Key Expired error

I’m working with OIDC on my test endpoint. This was successful during initial testing, however, I’m now getting:

{
    "error": "Key has expired, please renew"
}

However, I get this now no matter what I do. I’ve deleted the API and associated policy altogether, and when I recreate it - I still get this error. This all happens with one account I’ve been using to authenticate (other accounts I use give me tokens that work fine).

Any thoughts on this?

Can you share the JWT and the associated policy?

Yep - shared in PM…

Deleting the API has no effect on the JWT/internal token used - you would need to delete the token itself to effect any change.

However, that token expired on 1499928999 (07/13/2017 @ 6:56am (UTC)) and it was giving the expired message before then?

Well, that key now says it’s not authorized. I just generated a new one (in your PM) which also says “Key has expired, please renew”.

I realize I didn’t specifically answer your question: Yes, even immediately after generating a token (with a 1 hour exp time from the time it’s generated), it says it’s expired.

Hmmm, it may be the underlying key that was generated for this user, if you use a different user to generate a JWK, do you still get this?

Yes, I do think this is the case (the underlying key is “stuck”). If I use a different user to generate a JWT it works fine. I still can’t generate a key for my test user (which is actually me!). How do I get it unstuck?

This could be a bit tricky - you need to find the internal token representation of the key.

This is:

OrgID+MD5(sub)

So your org ID plus the md5 of the sub claim in the JWT.

You should be able to lookup this key in the dashboard and then delete it.

The other option is to use the raw key operator where you can delete the hashed ID. I need to look that up though :-/

Ok, so you can delete the hashed key directly using:

curl -X DELETE \
  'http://gateway/:port/tyk/keys/hashed-key?hashed=true' 

You can find the hashed key in your analytics by key section.

This will delete the hashed representation of the token.
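Added example, not part of the original thread and not Tyk's own code: a small Python helper that reads the `sub` and `exp` claims from a JWT and builds the OrgID+MD5(sub) identifier described above, so you know which key to look up in the dashboard. The org ID and token are constructed samples, and joining the org ID to the hex MD5 digest is an assumption about the exact encoding.

```python
import base64
import hashlib
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def internal_key_id(org_id: str, token: str) -> str:
    """OrgID + MD5(sub) as given in the thread (hex digest is an assumption)."""
    sub = jwt_claims(token).get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("JWT has no usable 'sub' claim")
    return org_id + hashlib.md5(sub.encode("utf-8")).hexdigest()


def jwt_expired(token: str, now=None) -> bool:
    """True if the JWT's own exp claim has passed; says nothing about the stored key."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return False
    return (time.time() if now is None else now) >= exp


# Constructed sample values: placeholder org ID, unsigned token, exp taken from the thread.
SAMPLE_ORG_ID = "0123456789abcdef01234567"
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "test", "exp": 1499928999}).encode()),
    "signature-placeholder",
])

if __name__ == "__main__":
    print("internal key id:", internal_key_id(SAMPLE_ORG_ID, SAMPLE_JWT))
    print("JWT exp passed: ", jwt_expired(SAMPLE_JWT))
```

If the JWT's `exp` is still in the future and the gateway still answers "Key has expired, please renew", the expiry is coming from the stored key this identifier points to rather than from the token.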

Thanks Martin - sorry, I was pulled away from this with an emergency for a few days. Ok - so can you clarify the URL I need to use for Tyk cloud? (that’s where this is happening…)

The cloud URL is restricted to managing portal developer keys, it’s highly restricted so it won’t work via the dashboard. Are you using pure cloud or Hybrid?

I’m using hybrid - but the URL that I’ve been calling is the cloud one.

Right, so on the cloud we may be a bit stuck :slight_smile:

With JWTs all the work and storage is local for tokens so you can just call the endpoint on your hybrid gateway to remove the key.

Ok - I’ve tried deleting every variation of this hashed key I can think of on my local tyk (hybrid) instances. It always returns:

{"key":"xxxxxx","status":"ok","action":"deleted"}

But no matter what, I still keep getting the error:

"error": "Key has expired, please renew"

Out of desperation, I shut down all of our tyk servers, waited for them to all be completely down. I’m still getting the same error. Any other thoughts?

[Edit: I’m still a little unclear about why these local tyk instances are involved when I’m calling the tyk cloud endpoint though…]

This endpoint won’t help you if you are trying to access the cloud endpoint, only if you are running traffic via your hybrids.

Does the key work on your hybrid instance?

I don’t know - we’re not intending to use it there, we need it to work on the cloud instance. The internal instance isn’t exposed to where we’re testing from either in this case.

I guess, ultimately I’m looking for - how do we fix this?

I’ve responded to the ticket. We will need the hash of the key and then we will need to delete it for you.

Does the policy that is attached to this IDP have an expiry date set? If so, I’d recommend inserting it since the JWT varies its own expiry date.

Thanks - the key was provided in the ticket. I have it set to not expire in the policy, will that cause an issue? Do you mean - I should set an expiration under the “Trial period (Set key expiry on create)” section?

If I do that, and it expires - won’t we be back in the same boat again, where you have to delete the key for me before I can use a new one?

No, don’t set it, it might cause the underlying key to expire. Was just checking if this was the cause of the key getting stuck…