Playbook: How to verify/debug a token generated on Microgateway?


Problem:

Encountered access_denied using a freshly generated token on Microgateway (MG)

Scenario:

While testing a setup of a newly installed/configured MG, the freshly generated token would be denied. [*** Note that the setup is a local setup and is not for production; therefore, the key/secret are not production key/usage. ***]

$ edgemicro token get -o org1 -e dev  -i sIXqz9MGzP2vJ4tFOU7MoiTIpRv2GmiK -s JKSdHTunbILHG3EG

current nodejs version is v7.8.0
current edgemicro version is 2.3.5

{ token: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhcHBsaWNhdGlvbl9uYW1lIjoiMGQ3OTYzOTEtZWNmNS00ZTAyLTgyMzktYzYxNzA3NGJiYTRlIiwiY2xpZW50X2lkIjoic0lYcXo5TUd6UDJ2SjR0Rk9VN01vaVRJcFJ2MkdtaUsiLCJzY29wZXMiOltdLCJhcGlfcHJvZHVjdF9saXN0IjpbIkVkZ2VNaWNyb1Rlc3RQcm9kdWN0Il0sImlhdCI6MTQ5MTcwMTg0MSwiZXhwIjoxNDkxNzAzNjQwfQ.oUPcDa8iPvOPW22NMQvZ2amJ0-ju5BuMbWCez4jTIKx1gy5Bz0Px0ANUg622SyvhKJqeCKj7F8DpgOhIE-3ofNC7ZivMePBX9Jt8ywVVXea40ZvyIHzFf9XdzR8PbFT5vmy_La0WutlRS4PMQ4lFFlBouBe0x99-l8cIfvBU_rx15nxEmz7qGgTQw62lx7b1feuNL-97CG4-6fQTmxwEi9jpFN28xo7-ZTwW1ZB72bdV-4QOmMMlt1cjoOFBTMC5GsZwTAGoqUskdlWbNleOayMA0UlArJFTTk3HdLesSsK-kmSGuGtpoPBFXg8eIIISdp3LZRDihHZJ7lPy3H2IPA' }

Running curl -i -H "Authorization: Bearer {token}" http://localhost:8000/hello/echo as shown below resulted in a 403 access_denied error:

$ curl -i -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhcHBsaWNhdGlvbl9uYW1lIjoiMGQ3OTYzOTEtZWNmNS00ZTAyLTgyMzktYzYxNzA3NGJiYTRlIiwiY2xpZW50X2lkIjoic0lYcXo5TUd6UDJ2SjR0Rk9VN01vaVRJcFJ2MkdtaUsiLCJzY29wZXMiOltdLCJhcGlfcHJvZHVjdF9saXN0IjpbIkVkZ2VNaWNyb1Rlc3RQcm9kdWN0Il0sImlhdCI6MTQ5MTcwMTg0MSwiZXhwIjoxNDkxNzAzNjQwfQ.oUPcDa8iPvOPW22NMQvZ2amJ0-ju5BuMbWCez4jTIKx1gy5Bz0Px0ANUg622SyvhKJqeCKj7F8DpgOhIE-3ofNC7ZivMePBX9Jt8ywVVXea40ZvyIHzFf9XdzR8PbFT5vmy_La0WutlRS4PMQ4lFFlBouBe0x99-l8cIfvBU_rx15nxEmz7qGgTQw62lx7b1feuNL-97CG4-6fQTmxwEi9jpFN28xo7-ZTwW1ZB72bdV-4QOmMMlt1cjoOFBTMC5GsZwTAGoqUskdlWbNleOayMA0UlArJFTTk3HdLesSsK-kmSGuGtpoPBFXg8eIIISdp3LZRDihHZJ7lPy3H2IPA" http://localhost:8000/hello/echo

HTTP/1.1 403 Forbidden
content-type: application/json
Date: Sat, 08 Apr 2017 18:58:55 GMT
Connection: keep-alive
Content-Length: 25
{"error":"access_denied"}

How to debug:

  • Restart Edge Microgateway in debug mode in one terminal session and observe the debug output:
    $ DEBUG=* edgemicro start -o org1 -e dev -k 5e3f3d95fad51606c7158279552e33e77fd2813d05cbec1cb05079b06e16f0e7 -s 3faa913b187f2a1127f956fca32652f9a22b7730e98d214225d7fa48a054b52c
  • Run curl -i -H "Authorization: Bearer {token}" http://localhost:8000/hello/echo in a second terminal session
  • Look for the entries below in the first terminal:

    gateway:main selected proxy http://mocktarget.apigee.net/ with base path /hello for request path /hello/echo +2h
    gateway:main sourceRequest +3ms 47b1dfc0-1e3c-11e7-a497-8fe904e2607b GET /hello/echo
    plugin:oauth Token expired error +2h
    plugin:oauth auth failure 403 access_denied { 'user-agent': 'curl/7.29.0',
    host: 'localhost:8000',
    accept: '*/*' } GET /hello/echo +0ms
    gateway:errors access_denied +27ms
    analytics flushing 1 records. 0 records remaining. +97ms
    
  • Per the debug output, the 403 was the result of a "Token expired" error.
  • Copy the token generated earlier
  • Go to a browser tab and enter http://jwt.io, scroll down to the debug section
  • Paste the token into the Encoded field and examine the Decoded output to make sure the client_id field matches the client_id used to generate the token earlier


  • Copy the exp epoch timestamp in the Decoded output
  • Go to a second browser tab, enter https://www.epochconverter.com/ and paste in the timestamp
  • Compare the converted expiry timestamp with the current timestamp on the node. In this case, the token had expired about 24 hours before the current system timestamp on the MG node.
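
The jwt.io and epochconverter steps can also be done locally, which keeps a live bearer token out of third-party sites. The Node.js sketch below is an added example, not part of the original post: the function names are assumptions, the sample token is constructed from the claim values of the first token on this page with a dummy signature, and the signature is not verified.

```javascript
// Added example (not from the original post): decode a JWT's claims locally and
// compare iat/exp with a clock. Debugging aid only: the signature is NOT verified.

function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated JWT segments');
  // JWT segments are base64url; map to the standard alphabet before decoding.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function checkToken(token, expectedClientId, nowSec) {
  const c = decodeJwtClaims(token);
  const iso = (s) => new Date(s * 1000).toISOString();
  const findings = [];
  if (c.client_id !== expectedClientId) findings.push('client_id mismatch');
  if (nowSec >= c.exp) findings.push(`expired ${nowSec - c.exp}s ago`);
  if (nowSec < c.iat) findings.push(`issued ${c.iat - nowSec}s in the future`);
  return {
    iat: iso(c.iat),
    exp: iso(c.exp),
    lifetimeSec: c.exp - c.iat,
    // For a token requested just now, this approximates the issuer-vs-local clock offset.
    ageSec: nowSec - c.iat,
    findings,
  };
}

// Constructed sample: claim values copied from the first token on this page,
// re-encoded here with a dummy signature segment.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ typ: 'JWT', alg: 'RS256' }), enc(claims), 'ZHVtbXk'].join('.');
}

const SAMPLE_CLIENT_ID = 'sIXqz9MGzP2vJ4tFOU7MoiTIpRv2GmiK';
const sampleToken = makeSampleToken({
  client_id: SAMPLE_CLIENT_ID, scopes: [], iat: 1491701841, exp: 1491703640,
});

// Check the sample against this machine's clock (run on the MG node).
console.log(checkToken(sampleToken, SAMPLE_CLIENT_ID, Math.floor(Date.now() / 1000)));
```

For a token requested seconds earlier, an "expired" finding or a large ageSec points at clock skew between the issuing Edge node and the MG node rather than at the token itself.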
Solution:

    In the above local setup, the MG node was set up with an NTP server while the Edge node did not have a proper NTP setup. NTP was then configured on the Edge node as follows:

    sudo yum install ntp
    sudo service ntpd stop
    sudo ntpdate 0.rhel.pool.ntp.org
    sudo service ntpd start

    After that, all newly generated tokens worked correctly and the curl -i -H "Authorization: Bearer {token}" http://localhost:8000/hello/echo call received a 200:

    $ curl -i -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhcHBsaWNhdGlvbl9uYW1lIjoiMGQ3OTYzOTEtZWNmNS00ZTAyLTgyMzktYzYxNzA3NGJiYTRlIiwiY2xpZW50X2lkIjoic0lYcXo5TUd6UDJ2SjR0Rk9VN01vaVRJcFJ2MkdtaUsiLCJzY29wZXMiOltdLCJhcGlfcHJvZHVjdF9saXN0IjpbIkVkZ2VNaWNyb1Rlc3RQcm9kdWN0Il0sImlhdCI6MTQ5MTg2Mzc3NCwiZXhwIjoxNDkxODY1NTczfQ.Cebs4eq477VmMQUxTPuDDYsO_-MC1dpZxfhHRVcbR0HsZhbBlbexYSoZQHh2H_uRS99UiDPKbLWxkskwQbLPdRplNHzyoD9kzmosccm_4zV7wo7z7dQO8LTQ3ZLhfzEYo7qQRbLmWXqzq69D6eMftXMFeuR32SyNeV3y20Ii8YiOpBDSBrug33NR3Qx34raeeOIvL9weTrvDJhqQbQ3sZQ7kAqcY-LeRTT_MgILJGqQ5aFjUhRpxPneCMv7tFR8RdeF5_NdiMlHrDALK9gJHV_H1bqLhE9OPqMsZUdbsDfjLDW1HnHQH8neXPYg9cfcW9O2ZDkLhdlgD3gBx6o2ADA" http://localhost:8000/hello/echo
    
    HTTP/1.1 200 OK
    access-control-allow-origin: *
    content-type: application/json; charset=utf-8
    date: Mon, 10 Apr 2017 22:36:47 GMT
    etag: W/"1b1-2Kz2fWY+pqWPkT/xvN+TFg"
    x-powered-by: Apigee
    x-response-time: 387
    Connection: keep-alive
    Transfer-Encoding: chunked
    
    {"headers":{"host":"mocktarget.apigee.net","accept":"*/*","user-agent":"curl/7.29.0","via":"1.1 localhost","x-authorization-claims":"eyJzY29wZXMiOltdfQ==","x-forwarded-host":"localhost:8000","x-request-id":"9819aab0-1e2d-11e7-a4c8-a3ca95aaab35.2e6de890-1e3e-11e7-a4c8-a3ca95aaab35","x-forwarded-for":"::1, 111.184.34.7","x-forwarded-port":"80","x-forwarded-proto":"http","connection":"keep-alive"},"method":"GET","url":"/","body":""}
    
    Comments
    Not applicable

    Thanks for the tutorial. I'm currently trying to delete the certificate - so that is the process of deletion of the key pair from the KVM, right? Found this doc CLI reference for Edge Microgateway link here. How can I upgrade a specific version of Edge Microgateway to the latest version of edgemicro-auth proxy? Thanks.

    ondig
    New Member

    Looks interesting. But anyway I don't understand how to debug. I will try to read one more time and after play online https://slots.io/

    Version history
    Last update: 04-10-2017 04:08 PM