Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Zowe JWT expiration time can be much longer than z/OSMF LPTA token expiration time #615

Closed
plavjanik opened this issue Apr 22, 2020 · 8 comments
Closed

Zowe JWT expiration time can be much longer than z/OSMF LPTA token expiration time #615

plavjanik opened this issue Apr 22, 2020 · 8 comments
Assignees
@taban03
Labels
bug Verified defect in functionality

Comments

@plavjanik
Copy link
Contributor

Describe the bug

Reported by @jordanCain on Slack:

I think I am seeing an issue with the apimlAuthenticationToken. It seems that my token is still valid when using the /gateway/auth/query endpoint but if I use the same token to call a z/osmf endpoint via the gateway I get 401? If I get a new apimlAuthenticationToken the zosmf endpoint works. I think this is something to do with the zosmf the ltpa the gateway is using becoming expired?

https://openmainframeproject.slack.com/archives/CC5UUL005/p1586358082094900

Steps to Reproduce

  1. Use z/OSMF that has shorted expiration time (e.g. 6 hours) than the APIML default time (24 hours).
  2. Get a Zowe JWT via /login
  3. Wait 6 hours
  4. Check it with /query
  5. Try to use it for z/OSMF via API gateway

Expected behavior

Zowe JWT token expiration time is not longer than z/OSMF expiration time - both /query and access to z/OSMF should fail after LTPA token is expired.

Zowe should determine the LTPA expiration automatically if possible. Otherwise, this should be explained in the documentation and the system programmer should be able to configure the Zowe JWT expiration time to match z/OSMF expiration time.

Details

  • Version and build number: latest released version at the time of opening
  • Test environment: Jordan Cain's environment
@plavjanik plavjanik added bug Verified defect in functionality new New issue that has not been worked on yet labels Apr 22, 2020
@jordanCain
Copy link
Contributor

Thanks for creating the issue, Expected behaviour is correct, let me know if I can help at all with this,

@taban03 taban03 added clarification Issue is being clarified in the discussion with the creator of the issue and removed new New issue that has not been worked on yet labels Apr 27, 2020
@jalel01 jalel01 added 20PI3 and removed 20PI2 labels Jun 1, 2020
@jalel01 jalel01 added help wanted and removed 20PI3 labels Jun 25, 2020
@jandadav jandadav removed the clarification Issue is being clarified in the discussion with the creator of the issue label Jul 27, 2020
@balhar-jakub balhar-jakub removed their assignment Jul 31, 2020
@balhar-jakub
Copy link
Member

Just a few remarks from looking a bit into the topic.
LTPA token default expiration time is 480 minutes. It seems that it is possible to set it up in the izu.ltpa.expiration property.
JWT token. First of all there are three configurable JWT related tokens.

I believe that JWT builder case is the one that we care about. In the documentation it states:
In the server_override.xml file, locate the following statement. Here, you can specify the elements and attributes that are used to build the JWT token.

which means that the server_override.xml file contain the actual value which can differ per instance and which can also differ from the expiration of the LTPA tokens.

The documentation related to the JWT token configuration is here: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.izua300/izuconfig_EnableJSONWebTokens.htm

In the documentation I didn't find any endpoint that will give us the information about the validity/expiration of the token.

@jordanCain Would it be possible to get the token from zOSMF on the startup and extract the expiration date in the Gateway?

@jordanCain
Copy link
Contributor

@balhar-jakub I'm not 100% sure i'm clear with that you're asking.

Are you suggesting that we the first time we get the token from z/OSMF we assume its expiration is the same as the default expiration? or we check the server_override.xml for the expiration time? and we then set the JWT to be the same? In this case we would have to assume the token from z/OSMF is newly created to ensure it's not already partially expired.

@balhar-jakub
Copy link
Member

@jordanCain Sorry for confusion. The process I had in mind looks like this:

  1. Start the API Mediation Layer
  2. Obtain a zOSMF JWT or LTPA token.
  3. Unwrap the information in the token to get the difference between the expiration and creation date
  4. Set the expiration time of the JWT tokens produced by the API ML to the time we found out in the step 3.

Does this clarify it?

@jordanCain
Copy link
Contributor

@balhar-jakub Yes that very clear thanks. As long as we can extract the expiration and creation time of the LTPA this sounds like a great solution.

@jalel01 jalel01 added 20PI3 and removed 20PI4 labels Aug 25, 2020
@balhar-jakub
Copy link
Member

@jordanCain Just some more information on what we found with @taban03.

In case zOSMF supports the JWT tokens, then the expiration works properly as the tokens are just reused.

The expiration case issue is happening when the zOSMF is in older version which doesn't support JWT and as such we can only use the LTPA token which we wrap into JWT provided by the API ML. There we have a default expiration of one day.

We propose to solve this issue by updating the default expiration time in the API ML to 8 hours which is default in the zOSMF and documenting the property to change the expiration time in case the user changed expiration of their LTPA token.

@balhar-jakub balhar-jakub mentioned this issue Aug 28, 2020
Merged
@balhar-jakub
Copy link
Member

It seems that the LTPA token decryption for retrieving the information depends on the extraction of the LTPA signing keys from the Liberty server, which doesn't really seems like worth it, as the amount of cases it affects is quite limited.

@taban03 taban03 mentioned this issue Aug 28, 2020
Merged
10 tasks
@balhar-jakub
Copy link
Member

With the merged PR and the change in the documentation we are closing this Issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@taban03 taban03

Labels
bug Verified defect in functionality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@balhar-jakub @jandadav @plavjanik @jordanCain @taban03 @jalel01