
Token Validation Inconsistency After Deleting Token Issuer in WSO2 APK #2665

Open
steveliem opened this issue Dec 7, 2024 · 0 comments

@steveliem

Description

I encountered an issue in the WSO2 API Platform for Kubernetes (APK) where, after deleting a token issuer, previously issued tokens continue to grant access to APIs. This behavior persists until the gateway runtime pods are manually restarted, suggesting a potential caching problem.

Steps to Reproduce

  1. Deploy an API within an organization.
  2. Configure and deploy a token issuer using Keycloak or another external IdP on the cluster.
  3. Obtain an access token from the IdP and successfully invoke the deployed API using this token.
  4. Delete the token issuer from APK.
  5. Attempt to invoke the API again using the previously obtained token.

Observed Behavior:

After deleting the token issuer, the expectation was that the previously issued token would become invalid, and API invocations using this token would fail. However, the API continued to accept the token and process requests successfully.

Additional Observations:

  • Manual Intervention: Manually deleting the gateway runtime pods (forcing the deployment to spawn new pods) resulted in the expected behavior. Subsequent API invocations with the same token failed, indicating the token was recognized as invalid.
  • Recreating the Token Issuer: After recreating the token issuer in APK, obtaining a new token from Keycloak allowed successful API invocations, as expected.

Conclusion:

This behavior suggests that the gateway runtime does not immediately recognize the deletion of a token issuer, potentially due to caching mechanisms. Manual pod deletion appears to clear the cache, aligning the system's behavior with expectations.

Recommendation:

Investigate the caching mechanisms within the gateway runtime concerning token issuer configurations. Implementing a cache invalidation process upon the deletion of a token issuer would ensure that tokens from deleted issuers are promptly recognized as invalid, maintaining the integrity of the API security model.

This issue impacts the reliability of token validation post-token issuer deletion and requires attention to ensure consistent security enforcement.

Affected Component

Enforcer

Version

1.2.0

Environment Details (with versions)

OpenShift version: 4.16.18
Kubernetes version: v1.29.8+632b078
Channel: stable-4.16

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

gateway enforcer pod tokenissuer
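As an added illustration, not code from WSO2 APK, the stale-issuer behaviour the report describes modelled in Python: an enforcer that caches each TokenIssuer's verification key per pod, once without and once with cache eviction when the issuer is deleted. The issuer URL, the shared secret and HS256 signing are constructed for the demo; a real APK issuer is verified against the IdP's JWKS.

```python
import base64, hashlib, hmac, json, time

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(iss: str, key: bytes, sub: str, ttl: int = 3600) -> str:
    # HS256 JWT constructed for the demo; a real APK issuer is verified against the IdP's JWKS.
    header = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64e(json.dumps({"iss": iss, "sub": sub, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64e(sig)}"

class Enforcer:
    # registry: control-plane view of TokenIssuers (issuer -> key); cache: the per-pod copy that goes stale.
    def __init__(self, registry: dict, evict_on_delete: bool):
        self.registry, self.evict_on_delete, self.cache = registry, evict_on_delete, {}

    def validate(self, token: str) -> bool:
        try:
            h, c, s = token.split(".")
            claims = json.loads(_b64d(c))
            iss, exp = claims["iss"], claims["exp"]
        except (ValueError, AttributeError, KeyError, TypeError):
            return False  # malformed token or missing claims
        if iss not in self.cache and iss in self.registry:
            self.cache[iss] = self.registry[iss]  # fetched once, then served from cache
        key = self.cache.get(iss)
        if key is None or exp < time.time():
            return False  # unknown (or deleted) issuer, or expired token
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64d(s))

    def delete_issuer(self, iss: str) -> None:
        # Control-plane delete: the buggy variant drops only the registry entry,
        # the fixed one also evicts the cached key so the deletion takes effect at once.
        self.registry.pop(iss, None)
        if self.evict_on_delete:
            self.cache.pop(iss, None)

def reproduce(evict_on_delete: bool) -> tuple:
    # Steps 1-5 of the report; returns (valid before delete, after delete, after pod restart).
    iss, key = "https://idp.example/realms/demo", b"constructed-demo-secret"
    enforcer = Enforcer({iss: key}, evict_on_delete)
    token = issue_token(iss, key, "alice")
    before = enforcer.validate(token)
    enforcer.delete_issuer(iss)
    after = enforcer.validate(token)
    enforcer.cache.clear()  # what deleting the gateway runtime pod achieves
    return before, after, enforcer.validate(token)
```

`reproduce(False)` yields (True, True, False), the reported behaviour; `reproduce(True)` yields (True, False, False), the behaviour the recommendation asks for.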

@tharindu1st tharindu1st self-assigned this Dec 9, 2024
@tharindu1st tharindu1st moved this from Backlog to Shortlisted in APK Development Dec 9, 2024