ssl-hep / ServiceX

ServiceX - a data delivery service pilot for IRIS-HEP DOMA
BSD 3-Clause "New" or "Revised" License
20 stars 21 forks source link

`app.auth: false` settings doesnt work anymore with BEARER_TOKEN env variable configured in enviroment #874

Open oshadura opened 1 month ago

oshadura commented 1 month ago

While deploying the new release 1.5.1, we would like to disable the authentification with app.auth: false. At the same time in the user environment at the facility we already have defined BEARER_TOKEN (xcache bearer token):

cms-jovyan@jupyter-oksana-2eshadura-40cern-2ech:~$ env | grep BEARER
BEARER_TOKEN_FILE=/etc/cmsaf-secrets-chown/access_token

Looks like with disabled authentification, servicex still tries to pick up wrong token:

ERROR opendataaf-servicex servicex_app Got exception while submitting transformation request
Traceback (most recent call last):
  File "/home/servicex/servicex_app/resources/transformation/submit.py", line 145, in post
    user = self.get_requesting_user()
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 167, in decorator
    verify_jwt_in_request(
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 94, in verify_jwt_in_request
    jwt_data, jwt_header, jwt_location = _decode_jwt_from_request(
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 340, in _decode_jwt_from_request
    decoded_token = decode_token(encoded_token, csrf_token)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/utils.py", line 128, in decode_token
    return jwt_manager._decode_jwt_from_config(encoded_token, csrf_value, allow_expired)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/jwt_manager.py", line 556, in _decode_jwt_from_config
    return _decode_jwt(**kwargs, allow_expired=allow_expired)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/tokens.py", line 95, in _decode_jwt
    decoded_token = jwt.decode(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 211, in decode
    decoded = self.decode_complete(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 152, in decode_complete
    decoded = api_jws.decode_complete(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jws.py", line 210, in decode_complete
    self._verify_signature(signing_input, header, signature, key, algorithms)
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jws.py", line 304, in _verify_signature
    raise InvalidAlgorithmError("The specified alg value is not allowed")
jwt.exceptions.InvalidAlgorithmError: The specified alg value is not allowed extra: {'requestId': '04c440b6-cf2d-42d1-9799-e46f93378955'}
ERROR opendataaf-servicex servicex_app Got exception while submitting transformation request
Traceback (most recent call last):
  File "/home/servicex/servicex_app/resources/transformation/submit.py", line 145, in post
    user = self.get_requesting_user()
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 167, in decorator
    verify_jwt_in_request(
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 94, in verify_jwt_in_request
    jwt_data, jwt_header, jwt_location = _decode_jwt_from_request(
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 340, in _decode_jwt_from_request
    decoded_token = decode_token(encoded_token, csrf_token)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/utils.py", line 128, in decode_token
    return jwt_manager._decode_jwt_from_config(encoded_token, csrf_value, allow_expired)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/jwt_manager.py", line 556, in _decode_jwt_from_config
    return _decode_jwt(**kwargs, allow_expired=allow_expired)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/tokens.py", line 95, in _decode_jwt
    decoded_token = jwt.decode(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 211, in decode
    decoded = self.decode_complete(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 152, in decode_complete
    decoded = api_jws.decode_complete(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jws.py", line 210, in decode_complete
    self._verify_signature(signing_input, header, signature, key, algorithms)
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jws.py", line 304, in _verify_signature
    raise InvalidAlgorithmError("The specified alg value is not allowed")
jwt.exceptions.InvalidAlgorithmError: The specified alg value is not allowed extra: {'requestId': '76bc42ee-c5d9-42f5-84a7-5fbf872c2369'}
ponyisi commented 2 weeks ago

Hi @oshadura - is this still reflecting the situation?