Question: Set the timeouts used when retrieving Keys for JWT validation #4474
Just some more context. Here is the breakdown of my time spent waiting for the content when I load the url in my browser the first time.... That would result in a Connect timeout (which the above log states is the timeout encountered). However, when I shift-F5 in the browser to refresh the page, the time to connect is less, but the time waiting for the response is still > 250. So I'm going to hit a timeout either way. |
Actually, I can't even get the Google aspect of the sample to work. I've followed the instructions, created an OAuth2 client in my Google account and updated the application.yaml with my client-id and client-secret. When I run the app and click on the Google link, it goes to my account, and I select my account, then it looks like it's sending an auth code back. But then my browser shows up with an error. So, I can see the call back from google to localhost:8080/oauth2/authorize/code/google, but that ends up with a 302 error under the covers. Is there anything else to be done to get this basic sample working? |
@hildo Can you post the stack trace for the error related to the access token request connect time out - Google? |
I don't get any exception in the spring-boot process. What I see is
There are no callstacks in the Java process, and no call stacks in the browser. |
Looks like you have things configured correctly. It really is as simple as setting the client-id and client-secret. The defaults for the rest of the config is in Can you add this to your
This should give me more information on the connect timeout issue. This error is happening during the Access Token Request call in
Although the other issue you're having with the timing out while fetching the JwkSet (because of the 250ms timeout setting), there is no timeout set for connect or read while fetching the access token. So this explains why it hangs for a minute or so. Just curious, did you make any changes to
Something is going on here. I haven't had any issues when testing the sample using a client configured in my google account. Seems like your network is having some issues here. Have you tried configuring the facebook or github client? Maybe try either one of them and see what happens. The debug log output may help further so please post that when you get a chance. As far as the JwkSet timeout issue. I will address that so you can update the default connect/read timeout. |
Related #4477 |
@hildo I just added a new feature that will allow you to provide a custom configuration for the underlying HTTP client. So now you can set the connect timeout and read timeout. Here is a code sample to enable this:
Just a heads up that I won't be available over the next 2 weeks. However, @rwinch will be able to assist you if you have any other issues. |
Thanks. The only change I have made to the default yml is, apparently, the scopes... I'm not sure why I've done that. Up until now, I've been using the ZIP download of M3. However, I've now cloned the repo as there are now changes I'd like to try, wrt to the timeouts. So I'll ensure those values in the default yml are restored to what's originally in the repo. Thanks for the help, and have a great break! |
Hi. Just an update. Instead of using M3 of the sources, I've cloned the repository. I've been able to take advantage of configuring the HttpClientConfig and as a result I have been able to successfully interact with an Azure Active Directory (which is what I was really after) as well as a second Open ID connect endpoint. I am still having the same issue with integrating with Google. I've set up the logging as specified, and this is the output in the console running the sample code
That said, I'm happy with the changes that have been made so far. While it would be nice to use Google, I was only attempting that because my first attempt at AAD was failing. That is now succeeding and that is what I am really after. Thanks for all the help! |
@hildo I'm glad you got things working with Azure AD. I'm curious though why you're getting a connect time out using the Google client. I'm suspecting there is something going on with your network where Try doing a Are you running the Google sample on your laptop/desktop or is this happening in a server environment? |
Yes, I agree. The likely suspect is our network. It can be ... challenging. I will try this out a little later and get back. I am running this sample on my desktop, not in a server environment. |
@hildo I'm going to close this issue assuming all is good on your end. Also, we decided to remove See #4478 for further details. |
@jgrandja 2017-10-12 15:48:30.779 DEBUG 15276 --- [nio-8080-exec-5] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener' org.springframework.security.authentication.AuthenticationServiceException: An error occurred while sending the Access Token Request: Connection timed out: connect |
@Rancho007 There is no API available as of now for configuring proxy settings. This will be coming in a later release though. For now, what you can do is create your own implementation of
|
microsoft/azure-spring-boot#247 I am not sure, but I have the same symptoms like here. If someone could help, it would be great |
@sshogunn The default connection timeout needs to be increased in |
Hi Guys, com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Read timed out. Below is my source code. Thanks in advance. import org.springframework.beans.factory.annotation.Autowired; import com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationFilter; @EnableWebSecurity
} |
@vipinsaini434 You've configured Also, see this comment |
@jgrandja thank you. I will raise it with them. Though I checked, it's already there but no solution. Also, I checked the comment you mentioned but could not understand how to increase connection timeout in DefaultResourceRetriever. |
@jgrandja Could you please assist with how to increase the timeout using 'DefaultResourceRetriever'. I searched a lot but am not getting any resource to update it. |
@vipinsaini434 I did not work on the |
Hello everyone, |
Hi Team, |
With the recent release of 5.1, you now have the ability to configure the connect/read timeouts via a supplied The solution provided is to allow a For example, if you need to increase the timeout for the Token Request then you would perform the following configuration steps:
If you need to increase the timeout for the JWKSet retrieval then this still needs to be addressed in #5717. We've already added the capability for supplying the Does this answer your question @laxmikant4644 ? |
Thanks for the detailed response @jgrandja |
Exposing fine-grained configuration, for example, A more flexible option is to allow the user to configure an HTTP Client (eg. |
@vipinsaini434 I came across the same problem and got a better solution:

```java
// jsonWebKeyFileURL and token are Strings supplied by the caller
ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
JWKSource<SecurityContext> jwkSource = null;
// connection timeout and read timeout (both in milliseconds) can be configured here
ResourceRetriever jwkRetriever = new DefaultResourceRetriever(100000, 100000);
jwkSource = new RemoteJWKSet<>(new URL(jsonWebKeyFileURL), jwkRetriever);
JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256;
JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(jwsAlgorithm, jwkSource);
jwtProcessor.setJWSKeySelector(keySelector);
JWTClaimsSet claimsSet = jwtProcessor.process(token, null);
```
|
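An added example (not from this thread, Spring Security or Nimbus) that reproduces the situation in the original question: a JWK set endpoint that takes about 400 ms to answer, fetched through Nimbus `DefaultResourceRetriever` once with 250 ms timeouts and once with 2000 ms timeouts. The local server, the `/jwks` path, the class name and the 50 KB size cap are assumptions made for the demonstration; the timeouts and size limit stay bounded so that a slow or oversized key endpoint cannot hold request threads indefinitely.

```java
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jose.util.Resource;
import com.sun.net.httpserver.HttpServer;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class JwkFetchTimeoutDemo {

    // Constructed stand-in for a slow jwk-set-uri: answers after delayMs with an empty JWK set.
    static HttpServer slowJwkEndpoint(long delayMs) throws IOException {
        byte[] body = "{\"keys\":[]}".getBytes(StandardCharsets.UTF_8);
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/jwks", exchange -> {
            try {
                Thread.sleep(delayMs);
                exchange.getResponseHeaders().add("Content-Type", "application/json");
                exchange.sendResponseHeaders(200, body.length);
                exchange.getResponseBody().write(body);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            } finally {
                exchange.close();
            }
        });
        server.start();
        return server;
    }

    // Fetches the URL with the given connect/read timeouts (ms) and a response size cap (bytes).
    static String fetch(URL url, int connectMs, int readMs, int sizeLimit) {
        try {
            Resource r = new DefaultResourceRetriever(connectMs, readMs, sizeLimit).retrieveResource(url);
            return "OK " + r.getContent();
        } catch (IOException e) {
            return "FAILED " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = slowJwkEndpoint(400);
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/jwks");
        System.out.println("250 ms timeouts:  " + fetch(url, 250, 250, 50 * 1024));
        System.out.println("2000 ms timeouts: " + fetch(url, 2000, 2000, 50 * 1024));
        server.stop(0);
    }
}
```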
This is a question: I am trying out the v5 oauth changes, eventually hoping to try the open id client support. I'm running the boot oauth2login sample in the 5.0.0 M3 release. I have added a new client to connect to an Azure Active Directory account I have. It is working... I can see the token coming back. But it fails when validating the token.
This is the call stack I see in the system.out for the process running the sample
From what I have pieced together, the framework is attempting to retrieve the keys from the jwk-set-uri value and not getting the value in time. When I debug this, the default value of 250 ms is used for both the connect and read timeout for the nimbus classes involved.
When I load the same URL using my browser, it completes. So the URL is valid. However, from where I'm running, it usually takes >400 ms to load. I'm happy to say it's caused by my network, but I'm not going to be able to change this.
Is there any chance that those timeouts will be configurable? I feel like if I can just increase those timeouts, this will work just fine.
Thanks for any help.
Ed