zowe / zss

Zowe System Services Server for enabling low-level microservices
Eclipse Public License 2.0

POST /saf/authenticate often returns blank jwt #725

Open jthyssenrocket opened 3 weeks ago

jthyssenrocket commented 3 weeks ago

I am using zssServer POST /saf/authenticate to generate RACF Identity Tokens (IDTs). Zowe 2.17, z/OS 3.1

Input JSON is:

{
  "username": "{{userid}}",
  "pass": "{{password}}",
  "appl": "{{appl}}"
}

Sometimes the API returns the JWT:

{
    "jwt": "ey[...snip]PU"
}

but very often it returns a blank JWT:

{
    "jwt": ""
}

I do not see any messages in the Zowe address space ZWESLSTC nor on the SYSLOG.

jthyssenrocket commented 3 weeks ago

in authServiceFunction, parm = 0x226E6980
handleGenerateToken(): username = <userid>, password = ******
safVerify(VERIFY_CREATE) safStatus = 0, RACF RC = 0, RSN = 0, ACEE=0x7FF714D8
IDTA token: gen_rc = 0, prop_out = 0, prop_in = 8000 token length = 0
safVerify(VERIFY_DELETE) safStatus = 0, RACF RC = 0, RSN = 0, ACEE=0x7FF714D8
handleGenerateToken() done rc = 0

JoeNemo commented 3 weeks ago

Is this a regression? Was this working correctly and consistently in an earlier release? Does this happen randomly with the same input? If we can reproduce with any decent probability that would be good.

jthyssenrocket commented 3 weeks ago

I only became interested in JWTs a month or two ago, so I haven't tried the API in the past.

jthyssenrocket commented 3 weeks ago

A good start might be to print IDTA_SAF_IDT_Return and IDTA_IDT_Gen_RC as indicated here https://www.ibm.com/docs/en/zos/3.1.0?topic=zssrmr-activating-using-idta-parameter-in-racroute-requestverify-initacee#idtaparam__section_ehwg_idt__title__1
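
A triage check for the trace format posted earlier in this thread, as an added example that is not part of the issue or of the zss code base: it flags token requests where safVerify(VERIFY_CREATE) succeeded and gen_rc is 0 but the IDTA token length is 0. The first request in the sample is the trace from this issue; the second request (user USERB, token length 312) is constructed, and reading the numeric fields as hex is an assumption that only affects the zero test.

```python
import re

# Field layout copied from the trace in this issue. The radix of the numbers is
# not stated on the page, so values are only ever compared against zero.
NUM = r"([0-9A-Fa-f]+)"
START_RE = re.compile(r"handleGenerateToken\(\): username = (\S+),")
VERIFY_RE = re.compile(
    rf"safVerify\((VERIFY_\w+)\) safStatus = {NUM}, RACF RC = {NUM}, RSN = {NUM}")
IDTA_RE = re.compile(
    rf"IDTA token: gen_rc = {NUM}, prop_out = {NUM}, prop_in = {NUM},? token length = {NUM}")

def is_zero(text):
    return int(text, 16) == 0

def find_blank_tokens(lines):
    """One finding per request where RACF verified the user and reported
    gen_rc = 0, yet the generated token length was 0 (the blank-jwt case)."""
    findings, user, verified = [], None, False
    for number, line in enumerate(lines, 1):
        if m := START_RE.search(line):
            user, verified = m.group(1), False   # new request, reset state
        elif m := VERIFY_RE.search(line):
            if m.group(1) == "VERIFY_CREATE":
                verified = all(is_zero(v) for v in m.group(2, 3, 4))
        elif m := IDTA_RE.search(line):
            if verified and is_zero(m.group(1)) and is_zero(m.group(4)):
                findings.append({"line": number, "user": user,
                                 "prop_in": m.group(3)})
    return findings

SAMPLE = """\
in authServiceFunction, parm = 0x226E6980
handleGenerateToken(): username = <userid>, password = ******
safVerify(VERIFY_CREATE) safStatus = 0, RACF RC = 0, RSN = 0, ACEE=0x7FF714D8
IDTA token: gen_rc = 0, prop_out = 0, prop_in = 8000 token length = 0
safVerify(VERIFY_DELETE) safStatus = 0, RACF RC = 0, RSN = 0, ACEE=0x7FF714D8
handleGenerateToken() done rc = 0
handleGenerateToken(): username = USERB, password = ******
safVerify(VERIFY_CREATE) safStatus = 0, RACF RC = 0, RSN = 0, ACEE=0x7FF714D8
IDTA token: gen_rc = 0, prop_out = 0, prop_in = 8000 token length = 312
""".splitlines()  # lines 7-9 are constructed; lines 1-6 are the issue's trace

if __name__ == "__main__":
    for finding in find_blank_tokens(SAMPLE):
        print(finding)
```

A request whose VERIFY_CREATE fails is not reported, since an empty token is the expected outcome there; only the "everything returned 0 but no token" pattern from this issue is flagged.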