Introduction
The cf auth method provides an automated mechanism for CF application instances to retrieve a Vault token. For more information, refer to the Cloud Foundry (CF) auth method documentation.
Problem
When the OAuth token used by the CF auth method expires, the following error occurs:
vault login -method=cf -path=cf role=cf-role
Error authenticating: Error making API request.
Namespace: ns1/
URL: PUT https://vault.internal.org:8200/v1/auth/cf/login
Code: 400. Errors:
* Error requesting apps: Get "https://.../v2/apps/39584f56-f509-45e2-b3f7-xxxxxxxx?inline-relations-depth=2": oauth2: "invalid_token" "Could not verify token signature.
Cause
The CF auth method relies on OAuth access tokens, which can expire, be revoked, or fail for many other reasons. In previous versions, the plugin created a new CF client for every request. That per-request client introduced unnecessary overhead and could lead to port exhaustion. To solve this, the CF auth plugin was modified to share a single client instance, which means an expired token held by that shared client now affects every subsequent login until the client is rebuilt.
In v0.18.0 of the cf-auth-plugin the following change was introduced:
Use a single CF client for all requests to avoid connection exhaustion GH-86 GH-87
Overview of possible solutions (if applicable)
Triggering a reload of the configuration with vault write auth/cf/config, or tuning the mount, makes the plugin build a new CF client (and with it a new OAuth token). This resolves the error until the next OAuth token expiry, at which point the same step has to be repeated.
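The following script is an added example of the workaround above; it is not part of the original article, the Vault documentation, or the cf auth plugin. It assumes VAULT_ADDR and VAULT_TOKEN are set for an operator allowed to update the mount, that the method is mounted at auth/cf (override with CF_MOUNT), and that writing auth/<mount>/config merges with the stored configuration (an assumption; the one field it writes is re-read first so the write changes no setting either way). The role name, mount description and the sample error text used for detection are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Vault docs or the cf auth plugin): detect the
# stale shared-client OAuth token from a failed login and force the plugin to
# rebuild its client, using either of the two triggers the article names.

CF_MOUNT="${CF_MOUNT:-cf}"   # assumption: method mounted at auth/cf

# Decide from a failed login's output whether the shared CF client is holding
# an expired or revoked OAuth token. The marker is the oauth2 "invalid_token"
# error from the plugin's apps lookup, exactly as shown in the article.
cf_login_has_stale_token() {
  printf '%s' "$1" | grep -q 'oauth2: "invalid_token"'
}

# Trigger A: re-write one config field with its current value. The write, not
# the value, is what makes the plugin discard its shared client and build a
# new one (fetching a fresh OAuth token in the process).
cf_auth_rewrite_config() {
  mount="${1:-$CF_MOUNT}"
  api_addr=$(vault read -field=cf_api_addr "auth/${mount}/config") || return 1
  vault write "auth/${mount}/config" cf_api_addr="$api_addr"
}

# Trigger B: tune the mount. Re-applying the mount's description is the least
# invasive tune; TTLs and other mount settings are left untouched. Pass the
# existing description as the second argument (default is a placeholder).
cf_auth_tune_mount() {
  mount="${1:-$CF_MOUNT}"
  desc="${2:-Cloud Foundry auth}"   # constructed placeholder description
  vault auth tune -description="$desc" "${mount}/"
}

# Glue: attempt the login and only touch the mount when the failure is the
# stale-token case. Any other login error is surfaced unchanged so it is not
# masked by an unnecessary config rewrite.
cf_auth_login_or_refresh() {
  role="$1"
  mount="${2:-$CF_MOUNT}"
  out=$(vault login -method=cf -path="$mount" role="$role" 2>&1) && return 0
  if cf_login_has_stale_token "$out"; then
    cf_auth_rewrite_config "$mount" || return 1
    vault login -method=cf -path="$mount" role="$role"
  else
    printf '%s\n' "$out" >&2
    return 1
  fi
}
```

Source the file and call cf_auth_login_or_refresh cf-role (role name constructed) from a CF instance, or run cf_auth_rewrite_config / cf_auth_tune_mount from an operator workstation once a login has reported the invalid_token error. Because the shared client only changes when the config is written or the mount is tuned, the check on the error text is what keeps this from rewriting config on every unrelated login failure.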
Additional Resources
Vault Documentation: Cloud Foundry (CF) auth method
CF Auth Change Log: v0.18.0