TokenIntrospector in multibox not working [BUG]

[MFAshby]

Describe the bug

Attempting to access a box instance inside multibox using a JWT issued from an external server fails with 401 Unauthorized.

Severity

Major

Steps to reproduce the behavior:

0. Have a server which can issue signed JWTs, e.g. keycloak.
1. Set up a box within a multibox instance
2. Add a TokenIntrospector resource to the box, ensuring the issuer and jwks_uri is set correctly.
3. Add a AccessPolicy to allow access to data for users providing a valid JWT.
4. Obtain an access token from the token server
5. Use the token in Authorization header to access a fhir resource e.g. /fhir/Patient

Expected behaviour: resource can be accessed.

Actual behaviour: 401 Unauthorized error is returned.

I have created a sample notebook reproducing the problem on aidbox.app:

https://aidbox.app/ExportedNotebook/55901d57-a224-4c1a-8bc3-45d0aac336f0

Screenshots

Versions:

• Aidbox image version:

  Hosted version at aidbox.app (selected stable, not edge) Problem is also reproducible with this image:

  # :latest, pinned on 29/03/22
  healthsamurai/multibox@sha256:cb5b3ec62a1b361943917aa666c198380069559ee154fc20b34d99ae321dcbd2

  Additional context

  Client secret available on request if you want to reproduce the issue using our server.

[MFAshby]

Something is missing from this bug report, as this is working in our pre-production environment with an older version

  # Version pinned 17.03.22 from :latest tag (Feb release)
  image = "healthsamurai/multibox@sha256:c723efa4c747de6020194baa11668330909d2a7d5c54ebbc7b97e77a12d49d56"

but using the same version in test still breaks.

[MFAshby]

OK, in my test environment, if I reboot aidbox after creating the TokenIntrospector, then I am able to authenticate with a JWT as expected, so I think there's some caching issue here.

I can produce a minimal reproduction environment if required.

[ApricotLace]

@MFAshby looks like you missed Content-type: text/yaml when creating your AccessPolicy resource.

Please, try reproduce your issue using:

PUT /AccessPolicy/test
Content-Type: text/yaml
Accept: text/yaml

engine: json-schema
schema:
  properties:
    jwt:
      required:
        - iss
      properties:
        iss:
          constant: 'https://keycloak.devstacks.pkb. io/auth/realms/pkb'
  required: jwt

Aidbox drops out request body when you not specify Content-Type header, and as a result you create empty AccessPolicy resource. We're discussing how to fix it.

[ApricotLace]

Also we're working on cache-reset operation.

[MFAshby]

Thanks @ApricotLace.

Now I created the AccessPolicy correctly, I can't reproduce the problem on aidbox.app. Creating / deleting the TokenIntrospector works as expected without any delay. So, this is only happening on multibox with the indicated docker images.

[MFAshby]

@ApricotLace thanks, a cache-reset operation would be extremely useful.

[MFAshby]

Hi @ApricotLace , I've tried the new cache reset api [1], but it's not resolving the problem with token-introspectors. A reboot of multibox container is still required before the token-introspector works as expected.

[1] https://docs.aidbox.app/api-1/cache

[Nesmeshnoy]

Hi @MFAshby, does it still affect you?

[MFAshby]

Hi @Nesmeshnoy , yes, the problem is still occurring.

Tried on latest :edge of multibox, tried clearing the cache with new multibox cache clear API [1] and also the $drop-cache operation [2], and the problem still occurs. Clients with a valid JWT will get a 401 Unauthorized response until I restart the multibox application. After restart, it's working.

[1] https://docs.aidbox.app/multibox/multibox-box-manager-api#multibox-drop-box-caches [2] https://docs.aidbox.app/api-1/cache#drop-cache-operation

[ApricotLace]

Hello, @MFAshby! Could you give us the credentials of a keycloak test client or a long-lived jwt-token with which we could reproduce this behavior?

[MFAshby]

Hi @ApricotLace I can do better, I have pulled out a subset of our test setup code and scripted reproduction of this bug. I hope this helps.

https://github.com/patientsknowbest/aidbox_501_repro

[mput]

@MFAshby Thank you for the setup. I doubt it would be possible for us to reproduce the bug without it.

Fixed version is available starting from healthsamurai/multibox:edge sha256:7bf72b76 , test it yourself please.

[MFAshby]

@mput thanks for getting to this!

I have checked the fix is working in :edge, do you know which next stable release might have this fix?

[Nesmeshnoy]

It will be available on June 2022 - v:2206 latest that will be released at the end of June. This release be promoted to stable after July 2022 - v:2207 latest will be released at the end of July.