Change JWT Expiration interval in Edgemicro OAuth Implementation


Hello,

I am trying to implement the OAuth for the Microgateway proxies.

I can access https://{org.apigee.com}/edgemicro-auth/token and I am able to get the JWT as below. JWT has an expiration of 1799ms. I would like to change the expiration to a higher value (say 1hr). I did try setting the "accesstokenttl" to a different value at the Product scope as a custom attribute but the expiry remains the same. Is there a way to configure this? Just an FYI, I am using MGW 2.5.7 with OPDK 4.17.01.

Thanks.

{
  "application_name": "redacted",
  "client_id": "redacted",
  "scopes": [],
  "api_product_list": [
    "abcde"
  ],
  "iat": 1513276552,
  "exp": 1513278351
}

Hi @Vidya In your edgemicro-auth a node app issues your JWT. The default proxy has an expiry hard coded to 300 seconds - you can change this in the following piece of code in the index.js file - note the +300 - change this to whatever you want your expiry to be.

Cheers.

else if (request.url == "/verifyApiKey" && request.method == "POST") {
             token.application_name = apigee.getVariable(request, "apigee.developer.app.name");
             token.exp = tstamp + 300;//hard code expiry

Hi @Swithin Foote, Thanks for the quick reply. I just downloaded the edgemicro-auth proxy (attached) and cannot see the index.js. But there is another file inside /apiproxy/resources/node/api/controllers/verify_api_key.js. I hope you are referring to the below function where the expiration is provided ("expiresInSeconds"). Pls correct if I am wrong.

As this proxy is being deployed by Microgateway when it's configured first, I am not sure if it's OK to change the code. Shouldn't this be made a configurable parameter?

function convertToJWT(apigeeToken, cb) {
  var token = {
    application_name: apigeeToken.developer_app_name,
    client_id: apigeeToken.client_id,
    scopes: apigeeToken.app && apigeeToken.app.scopes ? apigeeToken.app.scopes : [],
    api_product_list: apigeeToken.app && apigeeToken.app.apiproducts ? apigeeToken.app.apiproducts : []
  };
  var options = { algorithm: 'RS256', expiresInSeconds: 0 };
  jwt.sign(token, options, cb);
}

If you would like to take a look at the proxy, pls share your email and I can send the proxy as a zip.

Thanks

Former Community Member

@Vidya, You'll first want to upgrade the edgemicro-auth proxy. You can do that with the command:

edgemicro upgradeauth

Once you have done the upgrade, see the screenshot I've attached.

6154-screen-shot-2017-12-14-at-122018-pm.png

You can edit the variables "token_expiry" and/or "refresh_token_expiry" from their default values.

Hi @Srinandan Sridhar, I tried to update the auth with the command but running into an error.

edgemicro upgradeauth -o <<org>> -e <<env>> -u <<admin>> -p <<admin_pwd>> –v default –b <<mgmt_api_url>>

I tried with edgemicro private too but getting the same error.

current nodejs version is v8.9.1
current edgemicro version is 2.5.8
/usr/local/lib/node_modules/edgemicro/cli/cmd.js:268
      options.error = optionError;
                    ^


TypeError: Cannot create property 'error' on string '–v'
    at Command.commander.command.option.option.option.option.option.option.description.action (/usr/local/lib/node_modules/edgemicro/cli/cmd.js:268:21)
    at Command.listener (/usr/local/lib/node_modules/edgemicro/node_modules/commander/index.js:315:8)
    at emitTwo (events.js:126:13)
    at Command.emit (events.js:214:7)
    at Command.parseArgs (/usr/local/lib/node_modules/edgemicro/node_modules/commander/index.js:653:12)
    at Command.parse (/usr/local/lib/node_modules/edgemicro/node_modules/commander/index.js:475:21)
    at setup (/usr/local/lib/node_modules/edgemicro/cli/cmd.js:302:13)
    at Object.<anonymous> (/usr/local/lib/node_modules/edgemicro/cli/edgemicro:31:19)
    at Module._compile (module.js:635:30)
    at Object.Module._extensions..js (module.js:646:10)
    at Module.load (module.js:554:32)
    at tryModuleLoad (module.js:497:12)
    at Function.Module._load (module.js:489:3)
    at Function.Module.runMain (module.js:676:10)

Former Community Member

@Swithin Foote, I don't think you need to edit the file in question. The expiry indicated there is for API Keys (which also uses JWT Tokens).

@srinandans - quite correct - I was talking API key. Your reply is correct.

hi @Swithin Foote @srinandans,

Is the same applicable for private cloud?

I get ReferenceError: upgradeauth is not defined. Upon checking, I see as below in cmd-private.js

promptForPassword(options,(options)=>{
    if (!options.password) { return options.error('password is required'); }
    upgradeauth.upgradeauth(options, () => { });
})
});

Former Community Member

@anarjinary@wiley.com @Vidya - There is a bug in v2.5.8. upgradeauth does not work for private cloud. I'm going to add this in v.2.5.9 (first in beta and then as GA). If you need something sooner, let me know. I will tell you how to work around the problem.

@Srinandan Sridhar: Pls share the workaround. We would like to test this first to ensure it works. Any ETA on 2.5.9 and 2.6?

Former Community Member

I have published a new release now. Please try:

npm install -g edgemicro@beta

This should install v2.5.10-beta. Please let me know if this fixes the problem.


@Srinandan Sridhar: I had a chance to work on this again. I have upgraded to the latest GA 2.5.12. This time I am having an access issue. I even tried using the Org Admin userid & pwd combination that I used to set up the environment but the result is still the same. Any suggestions? Just a reminder, we are on-prem 4.17.01.

root# edgemicro upgradeauth -o <org> -e <env> -u <<user>> -p <<password>>
current nodejs version is v8.9.4
current edgemicro version is 2.5.12
Give me a minute or two... this can take a while...
Error: Invalid credentials or not sufficient permission. Please correct and try again.
    at Request._callback (/usr/local/bin/node/lib/node_modules/edgemicro/node_modules/apigeetool/lib/commands/deployproxy.js:207:14)
    at Request.self.callback (/usr/local/bin/node/lib/node_modules/edgemicro/node_modules/request/request.js:186:22)
    at emitTwo (events.js:126:13)
    at Request.emit (events.js:214:7)
    at Request.<anonymous> (/usr/local/bin/node/lib/node_modules/edgemicro/node_modules/request/request.js:1163:10)
    at emitOne (events.js:116:13)
    at Request.emit (events.js:211:7)
    at IncomingMessage.<anonymous> (/usr/local/bin/node/lib/node_modules/edgemicro/node_modules/request/request.js:1085:12)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1055:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickCallback (internal/process/next_tick.js:180:9)

Thanks.

Former Community Member

"edgemicro upgradeauth" is used to upgrade the "edgemicro-auth" proxy (deploys a new revision). Is that what you had in mind?

Upgrading to edgemicro 2.5.12 does not require you to upgrade edgemicro-auth proxy.

Yes. I was under the assumption that edgemicro-auth still has to be updated (based on your comment on 12/14, JWT expiration interval is defined in "Create OAuth Request") irrespective of the version of the MGW. I will try and comment back.

@Srinandan Sridhar, I tried to generate the JWT with MGW v2.5.12 and am still not able to change the expiration. As you see below, it's 1799ms. Is there a setting to override this to a custom value?

{
  "application_name": "redacted",
  "client_id": "redacted",
  "scopes": [],
  "api_product_list": [
    "abcde"
  ],
  "iat": 1519245392,
  "exp": 1519247191
}

@Srinandan Sridhar: An update and possibly a bug uncovered. We had MGW v2.5.3 installed previously which installed edgemicro-auth (Revision 1) on the edge and was in deployed state. Upon fresh install or updating the MGW to 2.5.12, edgemicro-auth is not updated as I believe the installer checks for edgemicro-auth deployment status and if the proxy is in deployed state, it skips the edgemicro-auth deployment step.

As a workaround, we undeployed the edgemicro-auth proxy and installed the newer version of the MGW, which in turn installed the updated version of edgemicro-auth as Revision 2. After this, I was able to change the Token expiration and can get the JWT with extended expiration interval.
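
One way to confirm that a changed "token_expiry" actually took effect after redeploying edgemicro-auth, as an added example that is not part of the original thread or of the edgemicro code base: decode the issued JWT and compare exp - iat with the configured value. The function names, the 5-second tolerance and the sample token (the payload posted above, wrapped in an unsigned token with a placeholder signature) are assumptions made for illustration.

```javascript
// Added example: inspect the lifetime of a JWT returned by the token endpoint.
// Decoding only; the signature is NOT verified here, so use this for
// diagnostics, never for an authorization decision.

function b64urlDecode(segment) {
  // JWT segments are base64url without padding (RFC 7515).
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function tokenLifetime(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  const claims = JSON.parse(b64urlDecode(parts[1]));
  if (!Number.isFinite(claims.iat) || !Number.isFinite(claims.exp)) {
    throw new Error('iat/exp missing or not numeric');
  }
  // iat and exp are NumericDate values: seconds since the Unix epoch (RFC 7519).
  return { iat: claims.iat, exp: claims.exp, seconds: claims.exp - claims.iat };
}

// Compare the observed lifetime with the value configured in the proxy.
function checkTtl(jwt, expectedSeconds, toleranceSeconds = 5) {
  const { seconds } = tokenLifetime(jwt);
  if (seconds <= 0) return { ok: false, seconds, reason: 'exp is not after iat' };
  const ok = Math.abs(seconds - expectedSeconds) <= toleranceSeconds;
  return { ok, seconds, reason: ok ? 'matches configured TTL' : 'TTL differs from configuration' };
}

// Constructed sample: the payload posted in the thread, placed in an unsigned
// token with a placeholder signature segment.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const samplePayload = {
  application_name: 'redacted', client_id: 'redacted', scopes: [],
  api_product_list: ['abcde'], iat: 1513276552, exp: 1513278351,
};
const sampleJwt = [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(samplePayload), 'c2ln'].join('.');

// Expecting a one-hour token: reports the mismatch with the observed lifetime.
console.log(checkTtl(sampleJwt, 3600));
```

Run it against a freshly issued token after each proxy change; a result that still reports the old lifetime means the deployed revision of edgemicro-auth is not the one that was edited.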

Former Community Member

@Vidya

The following command only updates the MG runtime

npm install -g edgemicro

The following command updates only the edgemicro-auth proxy

edgemicro upgradeauth -o {org} -e {env} -u {user}

They are kept separate on purpose. You may want to update one without affecting the other.


@srinandans Ok. It's clear, but I tried the second option to update the edgemicro-auth, which failed with the error I posted yesterday about insufficient permissions. So I had to undeploy the auth proxy and proceeded with the MGW 2.5.12 installation, which deployed the latest auth proxy as a new revision.