Not Authenticated Error from Broker in IDS testbed: reason=https://w3id.org/idsa/code/NOT_AUTHENTICATED

[parwinderau]

Dear Team,

I am using the IDS testbed for education and research purposes. After docker-compose-up, I am not able to register the connector over broker and receiving the error response -- https://w3id.org/idsa/code/NOT_AUTHENTICATED . Could you please help? Steps executed:

• git clone https://github.com/International-Data-Spaces-Association/IDS-testbed.git
  • Fixed the docker-compose.yml for versioning
  • Fixed the ngnix.conf for omejdn service failing to instantiate
  • Did the connector A related Pre-configuration request from Postman successfully.
  • All certificates used default.
  • Request from Postman:

{{DSC-Provider-URL}}/api/ids/connector/update?recipient={{BROKER}}

Response received over Postman: { "details": { "reason": { "properties": null, "@id": "https://w3id.org/idsa/code/NOT_AUTHENTICATED" }, "payload": "Error verifying token.", "type": "de.fraunhofer.iais.eis.RejectionMessageImpl" }, "message": "Received unexpected response message." }

============================================================

azureuser@IDSConnector:~/IDS-testbed$ docker-compose ps

============Status of dockers=========================================== Name Command State Ports

broker-core /run.sh Up 8080/tcp broker-fuseki /docker-entrypoint.sh /jen ... Up 3030/tcp broker-reverseproxy /docker-entrypoint.sh ngin ... Up 0.0.0.0:444->443/tcp,:::444->443/tcp, 0.0.0.0:81->80/tcp,:::81->80/tcp connectora java org.springframework.b ... Up 29292/tcp, 0.0.0.0:8080->8080/tcp,:::8080->8080/tcp connectorb java org.springframework.b ... Up 29292/tcp, 8080/tcp, 0.0.0.0:8081->8081/tcp,:::8081->8081/tcp omejdn /docker-entrypoint.sh ngin ... Up 0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:80->80/tcp,:::80->80/tcp omejdn-server ruby omejdn.rb Up 4567/tcp omejdn-ui /bin/bash ./docker-entrypo ... Up 80/tcp postgresa-container docker-entrypoint.sh postgres Up 0.0.0.0:5432->5432/tcp,:::5432->5432/tcp postgresb-container docker-entrypoint.sh postgres Up 0.0.0.0:5433->5432/tcp,:::5433->5432/tcp

====================================================================== connectora | 2024-04-23T10:09:55,640 [https-jsse-nio-8080-exec-5] INFO - Initializing Servlet 'dispatcherServlet' connectora | 2024-04-23T10:09:55,647 [https-jsse-nio-8080-exec-5] INFO - Completed initialization in 5 ms connectorb | 2024-04-23T10:10:44,258 [scheduling-1] INFO - Scanning agreements... connectora | 2024-04-23T10:10:44,678 [scheduling-1] INFO - Scanning agreements... omejdn-server | 172.23.0.3 - - [23/Apr/2024:10:11:30 +0000] "POST /token HTTP/1.1" 200 1625 0.0143 omejdn | 172.23.0.11 - - [23/Apr/2024:10:11:30 +0000] "POST /auth/token HTTP/1.1" 200 1625 "-" "okhttp/4.10.0" "-" connectora | 2024-04-23T10:11:30,923 [https-jsse-nio-8080-exec-7] INFO - Successfully received DAT from DAPS. [code=(IMSCOI0054)] connectora | 2024-04-23T10:11:31,180 [https-jsse-nio-8080-exec-7] INFO - Successfully loaded Keystore. [code=(IMSCOI0049)] connectora | 2024-04-23T10:11:31,308 [https-jsse-nio-8080-exec-7] INFO - Successfully loaded Truststore. [code=(IMSCOI0049)] connectora | 2024-04-23T10:11:31,339 [https-jsse-nio-8080-exec-7] INFO - Using cached DAPS DAT. [expiration=(2024-04-23T11:11:30.000+0000), code=(IMSCOI0053)] connectora | 2024-04-23T10:11:31,562 [https-jsse-nio-8080-exec-7] INFO - Sending request to https://broker-reverseproxy/infrastructure ... [code=(IMSMEI0065)] broker-core | Apr 23, 2024 10:11:32 AM org.apache.catalina.core.ApplicationContext log broker-core | INFO: Initializing Spring DispatcherServlet 'dispatcherServlet' broker-core | 10:11:32.168 [http-nio-8080-exec-1] INFO org.springframework.web.servlet.DispatcherServlet - Initializing Servlet 'dispatcherServlet' broker-core | 10:11:32.190 [http-nio-8080-exec-1] INFO org.springframework.web.servlet.DispatcherServlet - Completed initialization in 21 ms omejdn-server | 172.23.0.3 - - [23/Apr/2024:10:11:37 +0000] "POST /token HTTP/1.1" 200 1620 0.0135 omejdn | 172.23.0.7 - - [23/Apr/2024:10:11:37 +0000] "POST /auth/token HTTP/1.1" 200 1620 "-" "okhttp/3.12.1" "-" broker-reverseproxy | 172.23.0.11 - - [23/Apr/2024:10:11:39 +0000] "POST /infrastructure HTTP/1.1" 200 2968 "-" "okhttp/4.10.0" connectora | 2024-04-23T10:11:39,997 [https-jsse-nio-8080-exec-7] INFO - Successfully received response to request. [code=(IMSMEI0067)] connectora | 2024-04-23T10:11:40,036 [https-jsse-nio-8080-exec-7] INFO - Initializing SHACL shapes. connectora | 2024-04-23T10:11:40,038 [https-jsse-nio-8080-exec-7] INFO - Loading SHACL shapes from resources. You can optionally download the latest shapes from GitHub. connectora | 2024-04-23T10:11:42,402 [https-jsse-nio-8080-exec-7] INFO - Loading ontology from resources connectora | 2024-04-23T10:11:42,607 [https-jsse-nio-8080-exec-7] INFO - Initialization of SHACL shapes complete. connectora | 2024-04-23T10:11:42,710 [https-jsse-nio-8080-exec-7] INFO - Successfully passed SHACL-Validation. [code=(IMSMEI0064)] connectora | 2024-04-23T10:11:42,816 [https-jsse-nio-8080-exec-7] DEBUG - Received unexpected response message. [response=({reason=https://w3id.org/idsa/code/NOT_AUTHENTICATED, payload=Error verifying token., type=class de.fraunhofer.iais.eis.RejectionMessageImpl})] connectorb | 2024-04-23T10:11:44,262 [scheduling-1] INFO - Scanning agreements... connectora | 2024-04-23T10:11:44,681 [scheduling-1] INFO - Scanning agreements... connectorb | 2024-04-23T10:12:44,267 [scheduling-1] INFO - Scanning agreements... connectora | 2024-04-23T10:12:4

[jfernandezsqs]

Dear @parwinderau,

Please, verify that all components are up and running and that there is no exit code at deployment when executing the docker-compose.yml file.

Please, try to execute the Postman call Validating Preconfigured Setup: Interaction between Connectors to check connector to connector interoperability, so that it can be checked if it is a problem with the Metadata Broker or indeed is there something wrong with the deployment of the DAPS. In case of error, looking at the logs between connectors will give you more information about the reason of the failure.

Could you please detail the environment in which you are encountering this issue? Could you please share the docker-compose.yml and the nginx.conf for omejdn service fixes you have made?

[parwinderau]

I found that variable ${OMEJDN_PATH} is creating issue sometime. So I have substituted directly the values. I fixed it and now it is running fine.

Here is the final version of ngnix.conf which I fixed in my case:

server { listen 443 ssl default_server; listen [::]:443 ssl default_server ; server_name ${OMEJDN_DOMAIN};

ssl_certificate /etc/nginx/daps.cert; ssl_certificate_key /etc/nginx/daps.key;

proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https;

Proxy to Omejdn

location /auth {

location /auth {

rewrite ${OMEJDN_PATH}/(.*) /$1 break;

rewrite /auth/(.*) /$1  break;
proxy_pass         http://omejdn-server:4567;
proxy_redirect     off;

}

Proxy to the Admin UI

location /${UI_PATH} {

location / {

rewrite ${UI_PATH}/(.*) /$1 break;

rewrite /(.*) /$1  break;
proxy_pass         http://omejdn-ui;
proxy_redirect     off;

}

Well-Known URIs

location /.well-known {

RFC 8414 style metadata document and compatibility backup

 ###### rewrite /\.well-known/oauth-authorization-server${OMEJDN_PATH} ${OMEJDN_PATH}/.well-known/oauth-authorization-server last;
 ######rewrite /\.well-known/openid-configuration${OMEJDN_PATH}       ${OMEJDN_PATH}/.well-known/openid-configuration       last;
 ######rewrite /\.well-known/jwks.json                                ${OMEJDN_PATH}/jwks.json                              last;
rewrite /\.well-known/oauth-authorization-server/auth /auth/.well-known/oauth-authorization-server last;
rewrite /\.well-known/openid-configuration/auth       /auth/.well-known/openid-configuration       last;
rewrite /\.well-known/jwks.json                                /auth/jwks.json                              last;

Webfinger

rewrite /.well-known/webfinger ${OMEJDN_PATH}/.well-known/webfinger last;

rewrite /\.well-known/webfinger                                /auth/.well-known/webfinger                  last;

} }

Redirect Legacy HTTP Traffic

server { listen 80 default_server; listen [::]:80 default_server; servername ; return 301 https://$host$request_uri; }

And the docker-compose.yml

---

version: '3.0' services: omejdn: image: nginx:1.25.3 container_name: omejdn ports:

• 80:80
• 443:443
  environment:
• OMEJDN_DOMAIN=${OMEJDN_DOMAIN}
• OMEJDN_PATH=${OMEJDN_PATH}
• UI_PATH=${UI_PATH} volumes:
• ./DAPS/nginx.conf:/etc/nginx/templates/default.conf.template
• ./DAPS/keys/TLS/daps.cert:/etc/nginx/daps.cert
• ./DAPS/keys/TLS/daps.key:/etc/nginx/daps.key networks:

• local

  omejdn-server: image: ghcr.io/fraunhofer-aisec/omejdn-server:${OMEJDN_VERSION} container_name: omejdn-server environment:

• OMEJDN_ISSUER=${OMEJDN_ISSUER}
• OMEJDN_FRONT_URL=${OMEJDN_ISSUER}
• OMEJDN_OPENID=true
• OMEJDN_ENVIRONMENT=${OMEJDN_ENVIRONMENT}
• OMEJDN_ACCEPT_AUDIENCE=idsc:IDS_CONNECTORS_ALL
• OMEJDN_DEFAULT_AUDIENCE=idsc:IDS_CONNECTORS_ALL
• OMEJDN_ADMIN=${ADMIN_USERNAME}:${ADMIN_PASSWORD} volumes:
• ./DAPS/config:/opt/config
• ./DAPS/keys:/opt/keys networks:

• local

  omejdn-ui: image: ghcr.io/fraunhofer-aisec/omejdn-ui:${UI_VERSION} container_name: omejdn-ui environment:

• OIDC_ISSUER=${OMEJDN_ISSUER}
• API_URL=${OMEJDN_ISSUER}/api/v1
• CLIENT_ID=adminUI networks:

• local

  Add the PostgreSQL container to be used by DataspaceConnectorA and DataspaceConnectorB

  postgresa: image: postgres:13 container_name: 'postgresa-container' ports:

• "5432:5432" environment:
• POSTGRES_USER=postgresusera
• POSTGRES_PASSWORD=password
• POSTGRES_DB=connectoradb volumes:
• connector-dataa:/var/lib/postgresql/data networks:

• local

  postgresb: image: postgres:13 container_name: 'postgresb-container' ports:

• "5433:5432" environment:
• POSTGRES_USER=postgresuserb
• POSTGRES_PASSWORD=password
• POSTGRES_DB=connectorbdb volumes:
• connector-datab:/var/lib/postgresql/data networks:

• local

  connectora: image: ghcr.io/international-data-spaces-association/dataspace-connector:8.0.2 container_name: connectora ports:

• 8080:8080 environment:
• CONFIGURATION_PATH=/config/config.json
• DAPS_URL=https://omejdn
• DAPS_TOKEN_URL=https://omejdn/auth/token
• DAPS_KEY_URL=https://omejdn/auth/jwks.json
• DAPS_INCOMING_DAT_DEFAULT_WELLKNOWN=/jwks.json
• SERVER_SSL_KEY-STORE=file:///conf/connectorA.p12

  Define the PostgreSQL setup

• SPRING_DATASOURCE_URL=jdbc:postgresql://postgresa:5432/connectoradb
• SPRING_DATASOURCE_PLATFORM=postgres
• SPRING_DATASOURCE_DRIVERCLASSNAME=org.postgresql.Driver
• SPRING_DATASOURCE_USERNAME=postgresusera
• SPRING_DATASOURCE_PASSWORD=password
• SPRING_JPA_DATABASE_PLATFORM=org.hibernate.dialect.PostgreSQLDialect volumes:
• ./DataspaceConnectorA/conf/config.json:/config/config.json
• ./DataspaceConnectorA/conf/connectorA.p12:/conf/connectorA.p12
• ./DataspaceConnectorA/conf/truststore.p12:/config/truststore.p12 networks:
• local depends_on:

• postgresa

  connectorb: image: ghcr.io/international-data-spaces-association/dataspace-connector:8.0.2 container_name: connectorb ports:

• 8081:8081 environment:
• CONFIGURATION_PATH=/config/config.json
• SERVER_PORT=8081
• DAPS_URL=https://omejdn
• DAPS_TOKEN_URL=https://omejdn/auth/token
• DAPS_KEY_URL=https://omejdn/auth/jwks.json
• DAPS_INCOMING_DAT_DEFAULT_WELLKNOWN=/jwks.json
• SERVER_SSL_KEY-STORE=file:///conf/connectorB.p12

  Define the PostgreSQL setup

• SPRING_DATASOURCE_URL=jdbc:postgresql://postgresb:5432/connectorbdb
• SPRING_DATASOURCE_USERNAME=postgresuserb
• SPRING_DATASOURCE_PASSWORD=password
• SPRING_DATASOURCE_PLATFORM=postgres
• SPRING_DATASOURCE_DRIVERCLASSNAME=org.postgresql.Driver
• SPRING_JPA_DATABASE_PLATFORM=org.hibernate.dialect.PostgreSQLDialect volumes:
• ./DataspaceConnectorB/conf/config.json:/config/config.json
• ./DataspaceConnectorB/conf/connectorB.p12:/conf/connectorB.p12
• ./DataspaceConnectorB/conf/truststore.p12:/config/truststore.p12 networks:
• local depends_on:

• postgresb

  broker-reverseproxy: image: registry.gitlab.cc-asp.fraunhofer.de/eis-ids/broker-open/reverseproxy container_name: broker-reverseproxy volumes:

• ./MetadataBroker/server.crt:/etc/cert/server.crt
• ./MetadataBroker/server.key:/etc/cert/server.key ports:
• "444:443" # IDS-HTTP API
• "81:80" networks:

• local

  broker-core: image: idstestbed/metadatabroker-core:5.0.3 container_name: broker-core volumes:

• ./MetadataBroker/isstbroker-keystore.jks:/etc/cert/isstbroker-keystore.jks environment:
• SPARQL_ENDPOINT=http://broker-fuseki:3030/connectorData
• ELASTICSEARCH_HOSTNAME=broker-elasticsearch
• SHACL_VALIDATION=true
• DAPS_VALIDATE_INCOMING=true
• COMPONENT_URI=https://broker-reverseproxy/
• COMPONENT_CATALOGURI=https://broker-reverseproxy/connectors/
• DAPS_URL=https://omejdn/auth/token expose:
• "8080" networks:

• local

  broker-fuseki: image: registry.gitlab.cc-asp.fraunhofer.de/eis-ids/broker-open/fuseki container_name: broker-fuseki volumes:

• broker-fuseki:/fuseki expose:
• "3030" networks:
• local

volumes: broker-fuseki: {} connector-dataa: {} connector-datab: {}

networks: local: driver: bridge

There are some changes related to the Postman also which I can push the changes in repository also, if you wish too.

[jfernandezsqs]

Great to hear that you have solved the issue and thanks for sharing your nginx.conf and the docker-compose.yml files.

Regarding your Postman collection, please share in this open issue the modifications you have made to the IDS-testbed Postman collection.

[jfernandezsqs]

This issue should be fixed with pull request #143. Therefore, I close this issue.