We have several groups in Artifactory Cloud which have a 'non-admin access token' assigned to them. This setup did work without an issue for almost one year. But since yesterday we're not able to use any of the group tokens anymore. Created a new group token today, but still doesn't work.

While checking the "Artifactory System logs" in the admin UI, it seems the Artifactory service was restarted yesterday (at which point our dependent jobs started to fail). The logs contain a lot of "Principal mismatch for token with id '[ID]'" messages.

  • Debugging using curl gives us: "error 401 - Token principal mismatch"
  • Performing the same step with an incorrect token indeed gives: "error 401 - Bad Credentials"
  • Using the same curl statement with user/pass works perfectly.

My conclusion is that authentication of the group tokens still works, but somehow the next step (= principal mismatch ?) is failing. Any idea how to fix this? Thanks in advance!

--Edit--

  • Artifactory version: 7.23.3
  • Revision: 72303900
  • PostgreSQL: 9.6.20

We are using Python code from this REPO to generate the group token (worked without issue last week): https://pypi.org/project/pyartifactory/1.9.1/

token = art.security.create_access_token(user_name=group_name,
                                         groups=[group.name],
                                         refreshable=False,
                                         expires_in=0)

Used this curl statement for testing:

curl -O "https://$CRED@[subscription_name].jfrog.io/artifactory/[location to Python wheel]"

If $CRED is [Username]:[Password] it works fine, but [Group]:[API token] is not working (which used to work before last Sunday; issue is with both new and existing groups/tokens).

123mark567
  • can you please share: 1. artifactory version 2. exact steps to reproduce - token creation command ? – Maxim Y Aug 09 '21 at 15:49
  • if you're providing both subject and token in the same command it might be that the token audience isn't the same as the provided username. Regarding the feature breaking - is it possible that an upgrade was done? or the actions taken changed? – Maxim Y Aug 09 '21 at 15:53
  • As this is a cloud SaaS service, we have no control over the version / upgrades (provided by JFrog). Changed my initial post a bit to include your requested info. – 123mark567 Aug 10 '21 at 10:49
  • what is the action that is then done with this token? if you're passing basic creds with username value different from param you send to token creation API (in your example it's group_name) then it'll fail. Needs to be the same – Maxim Y Aug 11 '21 at 10:35
  • Used above curl statement for testing (downloading a Python Wheel file) – 123mark567 Aug 12 '21 at 08:17
  • not sure it's related but FYI there was a small regression with case sensitivity of username. It should be resolved now. Will be released in 7.25.x upcoming patch – Maxim Y Aug 30 '21 at 07:58

1 Answer

You can't use group name as username in basic auth. Try bearer auth:

curl -O "https://[subscription_name].jfrog.io/artifactory/[location to Python wheel]" -H "Authorization: Bearer [API token]"

Check out the basic/bearer SO thread

Maxim Y
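A diagnostic sketch for the "Token principal mismatch" case discussed in the comments (an added example, not part of the original question or answer and not JFrog or pyartifactory code): it decodes the token payload and compares the user name in its `sub` claim with the username sent in basic auth, flagging a case-only difference separately. It assumes the access token is a JWT whose `sub` claim ends in `/users/<name>`; the sample token, service id placeholder and names are constructed.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    try:
        payload = token.split(".")[1]
        padded = payload + "=" * (-len(payload) % 4)  # restore stripped padding
        return json.loads(base64.urlsafe_b64decode(padded))
    except (IndexError, ValueError) as exc:
        raise ValueError("not a JWT-formatted access token") from exc


def token_principal(token: str) -> str:
    """User name at the end of 'sub' (assumed shape: '<prefix>/users/<name>')."""
    sub = jwt_claims(token).get("sub", "")
    return sub.rsplit("/users/", 1)[-1]


def check_basic_auth_user(username: str, token: str) -> str:
    """Classify how a basic-auth username relates to the token's principal."""
    principal = token_principal(token)
    if username == principal:
        return "match"
    if username.lower() == principal.lower():
        return "case-mismatch"  # differs only by letter case
    return "mismatch"


def _constructed_token(sub: str) -> str:
    """Build an unsigned sample token; the third part is a dummy signature."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"sub": sub}), "c2ln"])


# Constructed sample: a token created with user_name="Build-Readers".
SAMPLE = _constructed_token("jfrt@SERVICE_ID_PLACEHOLDER/users/Build-Readers")

if __name__ == "__main__":
    for user in ("Build-Readers", "build-readers", "ci-user"):
        print(f"{user!r:16} -> {check_basic_auth_user(user, SAMPLE)}")
```

Run it against a real token only on a trusted machine, since the decoded payload and the token itself are credentials-adjacent data that should not end up in CI logs.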