There is a delay between generating an edgemicro token and using it.

I configured the edgemicro and configured my API product and Developer App. I am also able to generate my access token.

$ ./node_modules/edgemicro/cli/edgemicro token get -o *** -e prod -i *** -s ***
current nodejs version is v5.0.0
current edgemicro version is 2.4.6
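{ token: 'eyJhbGciOiJSUzI1NiJ9.eyJhcGlfcHJvZHVjdF9saXN0IjpbIkVkZ2VNaWNyb1Rlc3RQcm9kdWN0Il0sImF1ZGllbmNlIjoibWljcm9nYXRld2F5IiwianRpIjoiMjQ2MTQ4YTUtZDI2Yy00M2Q2LTk0YzAtNDM0MTY3ZDNlYzc2IiwiaXNzIjoiaHR0cHM6Ly9naXJpc2hnYWpyaWEtcHJvZC5hcGlnZWUubmV0L2VkZ2VtaWNyby1hdXRoL3Rva2VuIiwiYWNjZXNzX3Rva2VuIjoiU0VDQW1xblBmY0xOb3NKT0p2Wkc0NzNFcjMwaSIsImNsaWVudF9pZCI6IndyUUNRcTlvZERJZVdzRmtKTnFJTTVOcXJvSWtGUXlaIiwibmJmIjoxNDk3NTkyMzA2LCJpYXQiOjE0OTc1OTIzMDYsImFwcGxpY2F0aW9uX25hbWUiOiJiYjQ1MjI0Yy05MTk2LTRmY2EtODM5Ny1jNmVjNjJhYTkxN2QiLCJzY29wZXMiOlsiIl0sImV4cCI6MTQ5NzU5MjYwNn0.SiQUV_1IT0zvEsDmq8UcIzbTfuwc6UIxcuZpz7tSVijEOSmKjOb4h6D1LiJzBtmJkbEU3I7S5l92K0bYpVPDcklr_h2qnWquka4l88s0O704xNuuCtt0vHuySL_an1QUzAAirR8iBS5lXF62qhCro8Id_AEw7rNbOiO6rPiUKRwGs7yeHYBHfU5Z-eCkymOC6LMTHHKA2NLU5M47ViCujbxXNQlWAYkPhSw7WvUTn2HNj4YT2gVrzHbYttHqWMNWtpF3ZiDlbdbzRoNG067iwraJQNdy0cdstI134lwatx5fI4D3BYpsOswaW7cqpHKFYQ4XV06LOxmXuBZXCPFgkQ' }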

When I try to use this token immediately, I get the below error:

$ curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJhcGlfcHJvZHVjdF9saXN0IjpbIkVkZ2VNaWNyb1Rlc3RQcm9kdWN0Il0sImF1ZGllbmNlIjoibWljcm9nYXRld2F5IiwianRpIjoiMjQ2MTQ4YTUtZDI2Yy00M2Q2LTk0YzAtNDM0MTY3ZDNlYzc2IiwiaXNzIjoiaHR0cHM6Ly9naXJpc2hnYWpyaWEtcHJvZC5hcGlnZWUubmV0L2VkZ2VtaWNyby1hdXRoL3Rva2VuIiwiYWNjZXNzX3Rva2VuIjoiU0VDQW1xblBmY0xOb3NKT0p2Wkc0NzNFcjMwaSIsImNsaWVudF9pZCI6IndyUUNRcTlvZERJZVdzRmtKTnFJTTVOcXJvSWtGUXlaIiwibmJmIjoxNDk3NTkyMzA2LCJpYXQiOjE0OTc1OTIzMDYsImFwcGxpY2F0aW9uX25hbWUiOiJiYjQ1MjI0Yy05MTk2LTRmY2EtODM5Ny1jNmVjNjJhYTkxN2QiLCJzY29wZXMiOlsiIl0sImV4cCI6MTQ5NzU5MjYwNn0.SiQUV_1IT0zvEsDmq8UcIzbTfuwc6UIxcuZpz7tSVijEOSmKjOb4h6D1LiJzBtmJkbEU3I7S5l92K0bYpVPDcklr_h2qnWquka4l88s0O704xNuuCtt0vHuySL_an1QUzAAirR8iBS5lXF62qhCro8Id_AEw7rNbOiO6rPiUKRwGs7yeHYBHfU5Z-eCkymOC6LMTHHKA2NLU5M47ViCujbxXNQlWAYkPhSw7WvUTn2HNj4YT2gVrzHbYttHqWMNWtpF3ZiDlbdbzRoNG067iwraJQNdy0cdstI134lwatx5fI4D3BYpsOswaW7cqpHKFYQ4XV06LOxmXuBZXCPFgkQ"  -i http://localhost:8000/hello/echo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    25  100    25    0     0    178      0 --:--:-- --:--:-- --:--:--   201
HTTP/1.1 401 Unauthorized
content-type: application/json
Date: Fri, 16 Jun 2017 05:51:01 GMT
Connection: keep-alive
Content-Length: 25


{"error":"invalid_token"}

But when I try the same token after a couple of minutes, it seems to work.

$ curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJhcGlfcHJvZHVjdF9saXN0IjpbIkVkZ2VNaWNyb1Rlc3RQcm9kdWN0Il0sImF1ZGllbmNlIjoibWljcm9nYXRld2F5IiwianRpIjoiMjQ2MTQ4YTUtZDI2Yy00M2Q2LTk0YzAtNDM0MTY3ZDNlYzc2IiwiaXNzIjoiaHR0cHM6Ly9naXJpc2hnYWpyaWEtcHJvZC5hcGlnZWUubmV0L2VkZ2VtaWNyby1hdXRoL3Rva2VuIiwiYWNjZXNzX3Rva2VuIjoiU0VDQW1xblBmY0xOb3NKT0p2Wkc0NzNFcjMwaSIsImNsaWVudF9pZCI6IndyUUNRcTlvZERJZVdzRmtKTnFJTTVOcXJvSWtGUXlaIiwibmJmIjoxNDk3NTkyMzA2LCJpYXQiOjE0OTc1OTIzMDYsImFwcGxpY2F0aW9uX25hbWUiOiJiYjQ1MjI0Yy05MTk2LTRmY2EtODM5Ny1jNmVjNjJhYTkxN2QiLCJzY29wZXMiOlsiIl0sImV4cCI6MTQ5NzU5MjYwNn0.SiQUV_1IT0zvEsDmq8UcIzbTfuwc6UIxcuZpz7tSVijEOSmKjOb4h6D1LiJzBtmJkbEU3I7S5l92K0bYpVPDcklr_h2qnWquka4l88s0O704xNuuCtt0vHuySL_an1QUzAAirR8iBS5lXF62qhCro8Id_AEw7rNbOiO6rPiUKRwGs7yeHYBHfU5Z-eCkymOC6LMTHHKA2NLU5M47ViCujbxXNQlWAYkPhSw7WvUTn2HNj4YT2gVrzHbYttHqWMNWtpF3ZiDlbdbzRoNG067iwraJQNdy0cdstI134lwatx5fI4D3BYpsOswaW7cqpHKFYQ4XV06LOxmXuBZXCPFgkQ" -i http://localhost:8000/hello/echo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   703    0   703    0     0   1024      0 --:--:-- --:--:-- --:--:--  1047
HTTP/1.1 200 OK
access-control-allow-origin: *
content-type: application/json; charset=utf-8
date: Fri, 16 Jun 2017 05:57:32 GMT
etag: W/"2bf-EJujd42L5BmQgsq8DWlJGw"
x-powered-by: Apigee
x-response-time: 667
Connection: keep-alive
Transfer-Encoding: chunked


{"headers":{"host":"mocktarget.apigee.net","accept":"*/*","user-agent":"curl/7.45.0","via":"1.1 localhost","x-authorization-claims":"eyJhdWRpZW5jZSI6Im1pY3JvZ2F0ZXdheSIsImp0aSI6IjI0NjE0OGE1LWQyNmMtNDNkNi05NGMwLTQzNDE2N2QzZWM3NiIsImlzcyI6Imh0dHBzOi8vZ2lyaXNoZ2FqcmlhLXByb2QuYXBpZ2VlLm5ldC9lZGdlbWljcm8tYXV0aC90b2tlbiIsImFjY2Vzc190b2tlbiI6IlNFQ0FtcW5QZmNMTm9zSk9KdlpHNDczRXIzMGkiLCJuYmYiOjE0OTc1OTIzMDYsInNjb3BlcyI6WyIiXX0=","x-forwarded-host":"localhost:8000","x-request-id":"58c4bbd0-5257-11e7-82ac-1d5d6b2f5a14.832d8e50-5258-11e7-82ac-1d5d6b2f5a14","x-forwarded-for":"::1, 121.242.128.86","x-forwarded-port":"80","x-forwarded-proto":"http","connection":"keep-alive"},"method":"GET","url":"/","body":""}

Any ideas on what is causing this delay? Is it due to my incorrect configuration? I can share my configuration files, if required. As can be surmised, I am working off the sample provided in the docs.

Also, on a related note, a few more queries:

  • I am assuming that the run-time micro-service traffic does not flow through the Edge run-time, correct? If this is the case, why do we need to configure the micro-service on the edgemicro_* proxy?
  • Can I configure a micro-service against Apigee Edge public cloud, where the micro-service operates within the intranet only? Or should the micro-service be open to the internet?
  • Is the API product & Developer App necessary? Can I have a "naked" micro-service?

Thanks and really excited that Apigee is getting into this space. Keep up the great work.

Thanks,

Girish

ACCEPTED SOLUTION

Former Community Member

@Girish Gajria, thank you, we appreciate it.

Regarding the "invalid_token" error - this only happens when the JWT verification fails. It is clear the token has not expired. My suspicion is the "nbf" claim (Not Before) in the JWT. It is possible your machine's clock is a little behind. But this is a place I would start with.

Responses to "few more queries":

Item #1: In the hybrid model, we want a strategy of centralized authoring, distributed enforcement. By defining the proxies in Edge, you are authoring them in a central location. Each distributed gateway reads the proxy configuration from the central location. In some places, like Cloud Foundry, these proxies are automatically provisioned for you when you bind route services.

Item #2: I didn't quite understand this question. The choice of exposing or not exposing microservices to the internet is yours. There are no technical restrictions one way or another.

Item #3: API Product and Developer App are necessary only if you use the OAuth plugin. If you disable the plugin, there is no need to create those entities.

Thanks @Srinandan Sridhar, my apologies for the delay in response.

I was able to confirm that your suspicion is correct. For some reason, my system clock is off by a minute, hence the delay.

For Item #2, my query was: should my microservice be accessible to the Apigee Edge cloud (since we do configure it in the edgemicro_* api proxy)?

Given a scenario where I have a microservice {some-internal-system-host}/employee accessible within my intranet (not over internet), what should be the host on my edgemicro_employee proxy (it cannot be https://my-org.com/employee, since it is not accessible from the cloud)?

Another follow-up question:

As per docs, this should work with x-api-key header as well, but I get the below response:

$ curl -H "x-api-key: {my-api-key-goes-here}" -i http://localhost:8000/hello/echo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    25  100    25    0     0      3      0  0:00:08  0:00:07  0:00:01     5
HTTP/1.1 401 Unauthorized
content-type: application/json
Date: Tue, 20 Jun 2017 05:53:45 GMT
Connection: keep-alive
Content-Length: 25


{"error":"invalid_token"}

Any thoughts/suggestions?

Thanks Again,

Girish

Former Community Member

re: "Should the microservice be accessible to Apigee Edge cloud" - the answer is no. The endpoint on the proxy, like you have indicated, points to some internal hostname that won't be available to the cloud. That is perfectly fine.

re: "invalid_token" - again, I suspect the time stamp. Try it again: after you get an error, give it another shot in 1-2 mins.
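
The "nbf" and clock-skew diagnosis from the accepted answer can be checked by comparing a token's time claims with the verifier's clock. The sketch below is an added example, not part of the original thread and not edgemicro's own code: the function names and the `leeway` parameter are hypothetical, the token is constructed using only the time claims from the token in the question, and it assumes the Date header of the 401 response reflects the gateway host's clock. Signature verification is out of scope here.

```javascript
// Build a base64url segment from an object (used only to construct the sample token).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload of a compact JWT without verifying its signature.
function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// How a verifier whose clock reads `now` (epoch seconds) sees the token,
// allowing `leeway` seconds of clock skew (hypothetical parameter).
function checkTimeClaims(token, now, leeway = 0) {
  const { nbf, exp } = decodeClaims(token);
  if (typeof nbf === 'number' && now + leeway < nbf) {
    return { status: 'not_yet_valid', seconds: nbf - now };
  }
  if (typeof exp === 'number' && now - leeway >= exp) {
    return { status: 'expired', seconds: now - exp };
  }
  return { status: 'valid', seconds: typeof exp === 'number' ? exp - now : null };
}

// Constructed token: nbf/iat/exp copied from the question's token,
// header and signature are placeholders.
const sampleToken = [
  b64url({ alg: 'RS256' }),
  b64url({ nbf: 1497592306, iat: 1497592306, exp: 1497592606 }),
  'constructed-signature',
].join('.');

// Date header of the 401 response in the question (assumed to be the gateway clock).
const gatewayNow = Date.parse('Fri, 16 Jun 2017 05:51:01 GMT') / 1000;

console.log(checkTimeClaims(sampleToken, gatewayNow));       // strict check
console.log(checkTimeClaims(sampleToken, gatewayNow, 60));   // with 60 s leeway
console.log(checkTimeClaims(sampleToken, gatewayNow + 120)); // two minutes later
```

With a strict check, a verifier whose clock reads 05:51:01 sees the token as not valid for another 45 seconds, which matches a host clock running about a minute behind the token issuer.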