Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

POST /saf/authenticate often returns blank jwt #725

Open
jthyssenrocket opened this issue Aug 20, 2024 · 8 comments
Open

POST /saf/authenticate often returns blank jwt #725

jthyssenrocket opened this issue Aug 20, 2024 · 8 comments
Labels
bug Something isn't working new not yet triaged

Comments

@jthyssenrocket
Copy link

I am using zssServer POST /saf/authenticate to generate RACF Identity Tokens (IDTs).
Zowe 2.17, z/OS 3.1

Input JSON is:

{
  "username": "{{userid}}",
  "pass": "{{password}}",
  "appl": "{{appl}}"
}

Sometimes the API returns the JWT:

{
    "jwt": "ey[...snip]PU"
}

but very often it returns a blank JWT:

{
    "jwt": ""
}

I do not see any messages in the Zowe address space ZWESLSTC nor on the SYSLOG
@jthyssenrocket jthyssenrocket added bug Something isn't working new not yet triaged labels Aug 20, 2024
@jthyssenrocket
Copy link
Author 

in authServiceFunction, parm = 0x226E6980                                    
handleGenerateToken(): username = <userid>, password = ******                  
safVerify(VERIFY_CREATE) safStatus = 0, RACF RC = 0, RSN = 0, ACEE=0x7FF714D8
IDTA token: gen_rc = 0, prop_out = 0, prop_in = 8000 token length = 0        
safVerify(VERIFY_DELETE) safStatus = 0, RACF RC = 0, RSN = 0, ACEE=0x7FF714D8
handleGenerateToken() done rc = 0

@JoeNemo
Copy link
Contributor

JoeNemo commented Aug 21, 2024

Is this a regression? Was this working correctly and consistently in an earlier release? Does this happen randomly with the same input? If we can reproduce with any decent probability that would be good.

@jthyssenrocket
Copy link
Author

I only became interested in JWTs a month or two ago, so I haven't tried the API In the past.

@jthyssenrocket
Copy link
Author

A good start might be to print IDTA_SAF_IDT_Return and IDTA_IDT_Gen_RC as indicated here https://www.ibm.com/docs/en/zos/3.1.0?topic=zssrmr-activating-using-idta-parameter-in-racroute-requestverify-initacee#idtaparam__section_ehwg_idt__title__1

@github-actions GitHub Actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs, but can be reopened if needed. Thank you for your contributions.

@github-actions github-actions bot added the stale-reopen-if-needed An issue closed due to inactivity. No indication of completion or validity. label Feb 17, 2025
@jthyssenrocket
Copy link
Author

This is still an issue on Zowe v3

@github-actions github-actions bot removed the stale-reopen-if-needed An issue closed due to inactivity. No indication of completion or validity. label Feb 18, 2025
@JoeNemo
Copy link
Contributor

JoeNemo commented Feb 19, 2025

Aside from specific testing, what products are using this service. It is probably not in our basic testing or default Zowe configuration.

@jthyssenrocket
Copy link
Author

We've used it internally for testing a different product that supports RACF IDTs, but is also considering using it for a Zowe based product.

Let's close it for now, and we'll have to reopen when we have solid plans for exploitation of IDTs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working new not yet triaged
Projects
zOS Squad Board
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JoeNemo @jthyssenrocket