Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-3809

authorisation flip flops when oidc config cannot be initialised

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • None
    • 2.6 GA
    • Gateway
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Hide
      • Deploy apicast 3.6 with a supported version of RH SSO.
      • Obtain a valid JWT token for 2 different clients registered to the same service in 3scale.
      • Send a request with the first JWT and see the 200 response All OK.
      • Bring down the RH SSO server or kill the connection APIcast has to be able to reach it.
      • Let the configuration auto update and send a request with the second JWT and see the 403 response Authentication Failed.
      • Send n requests with the first JWT which is now in the cache and see the authorisation flip flop
      Show
      Deploy apicast 3.6 with a supported version of RH SSO. Obtain a valid JWT token for 2 different clients registered to the same service in 3scale. Send a request with the first JWT and see the 200 response All OK. Bring down the RH SSO server or kill the connection APIcast has to be able to reach it. Let the configuration auto update and send a request with the second JWT and see the 403 response Authentication Failed. Send n requests with the first JWT which is now in the cache and see the authorisation flip flop

      When APIcast auto updates the configuration after the TTL expires on the configuration cache and cannot retrieve the OIDC config a warning error is printed:

      [warn] 31#31: *72 [lua] proxy.lua:206: handle_oauth(): failed to initialize OpenID Connect for service 2555417729090: missing OIDC configuration

      What now happens is that any JWTs in the cache will result in flip flopping authorisation requests and any JWTs not in the cache will always be rejected.

      What is the expected behaviour here?

      Logs have been added for investigation.

        1. rhssounreachable-cached-client.log
          21 kB
        2. rhssounreachable-non-cached-jwt.log
          7 kB

              Unassigned Unassigned
              rhn-support-keprice Kevin Price
              Eloy Coto Eloy Coto (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: