Config with both APIML and direct-connection profiles gets authentication errors

[gejohnston]

When both an APIML-controlled profile and a direct-to-service profile are both in a team config file, you can encounter an error which implies that you need an APIML token to connect to the direct-to-service profile.

This misbehavior occurs in both Zowe Explorer and Zowe CLI. A fix might be made to both of those repos, or in common code in imperative. I am opening this issue in imperative since the misbehavior applies to multiple products.

The configuration file contains the following profiles:

{
    "$schema": "./zowe.schema.json",
    "profiles": {
        "zosmf-lab": {
            "type": "zosmf",
            "properties": {
                "basePath": "/ibmzosmf/api/v1"
            }
        },
        "zosmf-dev": {
            "type": "zosmf",
            "properties": {
                "host": "Your.direct.host.name",
                "rejectUnauthorized": true,
                "port": 443
            },
            "secure": [
                "user",
                "password"
            ]
        },
        "base": {
            "type": "base",
            "properties": {
                "host": "Your.apiml.host.name",
                "port": 7554,
                "rejectUnauthorized": true,
                "tokenType": "apimlAuthenticationToken"
            },
            "secure": [
                "tokenValue"
            ]
        }
    },
    "defaults": {
        "zosmf": "zosmf-lab",
        "base": "base"
    },
    "autoStore": true
}

Zowe Explorer behavior

The error occurs when you login to APIML (but do not actually perform any action on a profile controlled by APIML), then login to a direct-to-service profile. The following sequence recreates the error:

• Remove secure Zowe/secure_config_props from Windows Credential Manager
• Control-Shift-P, Zowe Explorer: Refresh Zowe Explorer
• Right-Click APIML profile (zosmf-lab)
  • Select “Log in to Authentication Service”
  • Enter user and password
  • Take no further action with the APIML profile (zosmf-lab)
• Click the direct-to-service (zosmf-dev) profile's expand-contract-icon
  • Enter user and password
• Click the direct-to-service (zosmf-dev) magnifying glass icon
  • Enter dataset pattern
  • Press ENTER
  • You get the error:

    Your connection is no longer active. Please log in to an authentication service to restore the connection
    

  • Expected behavior:
    • The user and password for the direct service are used and datasets are displayed.
    • Or, at least an error message telling you a corrective action that you can take which will resolve the error. The current instructions do not fix the problem.

Zowe CLI behavior

With the same config, you get comparable results by taking the following actions.

• Remove secure Zowe/secure_config_props from Windows Credential Manager
• Run the command zowe auth login apiml
  • Answer the prompts and complete a successful APIML login.
• Run a command against the direct service: zowe zos-files list data-set "SYS1.PARMLIB*" --zosmf-p zosmf-dev
  • You get the following error:

    Command Error:
    This operation requires authentication.
    
    z/OSMF REST API Error:
    Rest API failure with HTTP(S) status 401
    
    Host:      Your.direct.host.name
    Port:      443
    Base Path:
    Resource:  /zosmf/restfiles/ds?dslevel=SYS1.PARMLIB*
    Request:   GET
    Headers:   [{"Accept-Encoding":"gzip"},{"X-IBM-Max-Items":"0"},{"X-CSRF-ZOSMF-HEADER":true}]
    Payload:   GET
    
    Error Details:
    Token is not valid or expired.
    

  • Expected behavior:
    • The user is prompted for the missing user name and password for the direct service profile and datasets are displayed.
    • Or, at least an error message telling you a corrective action that you can take which will resolve the error. The current error implies that your token is bad, but you should not use an APIML token for the direct service.

[t1m0thyj]

In Zowe CLI, the error details have been improved to say:

Token type "apimlAuthenticationToken" requires base path to be defined.

You must either connect with username and password or provide a base path.

In Zowe Explorer, this was fixed in zowe/zowe-explorer-vscode#2328
The new behavior is: "The user and password for the direct service are used and datasets are displayed."

Question: Should we make Zowe CLI and Explorer behave consistently for this case? Or is this issue good to close?

[t1m0thyj]

Closing for now. There are already a number of differences in behavior between CLI and ZE that are documented here: https://github.com/zowe/zowe-cli/blob/master/docs/How_config_files_are_merged.md