I'm getting 401 unauthorized when sending the access token from Kubernetes

Why do I get the access token from my app running on Kubernetes and it says it’s invalid?

All these services are running in minikube k8s, and I would like to know why I am having this problem. This is my code.

This is my configMap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: appmic-e-commerceplugins-maintenance
data:
  lb_auth_issuer_uri: "http://appmic-e-commerceplugins-auth:9001"
  lb_maintenance_uri: "http://appmic-e-commerceplugins-maintenance:9090"
  ms-maintenance_name: "http://appmic-e-commerceplugins-maintenance/api/users/login"
  port: "9090"
  db_host: "mysql:3306"
  database: "maintenance_service"

This is the application.yml of my maintenance microservice that connects to the oauth microservice to generate the access token.

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ${LB_AUTH_ISSUER_URI:http://127.0.0.1:9001}
      client:
        registration:
          maintenance-client:
            provider: spring
            client-id: maintenance-client
            client-secret: 12345
            authorization-grant-type: authorization_code
            redirect-uri: ${LB_MAINTENANCE_URI:http://127.0.0.1:9090}/api/users/authorized
            scope:
              - openid
              - profile
              - read
              - write
            client-name: maintenance-client
        provider:
          spring:
            issuer-uri: ${LB_AUTH_ISSUER_URI:http://127.0.0.1:9001}

This is the configuration file for the maintenance microservice pod.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: appmic-e-commerceplugins-maintenance
spec:
  replicas: 1
  selector:
    matchLabels:
      app: appmic-e-commerceplugins-maintenance
  template:
    metadata:
      labels:
        app: appmic-e-commerceplugins-maintenance
    spec:
      containers:
      - image: alexanderpe/appmic-e-commerceplugins-maintenance:latest
        name: appmic-e-commerceplugins-maintenance
        ports:
        - containerPort: 9090
        env:
          - name: LB_AUTH_ISSUER_URI
            valueFrom:
              configMapKeyRef:
                name: appmic-e-commerceplugins-maintenance
                key: lb_auth_issuer_uri
          - name: LB_MAINTENANCE_URI
            valueFrom:
              configMapKeyRef:
                name: appmic-e-commerceplugins-maintenance
                key: lb_maintenance_uri
          - name: MY_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: MY_POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          - name: PORT
            valueFrom:
              configMapKeyRef:
                name: appmic-e-commerceplugins-maintenance
                key: port
          - name: DB_HOST
            valueFrom:
              configMapKeyRef:
                name: appmic-e-commerceplugins-maintenance
                key: db_host
          - name: DB_DATABASE
            valueFrom:
              configMapKeyRef:
                name: appmic-e-commerceplugins-maintenance
                key: database
          - name: DB_USERNAME
            valueFrom:
              secretKeyRef:
                name: appmic-e-commerceplugins-maintenance
                key: username
          - name: DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: appmic-e-commerceplugins-maintenance
                key: password
          - name: GOOGLE_APPLICATION_CREDENTIALS
            value: /etc/credentials/credentials.json
        volumeMounts:
          - name: google-drive-credentials
            mountPath: /etc/credentials
            readOnly: true
      volumes:
        - name: google-drive-credentials
          secret:
            secretName: google-drive-credentials

This is the configuration file for the OAuth microservice pod.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: appmic-e-commerceplugins-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      role: appmic-e-commerceplugins-auth
  template:
    metadata:
      labels:
        role: appmic-e-commerceplugins-auth
    spec:
      containers:
        - image: alexanderpe/appmic-e-commerceplugins-auth:latest
          name: appmic-e-commerceplugins-auth
          ports:
            - containerPort: 9001
          env:
            - name: LB_MAINTENANCE_URI
              valueFrom:
                configMapKeyRef:
                  name: appmic-e-commerceplugins-maintenance
                  key: lb_maintenance_uri
            - name: MS_MAINTENANCE_NAME
              valueFrom:
                configMapKeyRef:
                  name: appmic-e-commerceplugins-maintenance
                  key: ms-maintenance_name
---
apiVersion: v1
kind: Service
metadata:
  name: appmic-e-commerceplugins-auth
spec:
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 9001
      targetPort: 9001
  selector:
    role: appmic-e-commerceplugins-auth

Hi @alexanderfuentes1999

Welcome to the Auth0 Community!

Thank you for posting your question. An invalid access token would most likely mean that your access token is opaque; its only purpose is to be used with the /userinfo endpoint → https://auth0.com/docs/secure/tokens/access-tokens#opaque-access-tokens. Please make sure that the app is adding the audience parameter to the calls → https://auth0.com/docs/secure/tokens/access-tokens/get-access-tokens

Thanks
Dawid

I don’t understand. What should I do first? I get the access_token like this:
http://127.0.0.1:9090/oauth2/authorization/maintenance-client
After that, I log in to the OAuth service with ******** and password *******, and finally it returns the code to me like this:

http://127.0.0.1:9090/api/users/authorized?code=Cwb8exC-yKHBJpjDElkUX3ViHvu64DnCTjC-UhjTLIEwXKYECogKfpFUprpbvZTBx1MfjvVJJq2XpEPb6Z7MBk4ggQ8dP_ilOvn8yTfC50sneN4KfRLr1L61ZSGaibhY&state=sM6CDQv_ApCIrOHc3iZfOKCwqtRjFPMKorcT-EDZcPs%3D
Finally, I make a POST to this URL from Postman: 127.0.0.1:9089/oauth2/token
code: Cwb8exC-yKHBJpjDElkUX3ViHvu64DnCTjC-UhjTLIEwXKYECogKfpFUprpbvZTBx1MfjvVJJq2XpEPb6Z7MBk4ggQ8dP_ilOvn8yTfC50sneN4KfRLr1L61ZSGaibhY&state=sM6CDQv_ApCIrOHc3iZfOKCwqtRjFPMKorcT-EDZcPs
grant_type: authorization_code
redirect_uri: http://appmic-e-commerceplugins-maintenance:9090/api/users/authorized

And there it returns the access_token; however, it is invalid (401), but when I test locally, it works. I think the problem is that the issuer is different.
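
Added example, not part of the thread and not Auth0 or Spring code: a small diagnostic that covers both points raised above, telling an opaque token from a JWT and comparing the JWT's `iss` claim with the `lb_auth_issuer_uri` value from the ConfigMap. It assumes the resource server requires `iss` to equal the configured `issuer-uri` exactly; `diagnose`, `read_claims` and `make_sample_jwt` are hypothetical names, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Issuer the maintenance service is configured with (lb_auth_issuer_uri in the ConfigMap).
EXPECTED_ISSUER = "http://appmic-e-commerceplugins-auth:9001"


def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_jwt(issuer: str) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": "sample-user"}
    return ".".join([_b64url(header), _b64url(payload), "c2ln"])


def read_claims(token: str):
    """Return the payload claims, or None if the token is not a JWT (opaque)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def diagnose(token: str, expected_issuer: str = EXPECTED_ISSUER):
    """Classify a token as opaque, missing-iss, issuer-mismatch or issuer-ok.

    Diagnostic only: the signature is NOT verified here.
    """
    claims = read_claims(token)
    if claims is None:
        return ("opaque", None)
    iss = claims.get("iss")
    if iss is None:
        return ("missing-iss", None)
    # Exact string comparison: scheme, host, port and trailing slash all count.
    return ("issuer-ok" if iss == expected_issuer else "issuer-mismatch", iss)


if __name__ == "__main__":
    for issuer in ("http://127.0.0.1:9089", EXPECTED_ISSUER):  # constructed samples
        print(issuer, "->", diagnose(make_sample_jwt(issuer)))
```

Paste the real access token into `diagnose()` to see which issuer it was minted under; an `issuer-mismatch` result shows the two strings that need to agree.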