Mike - Hi, we're getting this error when creati...
Hi, we're getting this error when creating a user token with ABAC
Failed to generate JWT Token: The requested token exceeds the prescribed limit
I have a couple of questions related to this:
1. We are creating a token using the beta endpoint /api/rest/2.0/auth/token/full. If we migrate to the /api/rest/2.0/auth/token/custom endpoint, will there still be a character limit?
2. Can we increase this character limit for our environment? (We're hitting this limit because one of our ABAC columns contains a lot of values - we're unable to change this requirement)
3. Is there another way to solve this?
Thanks!
Migrate ABAC BETA implementation to custom token API
Steps for migrating your implementation to use custom token API workflow
6 Replies
Yes we have identified some flags that can help you with this. The support team should contact you with the next steps
The following command eliminates any limit on tokens being generated. This applies to both BETA and GA endpoints:
tscli --adv service add-javaopt tomcat.tomcat D orion.jwtMinifiedCriteria COMPLETE
Raise a support case to run the above command on the cluster.
Transitioning from BETA to GA Endpoints
When moving from the BETA endpoint (/api/rest/2.0/auth/token/full) to the GA endpoint (/api/rest/2.0/auth/token/custom), keep the following points in mind:
1. Feature Flag Dependency:
Rules set using the GA endpoint will only take effect when the mandatoryTokenFeatureFilterEnabled flag is set to TRUE.
2. Rules from BETA Still Active:
Until the mandatoryTokenFeatureFilterEnabled flag is enabled, rules set through BETA endpoints will continue to be honored.
3. Rule Transition:
Before enabling the mandatoryTokenFeatureFilterEnabled feature, ensure all rules configured via the BETA endpoint are reconfigured through the GA endpoint.
• Note: You can set rules via the GA endpoint even if the mandatoryTokenFeatureFilterEnabled flag is not enabled. This facilitates a smooth transition.
4. Enable Feature Flag:
After migrating the rules from BETA to GA, submit a support case to request that the mandatoryTokenFeatureFilterEnabled flag be turned ON.
Note: Specify the object type as LOGICAL_TABLE. The LIVEBOARD and ANSWER object types are not supported.
If you experience any issues, let us know and we can help out.
Hi Sandeep, can we enable both BETA and GA on our cluster whilst we do the migration? Thanks
Hi @Mike:
You can use the /api/rest/2.0/auth/token/custom endpoint to set user parameters without enabling the GA feature. Once you’re confident that all rules are properly configured using the GA endpoint, you should submit a support request to enable the mandatoryTokenFeatureFilterEnabled (GA) flag.
If you need to check the token filters at any point, you can do so through the GA and BETA endpoints. Please refer to user_parameters (BETA) and access_control_properties (GA) via the /api/rest/2.0/users/search endpoint.
Let us know if you need further assistance!
Hi Sandeep, thanks for your reply. So just to confirm, with a configuration like this:
jwTokenFeatureEnabled = true
mandatoryTokenFilterFeatureEnabled = false
We can use either the /api/rest/2.0/auth/token/full or /api/rest/2.0/auth/token/custom endpoints (whilst changing the token filter properties) to generate valid tokens?
That will allow us to release a change and move over to the custom endpoint before we then update the configuration above?
Yes, that's right. The filters set via /api/rest/2.0/auth/token/custom will have no effect until the mandatoryTokenFilterFeatureEnabled is enabled.