[
https://issues.apache.org/jira/browse/GUACAMOLE-919?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17072678#comment-17072678
]
Mechanix edited comment on GUACAMOLE-919 at 4/1/20, 11:54 AM:
--------------------------------------------------------------
[~DouglasHeriot] this is getting weird now. I didn't receive these log messages
before:
11:13:47.537 [pool-1-thread-1] DEBUG o.a.i.d.pooled.PooledDataSource - Checked
out connection 25479307 from pool.
11:13:47.537 [pool-1-thread-1] DEBUG o.a.i.d.pooled.PooledDataSource - Testing
connection 25479307 ..
11:24:02.557 [http-nio-8080-exec-22] DEBUG o.a.g.resource.ResourceServlet -
Resource not modified: "/app.js"
11:24:03.001 [http-nio-8080-exec-18] DEBUG org.jose4j.jwk.HttpsJwks -
Refreshing/loading JWKS from
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
11:24:03.001 [http-nio-8080-exec-18] DEBUG org.jose4j.http.Get - HTTP GET of
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
11:24:03.094 [http-nio-8080-exec-18] DEBUG org.jose4j.http.Get - read 3438
characters
11:24:03.095 [http-nio-8080-exec-18] DEBUG org.jose4j.http.Get - HTTP GET of
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
returned SimpleResponse\{statusCode=200, statusMessage='OK',
headers={null=[HTTP/1.1 200 OK], date=[Wed, 01 Apr 2020 11:24:03 GMT],
server=[openresty/1.15.8.1], set-cookie=[route=1585740244.076.329.181539;
Path=/; Secure; HttpOnly], content-length=[3438], vary=[Accept-Encoding],
connection=[keep-alive], content-type=[application/json],
cache-control=[no-cache], strict-transport-security=[max-age=15724800;
includeSubDomains]},
body='{"keys":[{"kid":"FsgfrnQ8F8D9-nXwkCUV8DX9h7EwtWfjxrKGYa398WA","kty":"RSA","alg":"RS256","use":"sig","n":"mcfeuGp1o5Eh_mWl4uJsRXVB53edq7JWO0qWPxdnG0FPct_QTQxm2b9ezalnEMuot0QklkzeJqajla0uR4sdjP7rs-4K3PJKDOdd3TUhV3RciLVCCCI4Flfeiu2mxWaoAFRQWMlvbHPolUBZX6I_WVRMxppUxTnuU28fy7xtBdDHeFjlmQy8Ds19AsF1XnMDu-YrJYjpt3YuqSVnKvkZb-3daPy-1nAPcXbAbnUszyuCWedDnBq0lYUWDIBSYeGKscEGyNQg1CC40duFmMba3GCXr9GWuZlrX5zw7u0-q1xHfj5TmYSce2fVGbob8-VcKPlBoJonA7_9LKZ8nW9otw","e":"AQAB","x5c":["MIICpTCCAY0CBgFvBIsQqTANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtudi1zZXJ2aWNlczAeFw0xOTEyMTQxMzEyMDBaFw0yOTEyMTQxMzEzNDBaMBYxFDASBgNVBAMMC252LXNlcnZpY2VzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmcfeuGp1o5Eh/mWl4uJsRXVB53edq7JWO0qWPxdnG0FPct/QTQxm2b9ezalnEMuot0QklkzeJqajla0uR4sdjP7rs+4K3PJKDOdd3TUhV3RciLVCCCI4Flfeiu2mxWaoAFRQWMlvbHPolUBZX6I/WVRMxppUxTnuU28fy7xtBdDHeFjlmQy8Ds19AsF1XnMDu+YrJYjpt3YuqSVnKvkZb+3daPy+1nAPcXbAbnUszyuCWedDnBq0lYUWDIBSYeGKscEGyNQg1CC40duFmMba3GCXr9GWuZlrX5zw7u0+q1xHfj5TmYSce2fVGbob8+VcKPlBoJonA7/9LKZ8nW9otwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAXxGVh7FrWQJUbd+b5VRRx4rS468i0N1TT5ZsVx98yERCEBVaoBFnvvYF2n+pBVhRaqJ8iH0DfddYmWUxh5eDOQc53DNM2uMbmRT8HYad9E+pTH5m4MXbQpBssn86P8A/ia0G9CIfHX/dwinJtqwblEcY75VYYU0jV+ntndV96bozS/H0bpUVdYhBgpu5tpzikqBvZqALiunlkeeurcUnt+dyR6sRo5pOGGzYYuFxjQzqt8lEZsvp2UP6hJX+P4/L6A+NKJmMlmIyhX7twP5p7ebH8nTRKIyimSHDinKLiMZL4998CQdNF9s2nCHNoo8WaWFJcxt+QLLvBjnN00SzO"],"x5t":"ZvHZcCWdzzfBwiqsRvFjrVtlCgU","x5t#S256":"R8
LHsrJYc0A7U0Go2xVrfKzF93ebjYYweWurnzVOPTU"},\{"kid":"KIaFtft4tcThU_dL9ddOl6L7C7jbEzW-PjFR5Oozof4","kty":"RSA","alg":"RS256","use":"sig","n":"1OUjxVCVTNt7VMmaLtZGnb9m3q9vnfkIcMpC5fg2N6iho5Cjjiol9cu8_lKv8dyZVUKlh3ju0-KgWBIS9759NjpkhKerOMwBpe6ApHmOBz1hsqx5swPfgjjS-t2yNDTA8wnOO4Pl1rKuzU18GxdG54dDKOWyeQIl1B24KyaBMukZqwnFy6AHE-srn4pjQOpGaLvvEpXByu4YXHJj1jKnZuysMLle6Kc9oLxgUIsCTauqeth3gEGLsb82g7Sovjkq5kSlYVBT2rAH1WyMis5d5eWNOi43tdUU1uSMy5bWqdUcRVpqnRossmWXOkXuuiQXV02OT_uuGzxq5-SF9HyZNQ","e":"AQAB","x5c":["MIIEGzCCAwOgAwIBAgIJAPq3GHpYAEZlMA0GCSqGSIb3DQEBCwUAMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMQ8wDQYDVQQHDAZNdW5pY2gxFTATBgNVBAoMDE5lb3MgSVQgR21iSDEMMAoGA1UECwwDb3BzMSwwKgYDVQQDDCNtdW5udnBkZXBhdHIwMS5wY2kubmVvc3ZlbnR1cmVzLmNvbTEfMB0GCSqGSIb3DQEJARYQbGludXhAbmVvc2l0LmNvbTAeFw0yMDAxMjgxMzM2NThaFw0zMDAxMjUxMzM2NThaMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMQ8wDQYDVQQHDAZNdW5pY2gxFTATBgNVBAoMDE5lb3MgSVQgR21iSDEMMAoGA1UECwwDb3BzMSwwKgYDVQQDDCNtdW5udnBkZXBhdHIwMS5wY2kubmVvc3ZlbnR1cmVzLmNvbTEfMB0GCSqGSIb3DQEJARYQbGludXhAbmVvc2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTlI8VQlUzbe1TJmi7WRp2/Zt6vb535CHDKQuX4NjeooaOQo44qJfXLvP5Sr/HcmVVCpYd47tPioFgSEve+fTY6ZISnqzjMAaXugKR5jgc9YbKsebMD34I40vrdsjQ0wPMJzjuD5dayrs1NfBsXRueHQyjlsnkCJdQduCsmgTLpGasJxcugBxPrK5+KY0DqRmi77xKVwcruGFxyY9Yyp2bsrDC5XuinPaC8YFCLAk2rqnrYd4BBi7G/NoO0qL45KuZEpWFQU9qwB9VsjIrOXeXljTouN7XVFNbkjMuW1qnVHEVaap0aLLJllzpF7rokF1dNjk/7rhs8aufkhfR8mTUCAwEAAaNQME4wHQYDVR0OBBYEFImu40BHImRCrexntDC73jPKEzdOMB8GA1UdIwQYMBaAFImu40BHImRCrexntDC73jPKEzdOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHpS3pE+7vmooqukUGCv08i6c0H2DUESu/Nb+WmnB1hX97E5AtV6apn7AoFDjHbAK5Ys2PK7ttRq9pOpiGgJq8cFC6GP18j34OXC6kWUP+1cTmeXWfyOwuASKgbVylIkZT4ykJwWaE2K1CB2iX4N6rgY4/mjrrrN7GQZebBzEfz4outhHH95Cq8F9S7OejDIzhxm6mpEWig4J+zdaK6WjhEEWqPWGn3iYn3fpl8oM9IK91R2K3uFZyMIIqLvEu5h+wnRWnsxWH/ZGrhm5P5FnPkvaLUe48NNmUGOtI2Whjx1CkvPx4NURc3XtIiS3/FQK26GXtmRJH/IFD+m/kWbxao="],"x5t":"b8dV-YIMCsZsmHAyW7_wG8Y1lgg","x5t#S256":"enlraMsPcx9gPbPR57R1Oy8j8gtQrG_W7zVO3Gsjg40"}]}'}
11:24:03.104 [http-nio-8080-exec-18] DEBUG org.jose4j.jwk.HttpsJwks - Will use
default cache duration of 3600 seconds for content from
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
{color:#FF0000}11:24:03.104 [http-nio-8080-exec-18] DEBUG
org.jose4j.jwk.HttpsJwks - Updated JWKS content from
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
will be cached for 3600 seconds until about Wed Apr 01 12:24:03 UTC 2020
->{color} [org.jose4j.jwk.RsaJsonWebKey\{kty=RSA,
kid=FsgfrnQ8F8D9-nXwkCUV8DX9h7EwtWfjxrKGYa398WA, use=sig, alg=RS256,
n=mcfeuGp1o5Eh_mWl4uJsRXVB53edq7JWO0qWPxdnG0FPct_QTQxm2b9ezalnEMuot0QklkzeJqajla0uR4sdjP7rs-4K3PJKDOdd3TUhV3RciLVCCCI4Flfeiu2mxWaoAFRQWMlvbHPolUBZX6I_WVRMxppUxTnuU28fy7xtBdDHeFjlmQy8Ds19AsF1XnMDu-YrJYjpt3YuqSVnKvkZb-3daPy-1nAPcXbAbnUszyuCWedDnBq0lYUWDIBSYeGKscEGyNQg1CC40duFmMba3GCXr9GWuZlrX5zw7u0-q1xHfj5TmYSce2fVGbob8-VcKPlBoJonA7_9LKZ8nW9otw,
e=AQAB,
x5c=[MIICpTCCAY0CBgFvBIsQqTANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtudi1zZXJ2aWNlczAeFw0xOTEyMTQxMzEyMDBaFw0yOTEyMTQxMzEzNDBaMBYxFDASBgNVBAMMC252LXNlcnZpY2VzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmcfeuGp1o5Eh/mWl4uJsRXVB53edq7JWO0qWPxdnG0FPct/QTQxm2b9ezalnEMuot0QklkzeJqajla0uR4sdjP7rs+4K3PJKDOdd3TUhV3RciLVCCCI4Flfeiu2mxWaoAFRQWMlvbHPolUBZX6I/WVRMxppUxTnuU28fy7xtBdDHDs19AsF1XnMDu+YrJYjpt3YuqSVnKvkZb+3daPy+1nAPcXbAbnUszyuCWedDnBq0lYUWDIBSYeGKscEGyNQg1CC40duFmMba3GCXr9GWuZlrX5zw7u0+q1xHfj5TmYSce2fVGbob8+VcKPlBoJonA7/9LKZ8nW9otwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAXxGVh7FrWQJUbd+b5VRRx4rS468i0N1TT5ZsVx98yERCEBVaoBFnvvYF2n+pBVhRaqJ8iH0DfddYmWUxh5eDOQc53DNM2uMbmRT8HYad9E+pTH5m4MXbQpBssn86P8A/ia0G9CIfHX/dwinJtqwblEcY75VYYU0jV+ntndV96bozS/H0bpUVdYhBgpu5tpzikqBvZqALiunlkeeurcUnt+dyR6sRo5pOGGzYYuFxjQzqt8lEZsvp2UP6hJX+P4/L6A+NKJmMlmIyhX7twP5p7ebH8nTRKIyimSHDinKLiMZL4998CQdNF9s2nCHNoo8WaWFJcxt+QLLvBjnN00SzO],
x5t=ZvHZcCWdzzfBwiqsRvFjrVtlCgU,
x5t#S256=R8LHsrJYc0A7U0Go2xVrfKzF93ebjYYweWurnzVOPTU},
org.jose4j.jwk.RsaJsonWebKey{kty=RSA,
kid=KIaFtft4tcThU_dL9ddOl6L7C7jbEzW-PjFR5Oozof4, use=sig, alg=RS256,
n=1OUjxVCVTNt7VMmaLtZGnb9m3q9vnfkIcMpC5fg2N6iho5Cjjiol9cu8_lKv8dyZVUKlh3ju0-KgWBIS9759NjpkhKerOMwBpe6ApBz1hsqx5swPfgjjS-t2yNDTA8wnOO4Pl1rKuzU18GxdG54dDKOWyeQIl1B24KyaBMukZqwnFy6AHE-srn4pjQOpGa
LvvEpXByu4YXHJj1jKnZuysMLle6Kc9oLxgUIsCTauqeth3gEGLsb82g7Sovjkq5kSlYVBT2rAH1WyMis5d5eWNOi43tdUU1uSMy5bWqdUcRVpqnRossmWXOkXuuiQXV02OT_uuGzxq5-SF9HyZNQ,
e=AQAB,
x5c=[MIIEGzCCAwOgAwIBAgIJAPq3GHpYAEZlMA0GCSqGSIb3DQEBCwUAMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMQ8wDQYDVQQHDAZNdW5pY2gxFTATBgNVBAoMDE5lb3MgSVQgR21iSDEMMAoGA1UECwwDb3BzMSwwKgYDVQQDDCNtdW5udnBkZXBhdHIwMS5wY2kubmVvc3ZlbnR1cmVzLmNvbTEfMB0GCSqGSIb3DQEJARYQbGludXhAbmVvc2l0LmNvbTAeFw0yMDAxMjgxMzM2NThaFw0zMDAxMjUxMzM2NThaMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMQ8wDQYDVQQHDAZNdW5pY2gxFTATBgNVBAoMDE5lb3MgSVQgR21iSDEMMAoGA1UECwwDb3BzMSwwKgYDVQQDDCNtdW5udnBkZXBhdHIwMS5wY2kubmVvc3ZlbnR1cmVzLmNvbTEfMB0GCSqGSIb3DQEJARYQbGludXhAbmVvc2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTlI8VQlUzbe1TJmi7WRp2/Zt6vb535CHDKQuX4NjeooaOQo44qJfXLvP5Sr/HcmVVCpYd47tPioFgSEve+fTY6ZISnqzjMAaXugKR5jgc9YbKsebMD34I40vrdsjQ0wPMJzjuD5dayrs1NfBsXRueHQyjlsnkCJdQduCsmgTLpGasJxcugBxPrK5+KY0DqRmi77xKVwcruGFxyY9Yyp2bsrDC5XuinPaC8YFCLAk2rqnrYd4BBi7G/NoO0qL45KuZEpWFrOXeXljTouN7XVFNbkjMuW1qnVHEVaap0aLLJllzpF7rokF1dNjk/7rhs8aufkhfR8mTUCAwEAAaNQME4wHQYDVR0OBBYEFImu40BHImRCrexntDC73jPKEzdOMB8GA1UdIwQYMBaAFImu40BHImRCrexntDC73jPKEzdOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHpS3pE+7vmooqukUGCv08i6c0H2DUESu/Nb+WmnB1hX97E5AtV6apn7AoFDjHbAK5Ys2PK7ttRq9pOpiGgJq8cFC6GP18j34OXC6kWUP+1cTmeXWfyOwuASKgbVylIkZT4ykJwWaE2K1CB2iX4N6rgY4/mjrrrN7GQZebBzEfz4outhHH95Cq8F9S7OejDIzhxm6mpEWig4J+zdaK6WjhEEWqPWGn3iYn3fpl8oM9IK91R2K3uFZyMIIqLvEu5h+wnRWnsxWH/ZGrhm5P5FnPkvaLUe48NNmUGOtI2Whjx1CkvPx4NURc3XtIiS3/FQK26GXtmRJH/IFD+m/kWbxao=],
x5t=b8dV-YIMCsZsmHAyW7_wG8Y1lgg,
x5t#S256=enlraMsPcx9gPbPR57R1Oy8j8gtQrG_W7zVO3Gsjg40}]
{color:#FF0000}11:24:03.110 [http-nio-8080-exec-18] INFO
o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT
({color}claims->\{"jti":"24d4f42c-04c0-4c18-b002-62cf79c776a0","exp":1585736900,"nbf":0,"iat":1585736001,"iss":"https://sso.example.com/auth/realms/nv-services","aud":"guacamole","sub":"cc635857-a06a-46cd-938b-775e71d27a7a","typ":"ID","azp":"guacamole","nonce":"kudiiku0csb6kqggd39hvq049u","auth_time":1585736000,"session_state":"c2c81835-9f2b-4088-a772-77b93d5dd9cf","acr":"1","email_verified":false,"name":"Example
User","groups":["offline_access","uma_authorization","g-OpenNMS-Admin"],"preferred_username":"mechanix","given_name":"Example","family_name":"User","email":"example.u...@example.com"})
rejected due to invalid claims. Additional details: [The JWT is no longer
valid - the evaluation time NumericDate\{1585740243 -> Apr 1, 2020 11:24:03 AM
UTC} is on or after the Expiration Time (exp=NumericDate\{1585736900 -> Apr 1,
2020 10:28:20 AM UTC}) claim value (even when providing 500 seconds of leeway
to account for clock skew).]
{color:#FF0000}11:24:03.112 [http-nio-8080-exec-18] DEBUG
o.a.g.a.o.t.TokenValidationService - Invalid JWT received.{color}
org.jose4j.jwt.consumer.InvalidJwtException: JWT
(claims->\{"jti":"24d4f42c-04c0-4c18-b002-62cf79c776a0","exp":1585736900,"nbf":0,"iat":1585736001,"iss":"https://sso.example.com/auth/realms/nv-services","aud":"guacamole","sub":"cc635857-a06a-46cd-938b-775e71d27a7a","typ":"ID","azp":"guacamole","nonce":"kudiiku0csb6kqggd39hvq049u","auth_time":1585736000,"session_state":"c2c81835-9f2b-4088-a772-77b93d5dd9cf","acr":"1","email_verified":false,"name":"Example
User","groups":["offline_access","uma_authorization","g-OpenNMS-Admin"],"preferred_username":"mechanix","given_name":"Example","family_name":"User","email":"example.u...@example.com"})
rejected due to invalid claims. Additional details: [{color:#FF0000}The JWT is
no longer valid - the evaluation time NumericDate\{1585740243 -> Apr 1, 2020
11:24:03 AM UTC} is on or after the Expiration Time
(exp=NumericDate\{1585736900 -> Apr 1, 2020 10:28:20 AM UTC}{color}) claim
value (even when providing 500 seconds of leeway to account for clock skew).]
at org.jose4j.jwt.consumer.JwtConsumer.validate(JwtConsumer.java:427)
~[guacamole-auth-0penid-1.1.0.jar:na]
at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:278)
~[guacamole-auth-0penid-1.1.0.jar:na]
at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:396)
~[guacamole-auth-0penid-1.1.0.jar:na]
at org.jose4j.jwt.consumer.JwtConsumer.processToClaims(JwtConsumer.java:155)
~[guacamole-auth-0penid-1.1.0.jar:na]
at
org.apache.guacamole.auth.openid.token.TokenValidationService.processUsername(TokenValidationService.java:96)
~[guacamole-auth-0penid-1.1.0.jar:na]
at
org.apache.guacamole.auth.openid.AuthenticationProviderService.authenticateUser(AuthenticationProviderService.java:99)
[guacamole-auth-0penid-1.1.0.jar:na]
at
org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider.authenticateUser(OpenIDAuthenticationProvider.java:71)
[guacamole-auth-0penid-1.1.0.jar:na]
at
org.apache.guacamole.extension.AuthenticationProviderFacade.authenticateUser(AuthenticationProviderFacade.java:190)
[classes/:na]
at
org.apache.guacamole.rest.auth.AuthenticationService.authenticateUser(AuthenticationService.java:168)
[classes/:na]
at
org.apache.guacamole.rest.auth.AuthenticationService.getAuthenticatedUser(AuthenticationService.java:288)
[classes/:na]
at
org.apache.guacamole.rest.auth.AuthenticationService.authenticate(AuthenticationService.java:441)
[classes/:na]
at
org.apache.guacamole.rest.auth.TokenRESTService.createToken(TokenRESTService.java:173)
[classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_212]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[na:1.8.0_212]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[na:1.8.0_212]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_212]
at
com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
[jersey-servlet-1.17.1.jar:1.17.1]
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
[jersey-servlet-1.17.1.jar:1.17.1]
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
[jersey-servlet-1.17.1.jar:1.17.1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
[servlet-api.jar:na]
at
com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
[guice-servlet-3.0.jar:na]
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
[guice-servlet-3.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
[catalina.jar:9.0.20]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
[catalina.jar:9.0.20]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
[catalina.jar:9.0.20]
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
[catalina.jar:9.0.20]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
[catalina.jar:9.0.20]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
[tomcat-coyote.jar:9.0.20]
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
[tomcat-coyote.jar:9.0.20]
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:836)
[tomcat-coyote.jar:9.0.20]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1839)
[tomcat-coyote.jar:9.0.20]
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat-coyote.jar:9.0.20]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[na:1.8.0_212]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[na:1.8.0_212]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-util.jar:9.0.20]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]
11:24:03.113 [http-nio-8080-exec-18] DEBUG o.a.i.t.jdbc.JdbcTransaction -
Opening JDBC Connection
Can this be two separate issues? It looks like the JWT token cannot be renewed.
However, I would expect that guacamole will do a redirect to the SSO provider
for re-authentication.
Sorry that this is getting more confusing.
was (Author: mechanix):
[~DouglasHeriot] this is getting weird now. I didn't receive these log messages
before:
11:13:47.537 [pool-1-thread-1] DEBUG o.a.i.d.pooled.PooledDataSource - Checked
out connection 25479307 from pool.
11:13:47.537 [pool-1-thread-1] DEBUG o.a.i.d.pooled.PooledDataSource - Testing
connection 25479307 ..
11:24:02.557 [http-nio-8080-exec-22] DEBUG o.a.g.resource.ResourceServlet -
Resource not modified: "/app.js"
11:24:03.001 [http-nio-8080-exec-18] DEBUG org.jose4j.jwk.HttpsJwks -
Refreshing/loading JWKS from
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
11:24:03.001 [http-nio-8080-exec-18] DEBUG org.jose4j.http.Get - HTTP GET of
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
11:24:03.094 [http-nio-8080-exec-18] DEBUG org.jose4j.http.Get - read 3438
characters
11:24:03.095 [http-nio-8080-exec-18] DEBUG org.jose4j.http.Get - HTTP GET of
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
returned SimpleResponse\{statusCode=200, statusMessage='OK',
headers={null=[HTTP/1.1 200 OK], date=[Wed, 01 Apr 2020 11:24:03 GMT],
server=[openresty/1.15.8.1], set-cookie=[route=1585740244.076.329.181539;
Path=/; Secure; HttpOnly], content-length=[3438], vary=[Accept-Encoding],
connection=[keep-alive], content-type=[application/json],
cache-control=[no-cache], strict-transport-security=[max-age=15724800;
includeSubDomains]},
body='{"keys":[{"kid":"FsgfrnQ8F8D9-nXwkCUV8DX9h7EwtWfjxrKGYa398WA","kty":"RSA","alg":"RS256","use":"sig","n":"mcfeuGp1o5Eh_mWl4uJsRXVB53edq7JWO0qWPxdnG0FPct_QTQxm2b9ezalnEMuot0QklkzeJqajla0uR4sdjP7rs-4K3PJKDOdd3TUhV3RciLVCCCI4Flfeiu2mxWaoAFRQWMlvbHPolUBZX6I_WVRMxppUxTnuU28fy7xtBdDHeFjlmQy8Ds19AsF1XnMDu-YrJYjpt3YuqSVnKvkZb-3daPy-1nAPcXbAbnUszyuCWedDnBq0lYUWDIBSYeGKscEGyNQg1CC40duFmMba3GCXr9GWuZlrX5zw7u0-q1xHfj5TmYSce2fVGbob8-VcKPlBoJonA7_9LKZ8nW9otw","e":"AQAB","x5c":["MIICpTCCAY0CBgFvBIsQqTANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtudi1zZXJ2aWNlczAeFw0xOTEyMTQxMzEyMDBaFw0yOTEyMTQxMzEzNDBaMBYxFDASBgNVBAMMC252LXNlcnZpY2VzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmcfeuGp1o5Eh/mWl4uJsRXVB53edq7JWO0qWPxdnG0FPct/QTQxm2b9ezalnEMuot0QklkzeJqajla0uR4sdjP7rs+4K3PJKDOdd3TUhV3RciLVCCCI4Flfeiu2mxWaoAFRQWMlvbHPolUBZX6I/WVRMxppUxTnuU28fy7xtBdDHeFjlmQy8Ds19AsF1XnMDu+YrJYjpt3YuqSVnKvkZb+3daPy+1nAPcXbAbnUszyuCWedDnBq0lYUWDIBSYeGKscEGyNQg1CC40duFmMba3GCXr9GWuZlrX5zw7u0+q1xHfj5TmYSce2fVGbob8+VcKPlBoJonA7/9LKZ8nW9otwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAXxGVh7FrWQJUbd+b5VRRx4rS468i0N1TT5ZsVx98yERCEBVaoBFnvvYF2n+pBVhRaqJ8iH0DfddYmWUxh5eDOQc53DNM2uMbmRT8HYad9E+pTH5m4MXbQpBssn86P8A/ia0G9CIfHX/dwinJtqwblEcY75VYYU0jV+ntndV96bozS/H0bpUVdYhBgpu5tpzikqBvZqALiunlkeeurcUnt+dyR6sRo5pOGGzYYuFxjQzqt8lEZsvp2UP6hJX+P4/L6A+NKJmMlmIyhX7twP5p7ebH8nTRKIyimSHDinKLiMZL4998CQdNF9s2nCHNoo8WaWFJcxt+QLLvBjnN00SzO"],"x5t":"ZvHZcCWdzzfBwiqsRvFjrVtlCgU","x5t#S256":"R8
LHsrJYc0A7U0Go2xVrfKzF93ebjYYweWurnzVOPTU"},\{"kid":"KIaFtft4tcThU_dL9ddOl6L7C7jbEzW-PjFR5Oozof4","kty":"RSA","alg":"RS256","use":"sig","n":"1OUjxVCVTNt7VMmaLtZGnb9m3q9vnfkIcMpC5fg2N6iho5Cjjiol9cu8_lKv8dyZVUKlh3ju0-KgWBIS9759NjpkhKerOMwBpe6ApHmOBz1hsqx5swPfgjjS-t2yNDTA8wnOO4Pl1rKuzU18GxdG54dDKOWyeQIl1B24KyaBMukZqwnFy6AHE-srn4pjQOpGaLvvEpXByu4YXHJj1jKnZuysMLle6Kc9oLxgUIsCTauqeth3gEGLsb82g7Sovjkq5kSlYVBT2rAH1WyMis5d5eWNOi43tdUU1uSMy5bWqdUcRVpqnRossmWXOkXuuiQXV02OT_uuGzxq5-SF9HyZNQ","e":"AQAB","x5c":["MIIEGzCCAwOgAwIBAgIJAPq3GHpYAEZlMA0GCSqGSIb3DQEBCwUAMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMQ8wDQYDVQQHDAZNdW5pY2gxFTATBgNVBAoMDE5lb3MgSVQgR21iSDEMMAoGA1UECwwDb3BzMSwwKgYDVQQDDCNtdW5udnBkZXBhdHIwMS5wY2kubmVvc3ZlbnR1cmVzLmNvbTEfMB0GCSqGSIb3DQEJARYQbGludXhAbmVvc2l0LmNvbTAeFw0yMDAxMjgxMzM2NThaFw0zMDAxMjUxMzM2NThaMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMQ8wDQYDVQQHDAZNdW5pY2gxFTATBgNVBAoMDE5lb3MgSVQgR21iSDEMMAoGA1UECwwDb3BzMSwwKgYDVQQDDCNtdW5udnBkZXBhdHIwMS5wY2kubmVvc3ZlbnR1cmVzLmNvbTEfMB0GCSqGSIb3DQEJARYQbGludXhAbmVvc2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTlI8VQlUzbe1TJmi7WRp2/Zt6vb535CHDKQuX4NjeooaOQo44qJfXLvP5Sr/HcmVVCpYd47tPioFgSEve+fTY6ZISnqzjMAaXugKR5jgc9YbKsebMD34I40vrdsjQ0wPMJzjuD5dayrs1NfBsXRueHQyjlsnkCJdQduCsmgTLpGasJxcugBxPrK5+KY0DqRmi77xKVwcruGFxyY9Yyp2bsrDC5XuinPaC8YFCLAk2rqnrYd4BBi7G/NoO0qL45KuZEpWFQU9qwB9VsjIrOXeXljTouN7XVFNbkjMuW1qnVHEVaap0aLLJllzpF7rokF1dNjk/7rhs8aufkhfR8mTUCAwEAAaNQME4wHQYDVR0OBBYEFImu40BHImRCrexntDC73jPKEzdOMB8GA1UdIwQYMBaAFImu40BHImRCrexntDC73jPKEzdOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHpS3pE+7vmooqukUGCv08i6c0H2DUESu/Nb+WmnB1hX97E5AtV6apn7AoFDjHbAK5Ys2PK7ttRq9pOpiGgJq8cFC6GP18j34OXC6kWUP+1cTmeXWfyOwuASKgbVylIkZT4ykJwWaE2K1CB2iX4N6rgY4/mjrrrN7GQZebBzEfz4outhHH95Cq8F9S7OejDIzhxm6mpEWig4J+zdaK6WjhEEWqPWGn3iYn3fpl8oM9IK91R2K3uFZyMIIqLvEu5h+wnRWnsxWH/ZGrhm5P5FnPkvaLUe48NNmUGOtI2Whjx1CkvPx4NURc3XtIiS3/FQK26GXtmRJH/IFD+m/kWbxao="],"x5t":"b8dV-YIMCsZsmHAyW7_wG8Y1lgg","x5t#S256":"enlraMsPcx9gPbPR57R1Oy8j8gtQrG_W7zVO3Gsjg40"}]}'}
11:24:03.104 [http-nio-8080-exec-18] DEBUG org.jose4j.jwk.HttpsJwks - Will use
default cache duration of 3600 seconds for content from
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
{color:#FF0000}11:24:03.104 [http-nio-8080-exec-18] DEBUG
org.jose4j.jwk.HttpsJwks - Updated JWKS content from
https://sso.example.com/auth/realms/nv-services/protocol/openid-connect/certs
will be cached for 3600 seconds until about Wed Apr 01 12:24:03 UTC 2020
->{color} [org.jose4j.jwk.RsaJsonWebKey\{kty=RSA,
kid=FsgfrnQ8F8D9-nXwkCUV8DX9h7EwtWfjxrKGYa398WA, use=sig, alg=RS256,
n=mcfeuGp1o5Eh_mWl4uJsRXVB53edq7JWO0qWPxdnG0FPct_QTQxm2b9ezalnEMuot0QklkzeJqajla0uR4sdjP7rs-4K3PJKDOdd3TUhV3RciLVCCCI4Flfeiu2mxWaoAFRQWMlvbHPolUBZX6I_WVRMxppUxTnuU28fy7xtBdDHeFjlmQy8Ds19AsF1XnMDu-YrJYjpt3YuqSVnKvkZb-3daPy-1nAPcXbAbnUszyuCWedDnBq0lYUWDIBSYeGKscEGyNQg1CC40duFmMba3GCXr9GWuZlrX5zw7u0-q1xHfj5TmYSce2fVGbob8-VcKPlBoJonA7_9LKZ8nW9otw,
e=AQAB,
x5c=[MIICpTCCAY0CBgFvBIsQqTANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtudi1zZXJ2aWNlczAeFw0xOTEyMTQxMzEyMDBaFw0yOTEyMTQxMzEzNDBaMBYxFDASBgNVBAMMC252LXNlcnZpY2VzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmcfeuGp1o5Eh/mWl4uJsRXVB53edq7JWO0qWPxdnG0FPct/QTQxm2b9ezalnEMuot0QklkzeJqajla0uR4sdjP7rs+4K3PJKDOdd3TUhV3RciLVCCCI4Flfeiu2mxWaoAFRQWMlvbHPolUBZX6I/WVRMxppUxTnuU28fy7xtBdDHDs19AsF1XnMDu+YrJYjpt3YuqSVnKvkZb+3daPy+1nAPcXbAbnUszyuCWedDnBq0lYUWDIBSYeGKscEGyNQg1CC40duFmMba3GCXr9GWuZlrX5zw7u0+q1xHfj5TmYSce2fVGbob8+VcKPlBoJonA7/9LKZ8nW9otwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAXxGVh7FrWQJUbd+b5VRRx4rS468i0N1TT5ZsVx98yERCEBVaoBFnvvYF2n+pBVhRaqJ8iH0DfddYmWUxh5eDOQc53DNM2uMbmRT8HYad9E+pTH5m4MXbQpBssn86P8A/ia0G9CIfHX/dwinJtqwblEcY75VYYU0jV+ntndV96bozS/H0bpUVdYhBgpu5tpzikqBvZqALiunlkeeurcUnt+dyR6sRo5pOGGzYYuFxjQzqt8lEZsvp2UP6hJX+P4/L6A+NKJmMlmIyhX7twP5p7ebH8nTRKIyimSHDinKLiMZL4998CQdNF9s2nCHNoo8WaWFJcxt+QLLvBjnN00SzO],
x5t=ZvHZcCWdzzfBwiqsRvFjrVtlCgU,
x5t#S256=R8LHsrJYc0A7U0Go2xVrfKzF93ebjYYweWurnzVOPTU},
org.jose4j.jwk.RsaJsonWebKey{kty=RSA,
kid=KIaFtft4tcThU_dL9ddOl6L7C7jbEzW-PjFR5Oozof4, use=sig, alg=RS256,
n=1OUjxVCVTNt7VMmaLtZGnb9m3q9vnfkIcMpC5fg2N6iho5Cjjiol9cu8_lKv8dyZVUKlh3ju0-KgWBIS9759NjpkhKerOMwBpe6ApBz1hsqx5swPfgjjS-t2yNDTA8wnOO4Pl1rKuzU18GxdG54dDKOWyeQIl1B24KyaBMukZqwnFy6AHE-srn4pjQOpGa
LvvEpXByu4YXHJj1jKnZuysMLle6Kc9oLxgUIsCTauqeth3gEGLsb82g7Sovjkq5kSlYVBT2rAH1WyMis5d5eWNOi43tdUU1uSMy5bWqdUcRVpqnRossmWXOkXuuiQXV02OT_uuGzxq5-SF9HyZNQ,
e=AQAB,
x5c=[MIIEGzCCAwOgAwIBAgIJAPq3GHpYAEZlMA0GCSqGSIb3DQEBCwUAMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMQ8wDQYDVQQHDAZNdW5pY2gxFTATBgNVBAoMDE5lb3MgSVQgR21iSDEMMAoGA1UECwwDb3BzMSwwKgYDVQQDDCNtdW5udnBkZXBhdHIwMS5wY2kubmVvc3ZlbnR1cmVzLmNvbTEfMB0GCSqGSIb3DQEJARYQbGludXhAbmVvc2l0LmNvbTAeFw0yMDAxMjgxMzM2NThaFw0zMDAxMjUxMzM2NThaMIGjMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMQ8wDQYDVQQHDAZNdW5pY2gxFTATBgNVBAoMDE5lb3MgSVQgR21iSDEMMAoGA1UECwwDb3BzMSwwKgYDVQQDDCNtdW5udnBkZXBhdHIwMS5wY2kubmVvc3ZlbnR1cmVzLmNvbTEfMB0GCSqGSIb3DQEJARYQbGludXhAbmVvc2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTlI8VQlUzbe1TJmi7WRp2/Zt6vb535CHDKQuX4NjeooaOQo44qJfXLvP5Sr/HcmVVCpYd47tPioFgSEve+fTY6ZISnqzjMAaXugKR5jgc9YbKsebMD34I40vrdsjQ0wPMJzjuD5dayrs1NfBsXRueHQyjlsnkCJdQduCsmgTLpGasJxcugBxPrK5+KY0DqRmi77xKVwcruGFxyY9Yyp2bsrDC5XuinPaC8YFCLAk2rqnrYd4BBi7G/NoO0qL45KuZEpWFrOXeXljTouN7XVFNbkjMuW1qnVHEVaap0aLLJllzpF7rokF1dNjk/7rhs8aufkhfR8mTUCAwEAAaNQME4wHQYDVR0OBBYEFImu40BHImRCrexntDC73jPKEzdOMB8GA1UdIwQYMBaAFImu40BHImRCrexntDC73jPKEzdOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHpS3pE+7vmooqukUGCv08i6c0H2DUESu/Nb+WmnB1hX97E5AtV6apn7AoFDjHbAK5Ys2PK7ttRq9pOpiGgJq8cFC6GP18j34OXC6kWUP+1cTmeXWfyOwuASKgbVylIkZT4ykJwWaE2K1CB2iX4N6rgY4/mjrrrN7GQZebBzEfz4outhHH95Cq8F9S7OejDIzhxm6mpEWig4J+zdaK6WjhEEWqPWGn3iYn3fpl8oM9IK91R2K3uFZyMIIqLvEu5h+wnRWnsxWH/ZGrhm5P5FnPkvaLUe48NNmUGOtI2Whjx1CkvPx4NURc3XtIiS3/FQK26GXtmRJH/IFD+m/kWbxao=],
x5t=b8dV-YIMCsZsmHAyW7_wG8Y1lgg,
x5t#S256=enlraMsPcx9gPbPR57R1Oy8j8gtQrG_W7zVO3Gsjg40}]
{color:#FF0000}11:24:03.110 [http-nio-8080-exec-18] INFO
o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT
({color}claims->\{"jti":"24d4f42c-04c0-4c18-b002-62cf79c776a0","exp":1585736900,"nbf":0,"iat":1585736001,"iss":"https://sso.example.com/auth/realms/nv-services","aud":"guacamole","sub":"cc635857-a06a-46cd-938b-775e71d27a7a","typ":"ID","azp":"guacamole","nonce":"kudiiku0csb6kqggd39hvq049u","auth_time":1585736000,"session_state":"c2c81835-9f2b-4088-a772-77b93d5dd9cf","acr":"1","email_verified":false,"name":"Example
User","groups":["offline_access","uma_authorization","g-OpenNMS-Admin"],"preferred_username":"mechanix","given_name":"Example","family_name":"User","email":"example.u...@example.com"})
rejected due to invalid claims. Additional details: [The JWT is no longer
valid - the evaluation time NumericDate\{1585740243 -> Apr 1, 2020 11:24:03 AM
UTC} is on or after the Expiration Time (exp=NumericDate\{1585736900 -> Apr 1,
2020 10:28:20 AM UTC}) claim value (even when providing 500 seconds of leeway
to account for clock skew).]
{color:#FF0000}11:24:03.112 [http-nio-8080-exec-18] DEBUG
o.a.g.a.o.t.TokenValidationService - Invalid JWT received.{color}
org.jose4j.jwt.consumer.InvalidJwtException: JWT
(claims->\{"jti":"24d4f42c-04c0-4c18-b002-62cf79c776a0","exp":1585736900,"nbf":0,"iat":1585736001,"iss":"https://sso.example.com/auth/realms/nv-services","aud":"guacamole","sub":"cc635857-a06a-46cd-938b-775e71d27a7a","typ":"ID","azp":"guacamole","nonce":"kudiiku0csb6kqggd39hvq049u","auth_time":1585736000,"session_state":"c2c81835-9f2b-4088-a772-77b93d5dd9cf","acr":"1","email_verified":false,"name":"Example
User","groups":["offline_access","uma_authorization","g-OpenNMS-Admin"],"preferred_username":"mechanix","given_name":"Example","family_name":"User","email":"example.u...@example.com"})
rejected due to invalid claims. Additional details: [{color:#FF0000}The JWT is
no longer valid - the evaluation time NumericDate\{1585740243 -> Apr 1, 2020
11:24:03 AM UTC} is on or after the Expiration Time
(exp=NumericDate\{1585736900 -> Apr 1, 2020 10:28:20 AM UTC}{color}) claim
value (even when providing 500 seconds of leeway to account for clock skew).]
at org.jose4j.jwt.consumer.JwtConsumer.validate(JwtConsumer.java:427)
~[guacamole-auth-0penid-1.1.0.jar:na]
at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:278)
~[guacamole-auth-0penid-1.1.0.jar:na]
at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:396)
~[guacamole-auth-0penid-1.1.0.jar:na]
at org.jose4j.jwt.consumer.JwtConsumer.processToClaims(JwtConsumer.java:155)
~[guacamole-auth-0penid-1.1.0.jar:na]
at
org.apache.guacamole.auth.openid.token.TokenValidationService.processUsername(TokenValidationService.java:96)
~[guacamole-auth-0penid-1.1.0.jar:na]
at
org.apache.guacamole.auth.openid.AuthenticationProviderService.authenticateUser(AuthenticationProviderService.java:99)
[guacamole-auth-0penid-1.1.0.jar:na]
at
org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider.authenticateUser(OpenIDAuthenticationProvider.java:71)
[guacamole-auth-0penid-1.1.0.jar:na]
at
org.apache.guacamole.extension.AuthenticationProviderFacade.authenticateUser(AuthenticationProviderFacade.java:190)
[classes/:na]
at
org.apache.guacamole.rest.auth.AuthenticationService.authenticateUser(AuthenticationService.java:168)
[classes/:na]
at
org.apache.guacamole.rest.auth.AuthenticationService.getAuthenticatedUser(AuthenticationService.java:288)
[classes/:na]
at
org.apache.guacamole.rest.auth.AuthenticationService.authenticate(AuthenticationService.java:441)
[classes/:na]
at
org.apache.guacamole.rest.auth.TokenRESTService.createToken(TokenRESTService.java:173)
[classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_212]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[na:1.8.0_212]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[na:1.8.0_212]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_212]
at
com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
[jersey-servlet-1.17.1.jar:1.17.1]
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
[jersey-servlet-1.17.1.jar:1.17.1]
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
[jersey-servlet-1.17.1.jar:1.17.1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
[servlet-api.jar:na]
at
com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
[guice-servlet-3.0.jar:na]
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
[guice-servlet-3.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
[catalina.jar:9.0.20]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
[catalina.jar:9.0.20]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
[catalina.jar:9.0.20]
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
[catalina.jar:9.0.20]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
[catalina.jar:9.0.20]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
[catalina.jar:9.0.20]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
[tomcat-coyote.jar:9.0.20]
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
[tomcat-coyote.jar:9.0.20]
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:836)
[tomcat-coyote.jar:9.0.20]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1839)
[tomcat-coyote.jar:9.0.20]
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat-coyote.jar:9.0.20]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[na:1.8.0_212]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[na:1.8.0_212]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-util.jar:9.0.20]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]
11:24:03.113 [http-nio-8080-exec-18] DEBUG o.a.i.t.jdbc.JdbcTransaction -
Opening JDBC Connection
Can this be two separate issues? It looks like the JWT token cannot be renewed.
Howecer, I would expect that guacamole will do a redirect to the SSO provider
for re-authentication.
Sorry that this is getting more confusing.
> An I/O error occurred while sending to the backend
> --------------------------------------------------
>
> Key: GUACAMOLE-919
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-919
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-jdbc-postgresql
> Affects Versions: 1.0.0
> Reporter: Mechanix
> Assignee: Nick Couchman
> Priority: Minor
> Attachments: image-2020-01-27-15-19-26-634.png
>
>
> Hi,
> we use guacamole with postgresql and openid extension. Guacamole and guacd is
> deployed inside a k8s cluster.
> For some reason, the authentication doesn't succeed sporadically; there is
> only a blank page and this error message in the guacamole log:
> *[pool-1-thread-1] WARN o.a.i.d.pooled.PooledDataSource - Execution of ping
> query 'SELECT 1' failed: An I/O error occurred while sending to the backend.*
> I suspect there is a weird timeout happening between guacamole and postgresql
> but couldn't figure out why.
> Any hints are much appreciated. Thanks
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
