authentication failed when authtype is oauth

Hello All,

I have configured oauth type to oauth in the Maven profile. While building the code in Jenkins, the access token is validated, but API calls to the MS server are still failing with 401. Below is the console output:

Plugin version: apigee-config-maven-plugin is 1.4.3

[INFO] Retrieving config from /var/SP/data/jenkins/workspace/dev-deploy/TestAPI/edge.json
[INFO] Validating the access token passed
[INFO] Access Token valid
[INFO] Request prepared for the server
**************************
GET http://msserver/v1/organizations/apixdev/environments/dev/keyvaluemaps
accept: [application/json]
accept-encoding: [gzip]
authorization: [Bearer [Not shown in log]
[ERROR] 401 Unauthorized
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.653 s
[INFO] Finished at: 2020-08-07T12:24:24+01:00
[INFO] Final Memory: 25M/238M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.apigee.edge.config:apigee-config-maven-plugin:1.4.3:keyvaluemaps (create-config-kvm) on project TestAPI: Apigee network call error 401 Unauthorized -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal com.apigee.edge.config:apigee-config-maven-plugin:1.4.3:keyvaluemaps (create-config-kvm) on project TestAPI: Apigee network call error 401 Unauthorized


This is the profile:

<apigee.profile>apixdev-dev</apigee.profile>
<apigee.hosturl>http://msserver</apigee.hosturl>
<apigee.apiversion>v1</apigee.apiversion>
<apigee.org>apixdev</apigee.org>
<apigee.env>dev</apigee.env>
<apigee.username>${username}</apigee.username>
<apigee.password>${password}</apigee.password>
<apigee.tokenurl>https://sso-preprod-esp.apix.test.com</apigee.tokenurl> <!-- optional: oauth -->
<apigee.bearer>${bearer}</apigee.bearer> <!-- optional: Bearer token override -->
<!-- <apigee.refresh>${refresh}</apigee.refresh> --> <!-- optional: Refresh token override -->
<apigee.authtype>${authtype}</apigee.authtype> <!-- optional: oauth|basic(default) -->
<apigee.clientid>${clientId}</apigee.clientid> <!-- optional: Oauth Client Id - Default is edgecli-->
<apigee.clientsecret>${clientSecret}</apigee.clientsecret> <!-- optional: Oauth Client Secret Default is edgeclisecret-->

Hi,

Can you please share the profile from your pom. The one above does not look correct. Use the code block while copying code. Also please share your maven command that is being executed and more info from the logs.

<profile>
            <id>apixdev-dev</id>
            <properties>
                <apigee.profile>apixdev-dev</apigee.profile>
                <apigee.hosturl>http://msserver</apigee.hosturl>
                <apigee.apiversion>v1</apigee.apiversion>
                <apigee.org>apixdev</apigee.org>
                <apigee.env>dev</apigee.env>
                <apigee.username>${username}</apigee.username>
                <apigee.password>${password}</apigee.password>
                <apigee.tokenurl>https://sso-server</apigee.tokenurl>  <!-- optional: oauth -->
                <apigee.bearer>${bearer}</apigee.bearer>  <!-- optional: Bearer token override -->
                <!-- <apigee.refresh>${refresh}</apigee.refresh> --> <!-- optional: Refresh token override -->
                <apigee.authtype>${authtype}</apigee.authtype> <!-- optional: oauth|basic(default) -->
                <apigee.clientid>${clientId}</apigee.clientid> <!-- optional: Oauth Client Id - Default is edgecli-->
                <apigee.clientsecret>${clientSecret}</apigee.clientsecret> <!-- optional: Oauth Client Secret Default is edgeclisecret-->
            </properties>
        </profile>
        <profile>


			

Thanks for sharing that. Can you confirm you are passing the correct client_id and secret?

Hello Sai,

The client ID and secret are the defaults; I haven't given any client ID or secret. Below are the logs from the SSO server:


2020-08-07 12:00:51,773 [xIP:195.233.9.64 | uAgent:curl/7.29.0] [transactionId:sso_8a58a74c683146b593adb4331f4adca1 | method:POST | URI:/oauth/token | query:] : ClientAuthenticationSuccess ('edgecli authenticated successfully'): principal=edgecli, origin=[remoteAddress=37.25.138.28], identityZoneId=[uaa]
2020-08-07 12:00:51,899 [xIP:195.233.9.64 | uAgent:curl/7.29.0] [transactionId:sso_8a58a74c683146b593adb4331f4adca1 | method:POST | URI:/oauth/token | query:] : UserAuthenticationSuccess ('sso-machine-user'): principal=8e37eb35-4753-46b4-b3f5-09c5a4578189, origin=[remoteAddress=37.25.138.28], identityZoneId=[uaa]
2020-08-07 12:00:51,936 [xIP:195.233.9.64 | uAgent:curl/7.29.0] [transactionId:sso_8a58a74c683146b593adb4331f4adca1 | method:POST | URI:/oauth/token | query:] : TokenIssuedEvent ('["scim.me","openid","password.write","approvals.me","oauth.approvals"]'): principal=8e37eb35-4753-46b4-b3f5-09c5a4578189, origin=[client=edgecli, user=sso-machine-user], identityZoneId=[uaa]

[APINAME] $ java -Dapigee.config.options=update -Dusername=sso-machine-user -Dpassword=[*******] -Dauthtype=oauth -cp /var/SP/data/jenkins/maven35-agent.jar:/var/SP/data/jenkins/tools/hudson.tasks.Maven_MavenInstallation/M3/boot/plexus-classworlds-2.5.2.jar:/var/SP/data/jenkins/tools/hudson.tasks.Maven_MavenInstallation/M3/conf/logging jenkins.maven3.agent.Maven35Main /var/SP/data/jenkins/tools/hudson.tasks.Maven_MavenInstallation/M3 /var/SP/data/jenkins/remoting.jar /var/SP/data/jenkins/maven35-interceptor.jar /var/SP/data/jenkins/maven3-interceptor-commons.jar 32232
<===[JENKINS REMOTING CAPACITY]===>channel started
Executing Maven:  -B -f /var/SP/data/jenkins/workspace/jenkins-job/APINAME/pom.xml -B -X -Papixdev-dev -e clean install apigee-config:apiproducts apigee-config:developers apigee-config:apps apigee-config:maskconfigs
Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T08:58:13+01:00)
Maven home: /var/SP/data/jenkins/tools/hudson.tasks.Maven_MavenInstallation/M3
Java version: 1.8.0_112, vendor: Oracle Corporation

Hello Sai,

First one is the profile from settings.xml and second one is maven command executed by Jenkins. Below is the complete error output I can see on console

[INFO] Validating the access token passed
[INFO] Access Token valid
[INFO] Request prepared for the server
 **************************
GET  http://ms-server/v1/organizations/apixdev/environments/dev/keyvaluemaps
accept: [application/json]
accept-encoding: [gzip]
authorization: [Bearer [Not shown in log]
[ERROR] 401 Unauthorized
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.653 s
[INFO] Finished at: 2020-08-07T12:24:24+01:00
[INFO] Final Memory: 25M/238M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.apigee.edge.config:apigee-config-maven-plugin:1.4.3:keyvaluemaps (create-config-kvm) on project OAuth2TokenExchangeGrantV2: Apigee network call error 401 Unauthorized -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal com.apigee.edge.config:apigee-config-maven-plugin:1.4.3:keyvaluemaps (create-config-kvm) on project OAuth2TokenExchangeGrantV2: Apigee network call error 401 Unauthorized
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:309)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:194)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:107)
    at org.jvnet.hudson.maven3.launcher.Maven35Launcher.main (Maven35Launcher.java:130)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at jenkins.maven3.agent.Maven35Main.launch (Maven35Main.java:178)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at hudson.maven.Maven3Builder.call (Maven3Builder.java:139)
    at hudson.maven.Maven3Builder.call (Maven3Builder.java:70)
    at hudson.remoting.UserRequest.perform (UserRequest.java:211)
    at hudson.remoting.UserRequest.perform (UserRequest.java:54)
    at hudson.remoting.Request$2.run (Request.java:369)
    at hudson.remoting.InterceptingExecutorService$1.call (InterceptingExecutorService.java:72)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:617)
    at java.lang.Thread.run (Thread.java:745)
Caused by: org.apache.maven.plugin.MojoFailureException: Apigee network call error 401 Unauthorized
    at com.apigee.edge.config.mavenplugin.KVMMojo.doEnvUpdate (KVMMojo.java:242)
    at com.apigee.edge.config.mavenplugin.KVMMojo.execute (KVMMojo.java:354)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:134)
   
[ERROR] 
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

From the logs

Apigee network call error 401 Unauthorized

Looks like it's not passing through some authentication layer. Do you have a corporate proxy that you need to authenticate to before hitting the Management server?

Between

Jenkins and SSO = yes (but proxy doesn't need any authentication). I have added sso in no proxy hosts but not sure if this maven plugin is using proxy to connect sso server. Otherwise Jenkins and sso can communicate without proxy. Jenkins slave and new edge ui are on the same server.

Jenkins and MS server = no

MS and SSO server = no

Is the configuration fine?

I think Jenkins needs to bypass the corporate proxy to hit the Management server. The quick way to check is to create a simple Jenkins job with a shell step that executes a curl to hit the management API with a hardcoded token in it, just to test the connectivity.

sure Sai, Just 10 mins

Started by user 
Rebuilds build #2
Running as SYSTEM
[EnvInject] - Loading node environment variables.
Building remotely on slave1 (deploy) in workspace /var/SP/data/jenkins/workspace/test-token
[test-token] $ /bin/sh -xe /tmp/jenkins1762089729505484771.sh
+ curl -I -H 'Authorization: Bearer <redacted>' http://ms-server/v1/organizations/apixdev
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed


  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
HTTP/1.1 200 OK
Date: Fri, 07 Aug 2020 15:31:10 GMT
Content-Type: application/json
X-Apigee.user:sso-machine-user
X-Apigee.organization: apixdev
X-Apigee.backends: management-server
Date: Fri, 07 Aug 2020 15:31:10 GMT
Content-Length: 0


Finished: SUCCESS

Hello Sai,

The MS server is also in the no-proxy host list, so Jenkins doesn't need to use the proxy server.

Thanks for checking - Please update the above post to redact the token 🙂

Thanks for the advice. 🙂 Is there any way we can check if Maven is using the token for the management API call?

Can you contact me directly? My profile has my email id on it.

In your call - are you trying to generate a token outside and pass that to the job, or do you want the plugin to generate the token?

As of now the plugin is generating the token. I tried generating the token outside and populating the -Dbearer parameter, but it was not successful.

Can you share the maven command how your Jenkins is calling it.. (from your Jenkins file)

Hello Sai,

It is a maven project, we are not using jenkinsfile, but, in one of the above code blocks I have shared the command jenkins is using.

You have shared the logs from the execution, and that log has the maven command called twice. So please share the exact mvn command being executed.

Maven command: Executing Maven: -B -f /var/SP/data/jenkins/workspace/myworkspace/repositoryname/pom.xml -B -X -Papixdev-dev -e clean install apigee-config:apiproducts apigee-config:developers apigee-config:apps apigee-config:maskconfigs


Hope you have space between the arguments in the MAVEN_OPTS

yes sir. :-). invalid opts will fail the job

Best is to get on a meeting and investigate this.

Hello Sai,

How can we arrange a meeting?

Send me an email - its in my profile

Hello Sai,

It is a company setup. Is it possible for me to create a ticket so we can discuss it there?

No - this is not product related and they don't support the plugin.

I am from Apigee, Google and also author/maintain the Maven plugins. We can meet if you want to debug/investigate the issue.

For such issues, you can get help either through the community or opening a GitHub issue. You are following the correct process. Send me an email from your work email. We can work out a time and meet to check this out

Hello Sai,

I sent you an email from my corporate email id.

Hello Sai,

Thanks for the help.

Now authentication is working either way. i.e.

1. If we are configuring the plugin to generate the token

Issue found: The URL was not complete. It should be like <sso url>/oauth/token

or,

2. If we are generating the token before the maven plugin is used.

Issue found: There were double quotes in the token passed. While validating the token, the code was ignoring the quotes, hence validation was successful, but while using it for authentication the double quotes were used.

Thanks again.

Take care.

Glad it's sorted out. Token passed was the issue.

Please accept this answer
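
Added example (not part of the thread and not the plugin's own code): a pre-flight check for the Jenkins shell step that catches both root causes reported above, a token wrapped in double quotes and a token URL missing `/oauth/token`, before Maven is invoked. The function names are hypothetical, and it assumes the SSO server issues JWT access tokens.

```shell
#!/bin/sh
# Pre-flight checks to run before calling mvn with -Dauthtype=oauth.
# normalize_bearer and check_token_url are hypothetical helper names.

# Strip whitespace/CR/LF and one pair of surrounding double quotes (for
# example, left behind by `jq .access_token` without -r), then require
# the bare token to look like a JWT.
normalize_bearer() {
    tok=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case $tok in
        \"*\") tok=${tok#\"}; tok=${tok%\"} ;;
    esac
    # Assumption: access tokens are JWTs, i.e. three base64url segments.
    if printf '%s' "$tok" |
        grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'; then
        printf '%s' "$tok"
    else
        echo "bearer token is not a bare JWT (stray quotes or truncation?)" >&2
        return 1
    fi
}

# apigee.tokenurl must be the full token endpoint, not just the SSO host.
# Credentials are posted to this URL, so only https is accepted here.
check_token_url() {
    case $1 in
        https://*/oauth/token) return 0 ;;
        *)
            echo "apigee.tokenurl must be https://<sso host>/oauth/token: $1" >&2
            return 1
            ;;
    esac
}

# Constructed sample (not a real token): header.payload.signature
SAMPLE_JWT='eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl'

# Typical use in the build step (RAW_TOKEN comes from your own token call):
#   BEARER=$(normalize_bearer "$RAW_TOKEN") || exit 1
#   mvn -Papixdev-dev -Dauthtype=oauth -Dbearer="$BEARER" ...
```

Failing the build at this step gives a clear message instead of a 401 from the management server after the token has already been reported as valid.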