Ask Your Question
0

404 on authentication error

asked 2019-07-15 02:53:34 -0600

akovi gravatar image

updated 2019-07-15 07:14:04 -0600

I use Identity V3 authentication with tokens and found that 404 is returned for authentication related scenarios. The message is always:

Authorization failed: This is not a recognized Fernet token <token here> (HTTP 404)

I kind of understand why this is returned by the Identity API (although I see it very controversial). But the greater issue is that this error is seeping through all services, like Heat and Mistral. This creates a very hard situation where it depends only on the exception's message whether it is an authentication error or a resource error.

How should I overcome these issues?

edit retag flag offensive close merge delete
add a comment

3 answers

Sort by ยป oldest newest most voted
1

answered 2020-05-21 03:11:28 -0600

trangtriqc gravatar image

Check whether fernet key is existed

edit flag offensive delete link more
add a comment
0

answered 2020-05-22 03:30:52 -0600

pas-ha gravatar image

Looks like the fernet key that was used to encrypt the token when Keystone had issued it has been already rotated out and/or is simply not present on a keystone node that attempts to validate this token. In effect, Keystone can not decrypt the token as the decryption produces garbage which is "not a recognized Fernet token" as error says.

So I suggest you:

  • check that your keys are properly distributed after they have been rotated, see https://docs.openstack.org/keystone/l...
  • check the number of fernet keys and how frequently are they rotated vs how long your token expiration is to ensure fernet keys are not rotated out too soon. Also you have to factor in service auth if it is enabled (which allows to validate expired tokens for some additional time). See https://docs.openstack.org/keystone/l... for more details
edit flag offensive delete link more
add a comment
0

answered 2019-07-17 09:15:25 -0600

gtarnaras gravatar image

Hey, which OpenStack version you're using? Logs from /varr/log/keystone/* might provide some more details.

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-07-15 02:53:34 -0600

Seen: 412 times

Last updated: May 22 '20

Related questions

neutron agent-list: Authentication required

What are some common fernet distribution methods?

keystone-manage: error: argument command: invalid choice: 'fernet_setup'

How to check if keystone is working?

Customize authentication in Horizon

Authentication Error using API on Grizzly

The request you have made requires authentication. (HTTP 401)

Syntax with tempauth

error : The request you have made requires authentication

Keystone Connection Failure After Running For Sometime