404 on authentication error

asked 2019-07-15 02:53:34 -0500

akovi

updated 2019-07-15 07:14:04 -0500

I use Identity V3 authentication with tokens and found that 404 is returned for authentication-related scenarios. The message is always:

Authorization failed: This is not a recognized Fernet token <token here> (HTTP 404)

I kind of understand why this is returned by the Identity API (although I see it as very controversial). But the greater issue is that this error is seeping through all services, like Heat and Mistral. This creates a very hard situation where it depends only on the exception's message whether it is an authentication error or a resource error.

How should I overcome these issues?


3 answers

1

answered 2020-05-21 03:11:28 -0500

Check whether the fernet key exists

0

answered 2020-05-22 03:30:52 -0500

pas-ha

Looks like the fernet key that was used to encrypt the token when Keystone issued it has already been rotated out and/or is simply not present on a keystone node that attempts to validate this token. In effect, Keystone cannot decrypt the token, as the decryption produces garbage which is "not a recognized Fernet token", as the error says.

So I suggest you:

  • check that your keys are properly distributed after they have been rotated, see https://docs.openstack.org/keystone/l...
  • check the number of fernet keys and how frequently they are rotated vs how long your token expiration is, to ensure fernet keys are not rotated out too soon. Also you have to factor in service auth if it is enabled (which allows validating expired tokens for some additional time). See https://docs.openstack.org/keystone/l... for more details
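The rotation check suggested in the answer above can be reasoned about with a small simulation. This is an added example, not part of the answer and not Keystone code. It assumes the usual repository layout (index 0 is the staged key, the highest index is the primary key, `max_active_keys` counts every key including the staged one), and the function names and sample hours are constructed for illustration.

```python
import itertools
import math


def rotate(repo, new_key, max_active_keys):
    """Apply one rotation to repo, a dict mapping key index -> key id.

    Index 0 is the staged key, the highest index is the primary key (it
    encrypts new tokens), and the indexes in between are secondary keys.
    """
    new_primary_index = max(repo) + 1
    repo[new_primary_index] = repo.pop(0)  # staged key is promoted to primary
    repo[0] = new_key                      # a fresh staged key takes index 0
    while len(repo) > max_active_keys:     # purge the oldest secondary keys
        del repo[min(i for i in repo if i != 0)]


def issuing_key_survives(max_active_keys, rotation_hours, token_hours,
                         allow_expired_hours=0):
    """Worst case: the token is issued just before a rotation takes place.

    Returns True if the key that encrypted the token is still in the
    repository for as long as the token may be presented for validation.
    """
    ids = itertools.count(1)
    repo = {0: next(ids), 1: next(ids)}    # staged key and primary key
    issuing_key = repo[max(repo)]
    window = token_hours + allow_expired_hours
    # Rotations happen at t = 0, R, 2R, ... while t is inside the window.
    for _ in range(math.ceil(window / rotation_hours)):
        rotate(repo, next(ids), max_active_keys)
        if issuing_key not in repo.values():
            return False                   # validation would now fail
    return True


def minimum_max_active_keys(rotation_hours, token_hours, allow_expired_hours=0):
    """Smallest max_active_keys that never purges a key still in use."""
    return next(n for n in itertools.count(1)
                if issuing_key_survives(n, rotation_hours, token_hours,
                                        allow_expired_hours))


if __name__ == "__main__":
    # Constructed sample values: 24 h tokens, keys rotated every 6 h.
    print(issuing_key_survives(3, rotation_hours=6, token_hours=24))
    print(minimum_max_active_keys(rotation_hours=6, token_hours=24))
```

The result matches the rule of thumb of token lifetime divided by rotation interval, plus two; any extra time during which expired tokens may still be validated by service auth goes into `allow_expired_hours`.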
0

answered 2019-07-17 09:15:25 -0500

gtarnaras

Hey, which OpenStack version are you using? Logs from /var/log/keystone/* might provide some more details.



Stats

Asked: 2019-07-15 02:53:34 -0500

Seen: 319 times

Last updated: May 22