Closed alex-tw-lam closed 3 years ago
Hi @alex-tw-lam
For passcode authentication flow, are you referring to MFA/SSO? If I recall correctly, apigee auth get-access-token is just for testing purposes and doesn't actually write to ~/.apigee/access_token. It generates an access token that you can use for other tools but isn't used by other commands to access the admin API. MFA authentication should automatically create a new token when expired, whereas SSO authentication should redirect your browser to the login page. These methods should automatically update the ~/.apigee/access_token file.
You should be able to run the following commands to quickly set up either MFA or SSO authentication for the default profile:
MFA:
apigee configure -P default -u MY_EMAIL -p MY_PASS -o MY_ORG -mfa MY_KEY -z '' --no-token --prefix ''
SSO:
apigee configure -P default -u MY_EMAIL -p none -o MY_ORG -mfa '' -z MY_ZONENAME --no-token --prefix ''
Let me know if this clears anything up. If it doesn't then it would be helpful if you could provide some details on how I could replicate your issue. I'm always on the lookout for new bugs : )
Also, just a bit of context: our organizations only use SSO authentication, so any bugs related to SSO would be highly appreciated. I believe basic authentication is fine, but we haven't used MFA authentication ever since we moved to SSO. So there might be some issues related to MFA auth I'm not aware of.
I was referring to SAML SSO. It does the browser redirection for the first time, but does not redirect when the token is expired. I guess it's because the access token file already exists. So I took the token generated from get-access-token and manually updated the file.
Alex
From: mdelotavo @.> Sent: Saturday, August 7, 2021 3:00:57 PM To: mdelotavo/apigee-cli @.> Cc: Alex Lam @.>; Mention @.> Subject: [EXTERNAL] Re: [mdelotavo/apigee-cli] token expiry (#3)
@alex-tw-lam ohh ok. The fact that the browser redirection works the first time is a good sign. The expected behaviour when the token expires is that the browser should redirect you again. If this is not happening, then I think I can narrow down the cause of the issue. Firstly, when you attempt to log in, are there any error messages (~/.apigee/exception.log might have logged something)? If there is an issue with SSO, the CLI will probably display an error message that might help with debugging. If there are no error messages, I might be able to figure it out if you can send me some console output of your testing that demonstrates possible issues with the SSO login.
The expected behaviour when the token expires is that the browser should redirect you again. If this is not happening, then I think I can narrow down the cause of the issue.
The browser redirection didn't happen. I was running on a Mac and here is the output.
> apigee apis list
An exception of type jwt.api_jwt.ExpiredSignatureError occurred. Arguments:
Signature has expired
> cat ~/.apigee/exception.log
2021-08-13 10:09:29,233 - root - ERROR - Exception occurred
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/apigee/exceptions.py", line 23, in wrapper
result = func(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/apigee/__main__.py", line 118, in main
cli(prog_name=CMD, obj={})
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 764, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1137, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1137, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/apigee/apis/commands.py", line 210, in list
console.echo(_list_api_proxies(*args, **kwargs))
File "/usr/local/lib/python3.9/site-packages/apigee/apis/commands.py", line 197, in _list_api_proxies
return Apis(gen_auth(username, password, mfa_secret, token, zonename), org).list_api_proxies(
File "/usr/local/lib/python3.9/site-packages/apigee/apis/apis.py", line 144, in list_api_proxies
hdrs = auth.set_header(self._auth, headers={'Accept': 'application/json'})
File "/usr/local/lib/python3.9/site-packages/apigee/auth.py", line 293, in set_header
decoded = jwt.decode(
File "/Users/lamtowa/Library/Python/3.9/lib/python/site-packages/jwt/api_jwt.py", line 104, in decode
self._validate_claims(payload, merged_options, **kwargs)
File "/Users/lamtowa/Library/Python/3.9/lib/python/site-packages/jwt/api_jwt.py", line 134, in _validate_claims
self._validate_exp(payload, now, leeway)
File "/Users/lamtowa/Library/Python/3.9/lib/python/site-packages/jwt/api_jwt.py", line 175, in _validate_exp
raise ExpiredSignatureError('Signature has expired')
jwt.exceptions.ExpiredSignatureError: Signature has expired
Ah, I see. The log confirms that I probably need to check the PyJWT expiration time verification option. I'll have to release a quick patch for that. I'll let you know once it's up : )
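One way to avoid the unhandled ExpiredSignatureError in the traceback above, as an added example that is not the CLI's code or the fix that was later released: read the exp claim of the cached token and decide whether to start the login flow again. The function names, the 30-second leeway and the sample tokens are assumptions constructed here, and it uses only the standard library rather than PyJWT.

```python
import base64
import json
import time

LEEWAY_SECONDS = 30  # assumed safety margin, not a value taken from the CLI


def jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Acceptable only for judging the freshness of the client's own cached token;
    the server that receives the token must still verify it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def needs_reauth(token, now=None, leeway=LEEWAY_SECONDS):
    """True when the cached token is missing, malformed, or at/near expiry."""
    if not token:
        return True
    now = time.time() if now is None else now
    try:
        exp = jwt_claims(token).get("exp")
    except ValueError:  # also covers bad base64, bad UTF-8 and bad JSON
        return True
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return True  # no usable expiry: treat as stale rather than trust it
    return now >= exp - leeway


def constructed_token(exp):
    """Build an unsigned sample token (constructed for this example)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"exp": exp}), "c2ln"])


if __name__ == "__main__":
    now = 1628849369  # constructed clock value
    for label, exp in (("expired", now - 60), ("fresh", now + 3600)):
        print(label, "-> re-authenticate:", needs_reauth(constructed_token(exp), now))
```

A caller would run the browser login whenever needs_reauth returns True, instead of letting the decode error reach the user.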
Hi @alex-tw-lam, sorry for the wait. I pushed a small fix in the latest version of the CLI. Let me know if it helps. I am unable to replicate your issue from my local machine so I can't be too sure...
It's working as expected. A browser popped up bringing me to the passcode endpoint. Thanks, @@.***>!
From: mdelotavo @.> Sent: 16 August 2021 14:24 To: mdelotavo/apigee-cli @.> Cc: Alex Lam @.>; Mention @.> Subject: [EXTERNAL] Re: [mdelotavo/apigee-cli] token expiry (#3)
Awesome. Thanks for bringing the issue to my attention. Hopefully, it stays fixed.
I was using the passcode authentication flow and encountered the following:
apigee auth get-access-token doesn't automatically write to ~/.apigee/access_token. A manual update is required.