This is perhaps related to errors like this:
https://sentry.dev.renku.ch/organizations/sentry/issues/3051/?project=13&project=2&query=is%3Aunresolved&referrer=issue-stream
The gateway does not call Keycloak to validate access tokens. So what can happen is that if the tokens issued by Keycloak are somehow invalidated (i.e. by a new Renku deployment) then the gateway will not be able to tell, because all the gateway does is validate the token signature and then parse the JWT. And if the token says it is valid, we believe it. But deployments in some cases can invalidate the tokens straight on the Keycloak side.
We have a few solutions here:
- make sure that Helm upgrades do not invalidate tokens
- increase the verbosity of some logging in the gateway - currently a lot of messages that indicate that a token was expired or is not found are `Debug` so they never show up in production logs, but these should be more like warnings and should show up

An additional quality-of-life improvement is the ability to log all users out by calling an endpoint on the gateway. This can then be used by Renku admins after a Renku deployment. When the endpoint is called, it will clear all active sessions and tokens.
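
The gap described above, as an added example that is not part of the original post or the gateway's own code: a token passes signature-and-expiry validation after its session has been dropped on the identity provider side, and a check against session state rejects it with a warning-level log. The HS256 key, the `sid` session lookup, the function names and all values are constructed stand-ins for Keycloak's real signing and session handling.

```python
import base64, hashlib, hmac, json, logging

log = logging.getLogger("gateway-example")
KEY = b"constructed-demo-key"  # assumption: HS256 stand-in for the IdP's signing key

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue(sub: str, sid: str, exp: int) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "sid": sid, "exp": exp}).encode())
    return f"{head}.{body}.{_sign(head + '.' + body)}"

def validate_locally(token: str, now: int):
    """Signature + expiry only, as the post describes. Returns claims or None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sig, _sign(head + "." + body)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def gateway_check(token: str, now: int, active_sessions: set) -> bool:
    """Local validation, then a session lookup standing in for asking the IdP."""
    claims = validate_locally(token, now)
    if claims is None:
        log.warning("token rejected: bad signature, wrong alg or expired")
        return False
    if claims.get("sid") not in active_sessions:
        log.warning("token for sub=%s is well-formed but its session is gone", claims.get("sub"))
        return False
    return True

def demo():
    now, sessions = 1_700_000_000, {"s1"}      # constructed values
    token = issue("alice", "s1", now + 300)
    before = (validate_locally(token, now) is not None, gateway_check(token, now, sessions))
    sessions.clear()                           # e.g. a redeploy drops IdP sessions
    after = (validate_locally(token, now) is not None, gateway_check(token, now, sessions))
    return before, after
```
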