Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT expired in Eclipse Che after upgrading from 2023.10.7 to 2024.2.2 #8834

Closed
jejbq opened this issue Mar 7, 2024 · 2 comments · May be fixed by #8887
Closed

JWT expired in Eclipse Che after upgrading from 2023.10.7 to 2024.2.2 #8834

jejbq opened this issue Mar 7, 2024 · 2 comments · May be fixed by #8887
Labels
wontfix

Comments

@jejbq
Copy link

jejbq commented Mar 7, 2024
edited
Loading

Hello,

Is it possible that the following modification to authentik/crypto/apps.py will generate a JWT expired exception in Eclipse Che?

Is it possible that there has been a typing error and that one of the TWO not_valid_after_utc should be in fact not_valid_before_utc?

authentik/crypto/apps.py

-            now < cert.certificate.not_valid_before or now > cert.certificate.not_valid_after
+            now < cert.certificate.not_valid_after_utc or now > cert.certificate.not_valid_after_utc

Related to events: fix SystemTask timestamps and scheduling (https://github.com/goauthentik/authentik/pull/8435)

Eclipse Che Java exceptions after moving from 2023.10.7 to 2024.2.2

HTTP Status 500Internal Server Error

Type Exception Report

Message JWT expired at 2024-03-07T12:37:30Z. Current time: 2024-03-07T12:48:34Z, a difference of 661493 milliseconds. Allowed clock skew: 3000 milliseconds.

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

io.jsonwebtoken.ExpiredJwtException: JWT expired at 2024-03-07T12:37:30Z. Current time: 2024-03-07T12:48:34Z, a difference of 661493 milliseconds.  Allowed clock skew: 3000 milliseconds.
	io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:448)
	io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:550)
	io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:610)
	io.jsonwebtoken.impl.ImmutableJwtParser.parseClaimsJws(ImmutableJwtParser.java:173)
	org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.processToken(OidcTokenInitializationFilter.java:80)
	org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:127)
	org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
	com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
	com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)

Note The full stack trace of the root cause is available in the server logs.
Apache Tomcat/10.1.6

Thanks.

Originally posted by @jejbq in #8435 (comment)
@jejbq
Copy link
Author

jejbq commented Mar 7, 2024
edited
Loading

Another backtrace of Eclipse Che after our Authentik upgrade to 2024.2.2

HTTP Status 500Internal Server Error

Type Exception Report

Message JWT expired at 2024-03-06T14:12:53Z. Current time: 2024-03-06T15:43:45Z, a difference of 5449154 milliseconds. Allowed clock skew: 3000 milliseconds.

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

io.jsonwebtoken.ExpiredJwtException: JWT expired at 2024-03-06T14:12:53Z. Current time: 2024-03-06T15:43:45Z, a difference of 5449154 milliseconds.  Allowed clock skew: 3000 milliseconds.
    io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:448)
    io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:550)
    io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:610)
    io.jsonwebtoken.impl.ImmutableJwtParser.parseClaimsJws(ImmutableJwtParser.java:173)
    org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.processToken(OidcTokenInitializationFilter.java:80)
    org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:127)
    org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
    com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
    com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)

Note The full stack trace of the root cause is available in the server logs.
Apache Tomcat/10.1.6

This is a workaround in Kubernetes for Eclipse Che, otherwise we need to roll Authentik back to version 2023.10.7 until this issue is resolved: eclipse-che/che#22765

@jejbq jejbq mentioned this issue Mar 12, 2024
Open
jejbq added a commit to jejbq/authentik that referenced this issue Mar 12, 2024
@jejbq
Fixed a typo in authentik/crypto/apps.py and use same now in test.py …
eebadd5 
…(related to issue goauthentik#8834 and pull goauthentik#8435)
@jejbq jejbq mentioned this issue Mar 12, 2024
Draft
@authentik-automation
Copy link
Contributor

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@authentik-automation authentik-automation bot closed this as not planned Won't fix, can't repro, duplicate, stale May 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
wontfix
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

crypto: fix type in managed JWT Cert reconciliation jejbq/authentik
1 participant
@jejbq