UAA restart invalidates a valid token
Paul Bakare
Hi,
What could cause a valid token to become invalid on UAA restart? I've noticed this over time, that a token (of client_credentials grant type) which has a validity of 315360000 and has been used for authentication and authorization of users and resource servers, suddenly returns invalid_token when validated after a UAA restart.

{
  "error": "invalid_token",
  "error_description": "eyJhbGciOiJIUzI1NiJ9.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.qnOvyxBNKkDADZ2ODyQfZ98nj7cqoSGMIouduERU3Vg"
}

Any ideas please?

Filip Hanik
We introduced a feature called 'revokable tokens'. A token would automatically be revoked if a client changed its secret. All tokens issued previously would be automatically revoked. In earlier versions of the UAA, if you have clients in your manifest, and override flag set to true, even though the secret didn't change in the manifest, the hashed secret was regenerated and thus this would expire all the tokens.

You have a couple of different options:

1. Update your UAA - this was fixed in https://www.pivotaltracker.com/n/projects/997278/stories/97682912
2. Set override to false for your bootstrapped clients and users

On Wed, Sep 9, 2015 at 8:22 AM, Kayode Odeyemi <dreyemi(a)gmail.com> wrote:
> Hi,

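A simplified model of the behaviour described in the reply above, added here as an illustration and not taken from the thread or from UAA's code: each token carries a fingerprint of the stored client secret hash, so re-hashing an unchanged secret with a fresh salt on restart revokes it. The names `ClientStore`, `revocation_signature` and `rehash_only_if_changed`, and the use of PBKDF2 as the hasher, are assumptions.

```python
import hashlib, hmac, os

def hash_secret(secret):
    """Salted hash with a fresh random salt (PBKDF2 is a stand-in hasher)."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

def verify_secret(secret, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)
    return hmac.compare_digest(digest, candidate)

def revocation_signature(client_id, stored):
    """Hypothetical fingerprint of the client record, embedded in each token."""
    return hashlib.sha256(client_id.encode() + stored).hexdigest()

class ClientStore:
    def __init__(self):
        self.hashes = {}

    def bootstrap(self, client_id, secret, override, rehash_only_if_changed):
        """Load a manifest client, as would happen on every restart."""
        stored = self.hashes.get(client_id)
        if stored is not None:
            if not override:
                return  # override false: the existing record is left alone
            if rehash_only_if_changed and verify_secret(secret, stored):
                return  # fixed behaviour: an unchanged secret keeps its hash
        self.hashes[client_id] = hash_secret(secret)  # new salt, new hash

    def issue_token(self, client_id):
        sig = revocation_signature(client_id, self.hashes[client_id])
        return {"cid": client_id, "rev_sig": sig}

    def is_valid(self, token):
        current = revocation_signature(token["cid"], self.hashes[token["cid"]])
        return hmac.compare_digest(token["rev_sig"], current)

def token_survives_restart(override, rehash_only_if_changed, new_secret=None):
    """Issue a token, replay the manifest bootstrap, then validate the token."""
    store = ClientStore()
    store.bootstrap("app", "s3cret", override, rehash_only_if_changed)
    token = store.issue_token("app")
    restart_secret = new_secret or "s3cret"
    store.bootstrap("app", restart_secret, override, rehash_only_if_changed)
    return store.is_valid(token)

if __name__ == "__main__":
    print("override, old behaviour:", token_survives_restart(True, False))
    print("override, fixed:        ", token_survives_restart(True, True))
    print("override false:         ", token_survives_restart(False, False))
```
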
Paul Bakare
Awesome. Option 2 is definitely the cause of the problem. Thank you very much.

On Wed, Sep 9, 2015 at 4:32 PM, Filip Hanik <fhanik(a)pivotal.io> wrote:
> We introduced a feature called 'revokable tokens'. A token would

Filip Hanik
After the fix, having override: true should not revoke the tokens. If it still does, then it's a bug and we would like to know. Thanks

On Wed, Sep 9, 2015 at 8:37 AM, Kayode Odeyemi <dreyemi(a)gmail.com> wrote:
> Awesome.