"Key has expired, please renew" Problem


#1

Hi Folks,

I’ve been running Tyk in development for quite some time (18 months), I haven’t seen this issue before. I see that there have been some reports about it on the forums from the last few years), but I think this is a new development due to an update in Tyk.

We have JWT files that expire in 24 hours. After 24 hours, we log in again to get a new JWT, but the error persists (Key has expired, please renew). My suspicion that this is a new problem is evidenced by the fact that I have a separate server that hasn’t been refreshed with the new Tyk container, and it does not exhibit this problem. I also suspect that this problem is only a week old - perhaps I missed an announcement, or I have an old config or something, but with no changes on our end, I suspect that this is related to a software update.

I’ve been looking around Redis to see what I can learn, and I can resolve this issue if I remove the keys that start with apikey-* (apikey-91496527 for example). Looking at the values, the expiration of these key appears to be correct, but they are not updating when the user logs in again after the 24 hours have expired. Once I remove the user’s record from Redis, the user gets access again - the same key is recreated and the expiration is updated in the value object.

To reiterate, here’s the sequence of events:

  • User logs in - Redis record is created -> User can access API’s
  • Wait 24 hours -> User can’t access API’s
  • User Logs in again, gets new JWT with new expiration - > User can’t access API’s
  • Delete the apikey-* from Redis -> User can access API’s (new record with same key is created).

Basically, Redis isn’t updating when a user logs in if the key already exists for that user.

Happy to provide more information, just let me know what you need.

Thanks.


#2

Can you clarify version you had before and where you upgraded to?

It feels like policy used to create this JWT keys has expiration, can it be the case?

Thank you!


#3

The policy had no expiration (-1). I always pull ‘latest’ from the Docker hub.

Again, nothing has changed on my end.

Thanks.


#4

If image ID’s help:

Works:

REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
tykio/tyk-gateway   latest              1223c8931f48        6 months ago        324MB

Problem Exists:

REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
tykio/tyk-gateway   latest              620379bd9231        10 days ago         359MB

#5

I’m going to downgrade to v2.7.7 and see how that fares. Will have more tomorrow.


#6

UPDATE: The downgrade has resolved the problem. So either v.2.8.0 introduced a bug, or what I have on my end for a config is in need of an upgrade.

Advice?

Thanks.