Open marcogreiveldinger opened 1 year ago
Hi, no, I don't have any idea what happens, but let me look at this to find out.
Here is the complete error:
jvm 1 | 2023-02-17 13:15:00,354 ERROR [qtp2084854285-54] p.c.g.a.k.c.g.a.k.KeycloakPlugin:127 [plugin-cd.go.authorization.keycloak] - Error while executing request go.cd.authorization.authenticate-user
jvm 1 | java.lang.RuntimeException: Api call to `/auth/realms/master/protocol/openid-connect/userinfo` failed with error: `{"error":"invalid_token","error_description":"Token verification failed"}`
jvm 1 | at cd.go.authorization.keycloak.KeycloakApiClient.executeRequest(KeycloakApiClient.java:149)
jvm 1 | at cd.go.authorization.keycloak.KeycloakApiClient.userProfile(KeycloakApiClient.java:135)
jvm 1 | at cd.go.authorization.keycloak.executors.UserAuthenticationRequestExecutor.execute(UserAuthenticationRequestExecutor.java:59)
jvm 1 | at cd.go.authorization.keycloak.requests.Request.execute(Request.java:47)
jvm 1 | at cd.go.authorization.keycloak.KeycloakPlugin.handle(KeycloakPlugin.java:71)
jvm 1 | at com.thoughtworks.go.plugin.infra.DefaultPluginManager.lambda$submitTo$0(DefaultPluginManager.java:134)
jvm 1 | at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.executeActionOnTheService(FelixGoPluginOSGiFramework.java:208)
jvm 1 | at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.doOn(FelixGoPluginOSGiFramework.java:164)
jvm 1 | at com.thoughtworks.go.plugin.infra.DefaultPluginManager.submitTo(DefaultPluginManager.java:131)
jvm 1 | at com.thoughtworks.go.plugin.access.PluginRequestHelper.submitRequest(PluginRequestHelper.java:49)
jvm 1 | at com.thoughtworks.go.plugin.access.authorization.AuthorizationExtension.authenticateUser(AuthorizationExtension.java:260)
jvm 1 | at com.thoughtworks.go.server.newsecurity.providers.WebBasedPluginAuthenticationProvider.authenticateWithExtension(WebBasedPluginAuthenticationProvider.java:80)
jvm 1 | at com.thoughtworks.go.server.newsecurity.providers.WebBasedPluginAuthenticationProvider.authenticateWithExtension(WebBasedPluginAuthenticationProvider.java:41)
The token is not valid to request the userinfo endpoint; I will see why this happens.
Unfortunately the gocd API does not provide a way to use refresh_token, and this error happens when the access_token has expired and can't use the userinfo endpoint. You need to align the Access Token Lifespan and SSO Session Idle with the session of gocd.
The gocd session is about 1 hour; here I set the Access Token Lifespan to 1h and SSO Session Idle to 2h.
Look at this configuration of gocd: -Dgo.security.reauthentication.interval
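Added example, not part of the thread or of the plugin's code: a diagnostic check of the alignment described above, comparing an access token's lifespan (its `iat` and `exp` claims) with the GoCD re-authentication interval. The function names, the sample token and the 3600-second interval are assumptions made for illustration, and the interval is passed in seconds regardless of how GoCD itself expects it.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_alignment(jwt, reauth_interval_s, now=None):
    claims = token_claims(jwt)
    iat, exp = int(claims["iat"]), int(claims["exp"])
    now = time.time() if now is None else now
    return {
        "lifespan_s": exp - iat,
        "expired": now >= exp,
        # Assumption taken from the thread: the token issued at login is
        # reused for userinfo at re-authentication, so it must outlive
        # the re-authentication interval.
        "covers_reauth": (exp - iat) >= reauth_interval_s,
    }


def make_sample_token(iat, lifespan_s):
    """Constructed, unsigned sample token (not a real Keycloak token)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"iat": iat, "exp": iat + lifespan_s}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "constructed"])


if __name__ == "__main__":
    REAUTH_S = 3600  # hypothetical; substitute your own GoCD interval in seconds
    login = 1_700_000_000  # constructed login time
    for lifespan in (300, 3600):
        tok = make_sample_token(login, lifespan)
        print(lifespan, check_alignment(tok, REAUTH_S, now=login + REAUTH_S - 1))
```

A result with `covers_reauth` false means the token will already be expired when GoCD next calls the userinfo endpoint, which is the `invalid_token` failure in the stack trace above.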
Thanks for investigating and the proposals! So would that be a feature request for the gocd project in your opinion?
Hi there, I have the plugin configured to use keycloak as IDP. Now after the max. session timeout I am getting the error at the frontend: Unable to re-authenticate user after timeout. Similar to issue #1, I also increased the Access Token Lifespan, but this just mitigates the problem to a later point in time...
The first line in the logs bothers me a bit... failed with error ''. It shows an empty error. Do you have any idea how to find out what the problem could be? I have the Keycloak as a working IDP, for example, also configured in my grafana instance, and the userinfo endpoint works perfectly.
I am using GoCD 20.3.0 and the latest plugin version available.
The following can be found in the logs: