Orion context broker global instance token - fiware-orion

I want to publish some data on the Orion context broker global instance and I have requested a token as described in the Quick start guide. When I continued coding (Java client) the next day I got:
Exception in thread "main" com.sun.jersey.api.client.ClientHandlerException: java.net.SocketException: Unexpected end of file from server
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155)
at com.sun.jersey.api.client.Client.handle(Client.java:652)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:509)
at publishers.fiware.OrionClient.getEntities(OrionClient.java:23)
at FiwareTest.main(FiwareTest.java:11)
Caused by: java.net.SocketException: Unexpected end of file from server
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:792)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:789)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1536)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:253)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153)
... 6 more
So I requested a new token and it worked again.
Does a token generated that way have an expiration time? How long is it?
Is there a way to get a non-expiring token?

According to the OpenStack Keystone default configuration, tokens expire after 1 hour:
http://docs.openstack.org/juno/config-reference/content/section_keystone.conf.html
# Amount of time a token should remain valid (in seconds).
# (integer value)
#expiration=3600
You can renew it by getting another one:
http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=#token-authentication-with-unscoped-authorization
POST /v3/auth/tokens HTTP/1.1
Host: test.ttcloud.net:5001
Content-Type: application/json
X-Auth-Token: {{user-token}}
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "{{user-token}}"
}
}
}
}
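The failure in the question is the usual outcome of caching a token for longer than Keystone's `expiration` setting allows. The following is an added example (not from the answer above or from the Orion/Keystone projects) of a small client-side cache that records `expires_at` from the token response and renews with the v3 "token" method quoted above a few minutes before the old token lapses, falling back to a fresh login once it has already expired. The `make_fake_issuer` stand-in and the clock are constructed for the demo; a real issuer would POST `renewal_body(old)` to `/v3/auth/tokens` and read the new token from the `X-Subject-Token` response header.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# Request body for the Keystone v3 "token" auth method quoted in the answer above:
# present the current, still-valid token and receive a fresh one.
def renewal_body(user_token: str) -> dict:
    return {"auth": {"identity": {"methods": ["token"], "token": {"id": user_token}}}}

# Keystone v3 returns the new token in the X-Subject-Token header and its expiry
# in the JSON body under token.expires_at (ISO 8601 UTC, e.g. "2015-11-06T15:32:17.893769Z").
def parse_expires_at(body: str) -> datetime:
    stamp = json.loads(body)["token"]["expires_at"]
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

# issue(None) performs a fresh login; issue(old_token) renews via the token method.
Issuer = Callable[[Optional[str]], Tuple[str, datetime]]

class TokenCache:
    """Keeps one token and renews it a safety margin before expires_at, so a client
    that runs longer than the configured token lifetime never sends a stale token."""

    def __init__(self, issue: Issuer, margin: timedelta = timedelta(minutes=5),
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._issue = issue
        self._margin = margin
        self._now = now
        self._token: Optional[str] = None
        self._expires: Optional[datetime] = None

    def get(self) -> str:
        now = self._now()
        if self._token is None or now + self._margin >= self._expires:
            # Renew with the current token only while it is still valid; after that a
            # renewal request is rejected and the client has to log in again.
            old = self._token if self._expires is not None and now < self._expires else None
            self._token, self._expires = self._issue(old)
        return self._token

# Constructed stand-in for POST /v3/auth/tokens (hypothetical, for the demo only): records
# what it was asked for and hands out tokens lasting the Keystone default of 3600 seconds.
def make_fake_issuer(now: Callable[[], datetime], calls: List[Optional[str]]) -> Issuer:
    def issue(old: Optional[str]) -> Tuple[str, datetime]:
        calls.append(old)
        expires = (now() + timedelta(seconds=3600)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        body = json.dumps({"token": {"expires_at": expires}})
        return f"tok-{len(calls)}", parse_expires_at(body)
    return issue

def demo() -> Tuple[List[str], List[Optional[str]]]:
    """Drive the cache with a fake clock; returns the tokens handed out and the issuer calls."""
    clock = {"t": datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)}
    calls: List[Optional[str]] = []
    cache = TokenCache(make_fake_issuer(lambda: clock["t"], calls), now=lambda: clock["t"])
    seen = [cache.get()]                    # 09:00 first login
    clock["t"] += timedelta(minutes=30)
    seen.append(cache.get())                # 09:30 still valid, token reused
    clock["t"] += timedelta(minutes=26)
    seen.append(cache.get())                # 09:56 inside the 5-minute margin, renewed with old token
    clock["t"] += timedelta(days=1)
    seen.append(cache.get())                # next day, long expired: fresh login instead of renewal
    return seen, calls

if __name__ == "__main__":
    print(demo())
```

The renewal margin matters: renewing only after a request has already failed means at least one request carries a dead token, which is exactly the "worked yesterday, fails today" symptom in the question. There is no non-expiring token in this flow; long-running clients renew on schedule instead.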

What does didn't find publicKey for kid error mean in Keycloak
2021-07-24T09:36:22,992 INFO [http-nio-5555-exec-9] o.k.a.KeycloakDeployment: Loaded URLs from https://foo.baz.com/auth/realms/sso/.well-known/openid-configuration
2021-07-24T09:36:23,156 ERROR [http-nio-5555-exec-9] o.k.a.r.AdapterTokenVerifier: Didn't find publicKey for kid: a7GiJ8syCz3UYPMlVKmfWb9tfPYLxbz_j5xWOniokg8
2021-07-24T09:36:23,181 ERROR [http-nio-5555-exec-9] o.k.a.r.AdapterTokenVerifier: Didn't find publicKey for kid: a7GiJ8syCz3UYPMlVKmfWb9tfPYLxbz_j5xWOniokg8
2021-07-24T09:36:23,410 ERROR [http-nio-5555-exec-3] o.k.a.r.AdapterTokenVerifier: Didn't find publicKey for kid: a7GiJ8syCz3UYPMlVKmfWb9tfPYLxbz_j5xWOniokg8
2021-07-24T09:36:23,412 ERROR [http-nio-5555-exec-1] o.k.a.r.AdapterTokenVerifier: Didn't find publicKey for kid: a7GiJ8syCz3UYPMlVKmfWb9tfPYLxbz_j5xWOniokg8
2021-07-24T09:36:23,415 ERROR [http-nio-5555-exec-1] o.k.a.r.AdapterTokenVerifier: Didn't find publicKey for kid: a7GiJ8syCz3UYPMlVKmfWb9tfPYLxbz_j5xWOniokg8
2021-07-24T09:36:23,417 ERROR [http-nio-5555-exec-3] o.k.a.r.AdapterTokenVerifier: Didn't find publicKey for kid: a7GiJ8syCz3UYPMlVKmfWb9tfPYLxbz_j5xWOniokg8
The service is verifying the integrity of a JWT and it is failing.
The verification is done by recalculating the signature based on the JWT's header and body and comparing it with the signature that is presented in the JWT. If the calculated signature and the one that is in the JWT match, the JWT surely comes from the expected party and no 3rd party has modified it (although a 3rd party could see it!).
For generating the signature, in the case of the most common method, RS256, a key is required. This key should only be obtained from the issuer of the token to guarantee the correctness of the verification process. For this reason, the token only holds a reference id for that key in the kid field.
The default certs' URL in your case should be:
https://foo.baz.com/auth/realms/sso/protocol/openid-connect/certs
The response should hold a key array similar to the response of Google's cert endpoint:
{
"keys": [
{
"kty": "RSA",
"alg": "RS256",
"e": "AQAB",
"n": "nQPB_WqGG18pjGSFGQwRLcZkcRojHHweN27mV1oTNeeH2quq5NvWibLEheiukVP60nXcGNpkP_PaycYahEfvAnJGLX_IscGAOJ67WWFs4M8wXHH6g2mTnalcAYgmpN1QDMVgz4NcWISXNTR-8FZfWgFN4LDZgK4f0wXOaJlh_Bzh-plPLJQUXyY7mZTEVsH8X3wg2fvV0Hxj_HudjgFlYPdDri1Oi4vI0wiKV4nJCRZ-INH3OIvPl-05WVjZ-XTSXdNjLNx35NM2Npcrr9VpZ8Xeg7pr0wjamqd_07xfEAdtFxsN6Ay6Ecz3k0onQP-6SLRCGLrMAxifziivmmafCQ",
"use": "sig",
"kid": "7f548f6708690c21120b0ab668caa079acbc2b2f"
},
{
"n": "psh4_fDTsNZ1JkC2BV6nsU7681neTu8D37bMwTzzT-hugnePDyLaR8a_2HnqJaABndr0793WQCkiDolIjX1wn0a6zTpdgCJL-vaFe2FqPg19TWsZ8O6oKZc_rtWu-mE8Po7RGzi9qPLv9FxJPbiGq_HnMUo0EG7J4sN3IuzbU--Wmuz8LWALwmfpE9CfOym8x5GdUzbDL1ltuC2zXCaxARDnPs6vKR6eW1MZgXqgQ6ZQO9FklH_b5WJYLBDmHAb6CguoeU-AozaoVrBHgkWoDkku7nMWoetULtgBP_tYtFM8zvJ9IDD6abZM0jl-bsHIm3XFz0MgAJ9FmPti9-iShQ",
"kty": "RSA",
"alg": "RS256",
"kid": "3df0a831e093fae1e24d77d47834405f95d17b54",
"e": "AQAB",
"use": "sig"
}
]
}
In a normal case, the kid from the JWT can be found in this response, so, with the value of the corresponding "n" field, the signature can be calculated. But in your case, the kid is not there.
Common problems in this case:
a new key was introduced in the keycloak realm and the kid is referencing the old one
the URL of the openid-configuration is not correct
there is a caching layer in front of keycloak, so the response of openid-configuration is not up to date
a compromised/3rd party modified token
refs: AdapterTokenVerifier
jwt.io
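The lookup the adapter performs, written out as an added example (not from the answer above and not Keycloak's own code): read `kid` from the JWT header, find the matching RSA key in the JWKS document, rebuild the public key from `n` and `e`, and only then check the RS256 signature over `header.payload`. Everything is standard-library Python; the RSA key pair is a toy built from two Mersenne primes so the example runs offline, and the `JWKS` dict stands in for what the realm's `/protocol/openid-connect/certs` URL would return. The "rotated key" and tampered-payload cases at the end reproduce the two failure modes the answer lists.

```python
import base64
import hashlib
import json

# Toy RSA key pair from two known Mersenne primes (constructed for this example; NOT secure).
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def int_to_b64url(i: int) -> str:
    return b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg): 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes) -> bytes:
    k = (N.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big")
    return pow(em, D, N).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(signing_input, k)

# Constructed JWKS document in the same shape as the certs response shown in the answer.
JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "toy-key-1",
                  "n": int_to_b64url(N), "e": int_to_b64url(E)}]}

def make_jwt(claims: dict, kid: str) -> str:
    """Issue an RS256 JWT with the toy key, labelling it with the given kid."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode()))

def verify_jwt(token: str, jwks: dict) -> dict:
    """Resolve kid against the JWKS, verify the signature, return the claims."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":          # never let the token pick a weaker algorithm
        raise ValueError("unsupported alg")
    kid = header.get("kid")
    key = next((k for k in jwks["keys"] if k.get("kid") == kid and k.get("kty") == "RSA"), None)
    if key is None:                           # the situation in the log lines above
        raise LookupError(f"Didn't find publicKey for kid: {kid}")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), n, e):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p_b64))

def check_token(token: str, jwks: dict) -> str:
    """Reduce the outcome to a short status string, mirroring what the adapter logs."""
    try:
        verify_jwt(token, jwks)
        return "ok"
    except LookupError as exc:
        return str(exc)
    except ValueError:
        return "rejected"

if __name__ == "__main__":
    good = make_jwt({"sub": "alice"}, "toy-key-1")
    print(check_token(good, JWKS))
    print(check_token(make_jwt({"sub": "alice"}, "rotated-kid"), JWKS))
```

The order of operations is the point: the key is selected by `kid` from material fetched from the issuer, not from anything inside the token, and the `alg` header is pinned before any key is used. When Keycloak rotates keys, tokens signed with a kid that the cached JWKS no longer (or does not yet) contain fail at the lookup step, which is the error in the log and why the answer points at stale caches and wrong discovery URLs first.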

K6 Get request results in error against specific endpoint URL

I am new to K6 and am trying to use the tool to perform a Get request to verify an API.
When the script is executed I get a warning that terminates the script. As far as I understand, this error is somewhat related to Go (if I have understood it correctly).
The result that I want to achieve is to be able to execute the Get request to the endpoint URL, but I would appreciate any kind of feedback if I have done anything incorrectly or should try another approach.
Script:
import http from "k6/http";
import { check } from "k6";
export default function () {
var url =
"https://endpoint.example.to.cloud/api/reports/v1/SMOKETESTC6KP6NWX";
var headerParam = {
headers: {
"Content-Type": "application/json",
},
};
const response = http.get(url, headerParam);
check(response, {
"Response status receiving a 200 response ": (r) => r.status === 200,
});
let body = JSON.parse(response.body);
}
Output:
WARN[0000] Request Failed error="Get \"https://endpoint.example.to.cloud/api/reports/v1/SMOKETESTC6KP6NWX\": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"
Changing URL endpoint:
If I change the URL endpoint (mockup URL) like below, there will be no errors:
...
var url = "https://run.mocky.io/v3/16fa8113-57e0-4e47-99b9-b5c55da93d71";
...
Updated solution to run this locally:
In order to run this locally I had to add the certificate and key:
Example:
export let options = {
...
tlsAuth: [
{
cert: open(`${__ENV.Certificate}`),
key: open(`${__ENV.Key}`),
},
],
};
In addition populate the execute command with --insecure-skip-tls-verify
Example:
k6 run -e Certificate=/home/cert/example_certification.crt -e Key=/home/cert/certification/example_key.key example.js --insecure-skip-tls-verify
k6 is written in Go, and the latest versions of Go have a breaking change in how they handle X.509 certificates: https://golang.org/doc/go1.15#commonname
As it says in the error message, you can temporarily allow the old behavior by setting a GODEBUG=x509ignoreCN=0 environment variable, but that will likely stop working in a few months with Go 1.17. Using the insecureSkipTLSVerify k6 option might also work, I haven't checked, but as the name implies, that stops any TLS verification and is insecure.
So the real solution is to re-generate your server-side certificate properly.

Drools stateful session per request

We are trying to use Drools as our rule engine service. What we have done so far is listed below:
Deployed workbench 7.2.Final
Deployed KIE server 7.2.0.Final
Configured some data objects, rules, deployed the changes to KIE server and we are able to execute the rule using rest API
Most of our requirements are satisfied by a stateless session (give a set of data, execute the rules and return the data, that's it). But using stateless sessions we have to compromise on many of the important features provided by Drools stateful sessions.
So we are trying to use a stateful session per request, which means the session should get disposed as soon as the request ends. Also, parallel requests should not interfere with each other even if the session name is the same.
We found out about the container runtime strategy configuration (Workbench > Deploy > {any container} > Process Configuration > Runtime strategy).
But even after configuring the container strategy to Per Request, it still behaves the same as Singleton (the session is not getting disposed after each request).
In a few places we read that the runtime strategy is only implemented in jBPM.
The way we make requests to the KIE server is shown below:
Request: POST {HOST}/kie-server/services/rest/server/containers/instances/TestRequest_1.0.4
{
"lookup": "ab-session", //stateful session
"commands": [
{
"insert": {
"out-identifier": "125",
"object": {
"com.myteam.testrequest.Product": {
"id": "123",
"name": "Hoo Hoo",
"count": 0
}
},
"return-object": "true"
}
},
{
"insert": {
"out-identifier": "126",
"object": {
"com.myteam.testrequest.Product": {
"id": "123",
"name": "Hoo Hoo",
"count": 0
}
},
"return-object": "true"
}
},
{"fire-all-rules": "hf2"}
]
}
We need help in achieving this requirement. Also, please help us understand if we have done something wrong.
In kmodule.xml you may try to add "prototype" scope, because default is "singleton":
<ksession name="SessionName" type="stateful" default="false" clockType="realtime" scope="prototype"/>

wso2am API manager 2.1 publisher change-lifecycle issue

I deployed API Manager 2.1.0 and set up the api-import-export-2.1.0 war file described here. After importing my API endpoint by uploading a zip file, the status is CREATED.
To actually publish the API I am calling the Publisher's change-lifecycle API but I am getting this exception:
TID: [-1234] [] [2017-07-06 11:11:57,289] ERROR
{org.wso2.carbon.apimgt.rest.api.util.exception.GlobalThrowableMapper}
- An Unknown exception has been captured by global exception mapper.
{org.wso2.carbon.apimgt.rest.api.util.exception.GlobalThrowableMapper}
java.lang.NoSuchMethodError:
org.wso2.carbon.apimgt.api.APIProvider.changeLifeCycleStatus(Lorg/wso2/carbon/apimgt/api/model/APIIdentifier;Ljava/lang/String;)Z
Any ideas on why?
I can get an access token (scope apim:api_view) and call this
:9443/api/am/publisher/v0.10/apis
to list the api's just fine.
I get a different access_token (for scope: apim:api_publish) and then call
:9443/api/am/publisher/v0.10/apis/change-lifecycle
but get the above Exception. Here's the example:
[root@localhost] ./publish.sh
View APIs (token dc0c1497-6c27-3a10-87d7-b2abc7190da5 scope: apim:api_view)
curl -k -s -H "Authorization: Bearer dc0c1497-6c27-3a10-87d7-b2abc7190da5" https://gw-node:9443/api/am/publisher/v0.10/apis
{
"count": 1,
"next": "",
"previous": "",
"list": [
{
"id": "d214f784-ee16-4067-9588-0898a948bb17",
"name": "Health",
"description": "health check",
"context": "/api",
"version": "v1",
"provider": "admin",
"status": "CREATED"
}
] }
Publish API (token b9a31369-8ea3-3bf2-ba3c-7f2a4883de7d scope: apim:api_publish)
curl -k -H "Authorization: Bearer b9a31369-8ea3-3bf2-ba3c-7f2a4883de7d" -X POST "https://gw-node:9443/api/am/publisher/v0.10/apis/change-lifecycle?apiId=d214f784-ee16-4067-9588-0898a948bb17&action=Publish"
{
"code":500,
"message":"Internal server error",
"description":"The server encountered an internal error. Please contact administrator.",
"moreInfo":"",
"error":[]
}
Issue resolved. In apim 2.1 the publisher & store API versions changed.
In apim 2.0 I was using:
:9443/api/am/publisher/v0.10/apis
:9443/api/am/store/v0.10/apis
but in apim 2.1 they are:
:9443/api/am/publisher/v0.11/apis
:9443/api/am/store/v0.11/apis

Lua socket HTTP getting connection refused

I'm trying to create a function that creates an issue in a GitHub repository using Lua socket.http, but I'm getting connection refused every time. The documentation for socket is a bit unclear and I couldn't find more helpful information on why the request is getting refused every time. I tried the following:
local config = {
token = "oauth token from github"
}
local http, ltn12 = require("socket.http"), require("ltn12")
local payload = '{"title": "Test", "body": "Test body", "labels": ["bug"]}'
local response, status, headers, line = http.request("https://api.github.com/repos/<username>/<repository>/issues?access_token=" .. config.token, payload)
So I checked again how to do it and there is a second form to do a request. I'm trying the following:
local response = {}
local _, status, headers, line = http.request{
url = "https://api.github.com/repos/<username>/<repository>/issues",
sink = ltn12.sink.table(response),
method = "POST",
headers = {
["Authorization"] = "token " .. config.token,
["Content-Length"] = payload:len()
},
source = ltn12.source.string(payload)
}
According to the socket documentation, this should make a POST request to the URL sending the payload as the body. If I print(status) it prints connection refused.
I'm ignoring the first return value as it is always 1.
I tried manually issuing the request using curl:
curl -H "Authorization: token <oauth token from github>" https://api.github.com/repos/<username>/<repository>/issues -XPOST -d '{"title": "Test", "body": "Test body", "labels": ["bug"]}'
And it posted the issue properly. I still can't figure out what is happening that causes the connection to get refused.