.

@Claudiordev (Author)

Hi Alex, the error is still persistent, any update on this one? Thanks

Development

No branches or pull requests

3 participants