  1. Red Hat 3scale API Management
  2. THREESCALE-3809

Authorisation flip-flops when OIDC config cannot be initialised


Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • 2.6 GA
    • Gateway

    • Deploy APIcast 3.6 with a supported version of RH SSO.
    • Obtain a valid JWT token for 2 different clients registered to the same service in 3scale.
    • Send a request with the first JWT and see the 200 response All OK.
    • Bring down the RH SSO server or kill the connection APIcast has to be able to reach it.
    • Let the configuration auto update and send a request with the second JWT and see the 403 response Authentication Failed.
    • Send n requests with the first JWT which is now in the cache and see the authorisation flip flop.

    Description

      When APIcast auto updates the configuration after the TTL expires on the configuration cache and cannot retrieve the OIDC config, a warning error is printed:

      [warn] 31#31: *72 [lua] proxy.lua:206: handle_oauth(): failed to initialize OpenID Connect for service 2555417729090: missing OIDC configuration

      What now happens is that any JWTs in the cache will result in flip flopping authorisation requests and any JWTs not in the cache will always be rejected.

      What is the expected behaviour here?

      Logs have been added for investigation.
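
      Added example, not part of the original issue or of APIcast: a Python check that finds the warning quoted above in gateway error logs and classifies tokens by whether their 200/403 result alternates or is always 403. The token labels and the (token, status) response list are constructed assumptions, since the issue does not show an access-log format.

```python
import re
from collections import defaultdict

# The APIcast warning quoted in the description above.
OIDC_INIT_FAILED = re.compile(
    r"\[warn\].*handle_oauth\(\): failed to initialize OpenID Connect "
    r"for service (\d+): missing OIDC configuration"
)

def services_missing_oidc(error_log_lines):
    """Service ids whose OIDC configuration could not be initialised."""
    found = set()
    for line in error_log_lines:
        match = OIDC_INIT_FAILED.search(line)
        if match:
            found.add(match.group(1))
    return found

def classify_tokens(responses, min_changes=2):
    """Classify each token from its ordered 200/403 results.

    responses: iterable of (token_label, http_status) in request order.
    One 200 -> 403 change is an ordinary state change; min_changes or more
    changes means the decision alternates for the same token.
    """
    history = defaultdict(list)
    for token, status in responses:
        if status in (200, 403):
            history[token].append(status)
    result = {}
    for token, statuses in history.items():
        changes = sum(a != b for a, b in zip(statuses, statuses[1:]))
        if changes >= min_changes:
            result[token] = "flip-flop"
        elif all(s == 403 for s in statuses):
            result[token] = "always rejected"
        else:
            result[token] = "no flip-flop"
    return result

# Constructed sample input: the first log line is the warning from this
# issue; the second line and all responses are invented for the example.
SAMPLE_ERROR_LOG = [
    "[warn] 31#31: *72 [lua] proxy.lua:206: handle_oauth(): failed to initialize "
    "OpenID Connect for service 2555417729090: missing OIDC configuration",
    "[info] 31#31: *73 client closed connection",
]
SAMPLE_RESPONSES = [("jwt-1", 200), ("jwt-2", 403), ("jwt-1", 403),
                    ("jwt-1", 200), ("jwt-2", 403), ("jwt-1", 403)]
```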


          People

            Unassigned
            rhn-support-keprice Kevin Price
            Eloy Coto (Inactive)