Axon Server v2023.1 standalone access control broken?

We were using Axon Server v4.8 with access control and after upgrading to v2023.1 the applications cannot connect anymore.

I reproduced this using local Docker containers:

Create a fresh and empty Axon Server without access control:

$ rm -rf $(pwd)/vol
$ mkdir -p $(pwd)/vol/data $(pwd)/vol/events $(pwd)/vol/plugins

$ docker run --rm \
--name axonserver \
--hostname axonserver \
-e AXONIQ_AXONSERVER_STANDALONE=true \
-p 8024:8024 -p 8124:8124 \
-v $(pwd)/vol/data/:/axonserver/data \
-v $(pwd)/vol/events:/axonserver/events \
-v $(pwd)/vol/plugins:/axonserver/plugins \
axoniq/axonserver:2023.1.2-jdk-17-dev-nonroot

Connecting using CLI works:

$ ./axonserver-cli-2023.1.1.jar contexts
Name                 Leader               Replication Group    Members
_admin               axonserver           _admin               axonserver[PRIMARY]
default              axonserver           default              axonserver[PRIMARY]

Activate access control:

$ docker run --rm \
--name axonserver \
--hostname axonserver \
-e AXONIQ_AXONSERVER_STANDALONE=true \
-e AXONIQ_AXONSERVER_ACCESSCONTROL_ENABLED=true \
-e AXONIQ_AXONSERVER_ACCESSCONTROL_TOKEN=secret \
-e AXONIQ_AXONSERVER_ACCESSCONTROL_ADMINTOKEN=secret \
-p 8024:8024 -p 8124:8124 \
-v $(pwd)/vol/data/:/axonserver/data \
-v $(pwd)/vol/events:/axonserver/events \
-v $(pwd)/vol/plugins:/axonserver/plugins \
axoniq/axonserver:2023.1.2-jdk-17-dev-nonroot

Using the CLI with the above admin token produces an ‘Invalid token’ error:

$ ./axonserver-cli-2023.1.1.jar contexts --access-token secret
Error processing command 'contexts' on 'http://localhost:8024/v1/public/context': HTTP/1.1 403  - Invalid token

If using the token from security/.token from inside the docker container, CLI connection works:

$ docker exec axonserver cat security/.token
73dc39a7-85f3-4e3a-885f-93f0dedacc5a

$ ./axonserver-cli-2023.1.1.jar contexts --access-token 73dc39a7-85f3-4e3a-885f-93f0dedacc5a
Name                 Leader               Replication Group    Members
_admin               axonserver           _admin               axonserver[PRIMARY]
default              axonserver           default              axonserver[PRIMARY]

Is this a bug? Or is the documentation wrong?

Klaus

Hi Klaus,
actually this is an issue in the documentation.
Starting from version 2023.1, the tokens in the properties are not used anymore.
The tokens should be defined by adding applications.

We will update the documentation as soon as possible.
Thank you,

Sara

Hi Sara
thanks for replying.
In the meantime I found out by trial and error :)

Seems that even for a standalone (SE) server I have to register an application.
But it is quite tricky, as my Axon Server has been upgraded from v4.8 and then the server looked fine so far. There were also app registrations (I think named “Admin Application” + “User Application”) after the upgrade, but the apps could not connect using the previous tokens.

I worked around this by deleting all apps in Axon Server and re-registering 1 app with the old token. Then the apps could connect again.

Proper documentation of the upgrade/migration steps needed for SE users would be very helpful.

Klaus

@saratry I think the documentation needs much more love since the new Axon Server plans were launched.

It doesn’t explain the upgrade procedure for going from the 4.x series to 2023/2024.x. In particular, it’s not clear what happens when upgrading the SE version. I just did such an upgrade and had to go through various issues:

  1. The Developer plan (successor to SE) cannot have more than one API Application, so the system scheduler job which is trying to create Admin Application + User Application on the upgraded instance is essentially stuck. You have to delete the scheduler and create just one API Application.
  2. Multiple users are no longer supported in the Developer and Starter plans, so before you can connect to the Axon Server UI you have to delete all the users except one via CLI.
  3. The documentation mentions that various CLI commands, like register-application for example, are available only for Enterprise Edition, but that is no longer true. Most of the functionality is actually available, though with the limitations mentioned above.