Closed dennygee closed 2 years ago
@dennygee Which of the two services is setting SAP_JWT_TRUST_ACL?
Additionally, it would be meaningful to understand a bit better how the first message "Error in offline validation of access token: JWT is expired, result code 5" is generated. To this end, it would be useful if your client application could log the JWT. You can then decode the JWT and look at the exp claim, which encodes the expiration date.
From the error message, it seems that your application is sending an expired JWT. It would be useful to understand if this is indeed the case.
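Decoding the exp claim as suggested above, as an added example (not code from this thread or from sap-xssec): it reads the payload without verifying the signature, so it is a diagnostic and not a validation step, and it returns only selected claims so the bearer token itself never has to be written to a log. The `cid`/`zid` claim names, the constructed sample token, and treating the log timestamp as UTC are assumptions.

```python
import base64
import json
from datetime import datetime, timezone


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def describe_expiry(token: str, now: datetime, leeway_s: int = 0) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)
    and report how the exp claim relates to the reference time `now`."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        raise ValueError("exp claim missing or not numeric")
    remaining = exp - now.timestamp()
    return {
        "exp": int(exp),
        "exp_utc": datetime.fromtimestamp(exp, tz=timezone.utc).isoformat(),
        "seconds_remaining": int(remaining),
        "expired": remaining + leeway_s <= 0,
        # Identifiers only; the signature segment is never returned or logged.
        "client": claims.get("cid"),  # assumed claim name for the client id
        "zone": claims.get("zid"),    # assumed claim name for the identity zone
    }


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for the demo (dummy signature)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    # exp value taken from the log line in this thread; other claims are constructed.
    token = make_sample_token({"exp": 1602608469, "cid": "sb-demo", "zid": "demo-zone"})
    # Assumption: the log timestamp "Oct 13, 2020 @ 12:00:03" is UTC.
    at_log_time = datetime(2020, 10, 13, 12, 0, 3, tzinfo=timezone.utc)
    print(describe_expiry(token, at_log_time))
```

Comparing `seconds_remaining` computed on the client host with the same figure computed on the validating host shows whether the two clocks disagree.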
Hi Michael,
Thanks for the comment.
SAP_JWT_TRUST_ACL.
Hi Michael,
Below are the logs where we get the "token expired error"
Oct 13, 2020 @ 12:00:03.162 | ca-api-core-integration | ea740b64-747d-448d-52db-f51fe7d0f784 | DEBUG | sap.xssec.security_context | Application received a token with exp: 1602608469
Oct 13, 2020 @ 12:00:03.286 | ca-api-core-integration | 1c56a5a3-1082-4848-7440-cbdc5821a05e | WARNING | sap.xssec.security_context | Warning: Could not validate key: Error in offline validation of access token: JWT is expired, result code 5 Will retry with configured key.
So if you observe the line "Application received a token with exp: 1602608469" here, when I convert the exp time using epoch, I can still see that the token is still valid, but it says "JWT expired". Can you give your points here?
Very interesting.
Can you enable debug logging for the sapjwt library? As per https://github.com/SAP-samples/cloud-sapjwt#error-situations you can use the following environment variables:
SAP_EXT_TRC=stdout
SAP_EXT_TRL=3
Hi Michael,
Let me drop you an email for the logs we retrieved (as they might contain sensitive data to be displayed here).
Hi Team,
We have a client application that intermittently encountered OAuth failure for one particular API service when we run a scheduled job. Let me describe.
SAP_JWT_TRUST_ACL environment variable for identityzone and clientid.
What we observed:
These logs appeared during the failure of API Service 2:
Questions:
SAP_JWT_TRUST_ACL. Each endpoint does nothing but call the library authentication method and return an "OK" response. Is there some "cached" setting internally that is triggered by this variable?
We do not think this is a problem with the XSUAA service because, if it was related to the service, then we expect that both API calls would have failed. Here, we really seek your help to troubleshoot this issue. We have customers who faced this intermittent issue as well, and initially we also classified it as a corner case, but as we onboard more customers, we are starting to see the reported problem more frequently, which is why we are running a troubleshooting session now and we have to report back to the customers.
Thank you.