SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Performance: ELK logs full of "Jwt token with audience ... is not issued for these clientIds: ..." if multiple #346

Closed patrickmhaller closed 4 years ago

patrickmhaller commented 4 years ago

Hi Team,

we do have multiple (two) XSUAA instances to verify inbound JWTs with, hence two XsuaaAudienceValidators with different configuration:

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.oauth2.jwt.JwtDecoder;
    import com.sap.cloud.security.xsuaa.token.authentication.XsuaaAudienceValidator;
    import com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoderBuilder;

    @Bean
    public JwtDecoder getJwtDecoder()
    {
        // Credentials of the second (API) XSUAA binding; UaaCredentials is the application's own type.
        UaaCredentials xxxApiUaaCredentials = xxxApiUaaCredentials();

        // Audience validator for the first XSUAA instance, extended with the second instance's
        // xsappname/clientId so tokens issued for either binding are accepted.
        XsuaaAudienceValidator audienceValidator = new XsuaaAudienceValidator(xxxUaaConfig());
        audienceValidator.configureAnotherXsuaaInstance(xxxApiUaaCredentials.getXsAppName(),
                                                        xxxApiUaaCredentials.getClientId());
        // The builder combines this validator with its own default validators (CombiningValidator).
        return new XsuaaJwtDecoderBuilder(xxxUaaConfig()).withTokenValidators(audienceValidator).build();
    }

Hence, we get

  1. JwtAudienceValidator with clientIds = [sb-xxx-api-sandbox123!b108, xxx-api-sandbox123!b108]
  2. JwtAudienceValidator with clientIds = [sb-xxx-sandbox123!t108, xxx-sandbox123!t108]

The mechanism via AuthTokenDecoder.decodeAndValidate() -> CombiningValidator -> JwtAudienceValidator looks functionally correct, but if the wrong validator is hit first, it always records a warning to ELK via ValidationResults.createInvalid() in any case.

In the context of multiple UAAs, could either this particular logging case be relaxed or the algorithm changed to avoid the log flood?

Thanks, Patrick
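The combining behaviour described above, modelled as an added example (not code from the library or from the poster): several audience checks run with any-one-passes semantics, and only the combined failure is logged, so a token issued for the second instance no longer triggers a warning when the first instance's check rejects it. `AudienceCheck`, `validateAny` and the sample claims are hypothetical; the client ids are the placeholder values from the issue.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

// Minimal model of the decode path: CombiningValidator -> one audience check per XSUAA instance.
public class AudienceValidationDemo {
    private static final Logger LOG = Logger.getLogger(AudienceValidationDemo.class.getName());

    /** One XSUAA instance's audience check (hypothetical stand-in for JwtAudienceValidator). */
    static final class AudienceCheck {
        final List<String> clientIds;
        AudienceCheck(String... clientIds) { this.clientIds = Arrays.asList(clientIds); }

        /** Accepts if the token's cid or any aud entry matches a configured client id. */
        boolean accepts(Map<String, Object> claims) {
            Object cid = claims.get("cid");
            if (cid != null && clientIds.contains(cid.toString())) return true;
            Object aud = claims.get("aud");
            if (aud instanceof List) {
                for (Object a : (List<?>) aud) if (clientIds.contains(a.toString())) return true;
            }
            return false;
        }
    }

    /** Runs every check; warns only when all of them reject the token. */
    static boolean validateAny(Map<String, Object> claims, List<AudienceCheck> checks) {
        for (AudienceCheck c : checks) {
            if (c.accepts(claims)) return true;
        }
        LOG.warning("Jwt token with audience " + claims.get("aud")
                + " is not issued for any configured clientIds");
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample claims for a token issued by the API (second) XSUAA instance.
        Map<String, Object> claims = Map.of(
                "cid", "sb-xxx-api-sandbox123!b108",
                "aud", List.of("xxx-api-sandbox123!b108"));
        List<AudienceCheck> checks = List.of(
                new AudienceCheck("sb-xxx-sandbox123!t108", "xxx-sandbox123!t108"),          // rejects
                new AudienceCheck("sb-xxx-api-sandbox123!b108", "xxx-api-sandbox123!b108"));  // accepts
        System.out.println("accepted=" + validateAny(claims, checks));
    }
}
```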

nenaraab commented 4 years ago

Hi @patrickmhaller,

have you followed this guide: https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/spring-xsuaa/Migration_JavaContainerSecurityProjects.md#multiple-xsuaa-bindings

Then I'm not sure whether there is an easy fix, because you always have two sets of validators.

Can you please share with us which xsuaa plans you make use of, and whether you are already productive or not.

Thanks!

nenaraab commented 4 years ago

Question whether this is related to this cloud sdk issue: https://github.wdf.sap.corp/MA/sdk/issues/3706

TanviiG commented 4 years ago

Hi Nena,

We (cloud SDK team) would like to get some insights related to the issue. Following are the questions:

Regards, Tanvi

nenaraab commented 4 years ago

Hi @TanviiG

nenaraab commented 4 years ago

Removing the "bug" flag, as multiple XsuaaAudienceValidators should never exist. We had a similar issue when one application was bound to two xsuaa instances of the same type (e.g. application). This is not supported.

nenaraab commented 4 years ago

The ticket is in status "Author Action" without any activity for 14 days or longer. Thus, closing the ticket. Please reopen if the issue is still relevant.