Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OAuth token validation fails due to clock skew #757

Open
uwburn opened this issue Jan 29, 2024 · 4 comments
Open

OAuth token validation fails due to clock skew #757

uwburn opened this issue Jan 29, 2024 · 4 comments
Assignees
Labels
kind/bug Something isn't working. The software does not behave as expected or specified. scope/ce sovity's Open Source Community Edition task/analyze Need for investigation

Comments

@uwburn
Copy link

uwburn commented Jan 29, 2024

Bug Report

Description

Verification of OAuth token attached to requests fails due to skew between the verifying connector clock and the authorization server clock. This happens in particular if the authorization server clock is in the future in respect of the connector clock.

Expected Behavior

Connectors should be able to talk each other correctly, dealing with some amount of clock drift between connector and the authorization server.

Observed Behavior

Connectors experience errors in communication due to invalid tokens, e.g. exploring the catalog results in exception:

de.sovity.edc.utils.catalog.DspCatalogServiceException: {"@type":"dspace:CatalogError","dspace:code":"401","dspace:reason":"Token validation failed.","@context":{"dct":"https://purl.org/dc/terms/","edc":"https://w3id.org/edc/v0.0.1/ns/","dcat":"https://www.w3.org/ns/dcat/","odrl":"http://www.w3.org/ns/odrl/2/","dspace":"https://w3id.org/dspace/v0.8/"}}

Steps to Reproduce

Steps to reproduce the behavior:

  1. Verify authorization server clock to be slightly in the future (e.g. 1 second)
  2. Start from the example setup contained in docker-compose.yaml
  3. Ensure to use ce images
  4. Add configuration relevant to EDC OAuth + certificates for signing tokens and key aliases
  5. docker-compose up to start everything
  6. Open up the UI for one of the connectors
  7. Navigate to catalog browser
  8. See FAILED FETCHING CATALOG. error on the UI
  9. See error in the connector logs:
de.sovity.edc.utils.catalog.DspCatalogServiceException: 
{"@type":"dspace:CatalogError","dspace:code":"401","dspace:reason":"Token validation failed.","@context":{"dct":"https://purl.org/dc/terms/","edc":"https://w3id.org/edc/v0.0.1/ns/","dcat":"https://www.w3.org/ns/dcat/","odrl":"http://www.w3.org/ns/odrl/2/","dspace":"https://w3id.org/dspace/v0.8/"}}

Context Information

I have experienced this while trying to follow Productive Deployment Guide, using Keycloak as DAPS.

The error sparks from EDC Connector class org.eclipse.edc.iam.oauth2.rule.Oauth2ExpirationIssuedAtValidationRule, checks, at line 54 in particular, should take into account skew between connector's and auth server's clocks.

Looking at EDC Connector issues, it looks like this has been fixed by eclipse-edc/Connector#3728, which is included in v0.5.0, but sovity extensions is still on v0.2.1.

@uwburn uwburn added kind/bug Something isn't working. The software does not behave as expected or specified. scope/ce sovity's Open Source Community Edition task/analyze Need for investigation labels Jan 29, 2024
@tmberthold
Copy link
Contributor

Hello and thank you for opening the issue.

Yes, a colleague of ours (@richardtreier) has already addressed and fixed this in the core-edc and the fix was released with the core-edc version mentioned. In fact, we haven't migrated to this yet, I can only confirm that at this point.

I'll also link another colleague who takes care of planning our releases, maybe he can give a hint here when we'll migrate to the newer version of the core-edc v0.5.0 @AbdullahMuk .

@uwburn
Copy link
Author

uwburn commented Jan 29, 2024

Hello again, thank you for looking into the issue.

Knowing that using core-edc v0.5.0 is on the roadmap it's good news!

@AbdullahMuk
Copy link
Collaborator

@AbdullahMuk AbdullahMuk added the clean-backlog requires backlog cleaning label May 2, 2024
@SebastianOpriel SebastianOpriel removed the clean-backlog requires backlog cleaning label Oct 6, 2024
@SebastianOpriel
Copy link
Member

@efiege what is the status?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Something isn't working. The software does not behave as expected or specified. scope/ce sovity's Open Source Community Edition task/analyze Need for investigation
Projects
None yet
Development

No branches or pull requests

5 participants