Axon Server v2023.1 standalone access control broken?

We were using Axon Server v4.8 with access control and after upgrading to v2023.1 the applications cannot connect anymore.

I reproduced this using local Docker containers:

Create a fresh and empty Axon Server without access control:

$ rm -rf $(pwd)/vol
$ mkdir -p $(pwd)/vol/data $(pwd)/vol/events $(pwd)/vol/plugins

$ docker run --rm \
--name axonserver \
--hostname axonserver \
-e AXONIQ_AXONSERVER_STANDALONE=true \
-p 8024:8024 -p 8124:8124 \
-v $(pwd)/vol/data/:/axonserver/data \
-v $(pwd)/vol/events:/axonserver/events \
-v $(pwd)/vol/plugins:/axonserver/plugins \
axoniq/axonserver:2023.1.2-jdk-17-dev-nonroot

Connecting using CLI works:

$ ./axonserver-cli-2023.1.1.jar contexts
Name                 Leader               Replication Group    Members
_admin               axonserver           _admin               axonserver[PRIMARY]
default              axonserver           default              axonserver[PRIMARY]

Activate access control:

$ docker run --rm \
--name axonserver \
--hostname axonserver \
-e AXONIQ_AXONSERVER_STANDALONE=true \
-e AXONIQ_AXONSERVER_ACCESSCONTROL_ENABLED=true \
-e AXONIQ_AXONSERVER_ACCESSCONTROL_TOKEN=secret \
-e AXONIQ_AXONSERVER_ACCESSCONTROL_ADMINTOKEN=secret \
-p 8024:8024 -p 8124:8124 \
-v $(pwd)/vol/data/:/axonserver/data \
-v $(pwd)/vol/events:/axonserver/events \
-v $(pwd)/vol/plugins:/axonserver/plugins \
axoniq/axonserver:2023.1.2-jdk-17-dev-nonroot

Using the CLI with the above admin token produces an ‘Invalid token’ error:

$ ./axonserver-cli-2023.1.1.jar contexts --access-token secret
Error processing command 'contexts' on 'http://localhost:8024/v1/public/context': HTTP/1.1 403  - Invalid token

When using the token from security/.token inside the Docker container, the CLI connection works:

$ docker exec axonserver cat security/.token
73dc39a7-85f3-4e3a-885f-93f0dedacc5a

$ ./axonserver-cli-2023.1.1.jar contexts --access-token 73dc39a7-85f3-4e3a-885f-93f0dedacc5a
Name                 Leader               Replication Group    Members
_admin               axonserver           _admin               axonserver[PRIMARY]
default              axonserver           default              axonserver[PRIMARY]

Is this a bug? Or is the documentation wrong?

Klaus

Hi Klaus,
Actually, this is an issue in the documentation.
Starting from version 2023.1, the tokens in the properties are not used anymore.
The tokens should be defined by adding applications.

We will update the documentation as soon as possible.
Thank you,

Sara

Hi Sara,
thanks for replying.
In the meantime I found out by trial and error :)

Seems that even for a standalone (SE) server I have to register an application.
But it is quite tricky, as my Axon Server has been upgraded from v4.8 and then the server looked fine so far. There were also app registrations (I think named “Admin Application” + “User Application”) after the upgrade, but the apps could not connect using the previous tokens.

I worked around this by deleting all apps in Axon Server and re-registering 1 app with the old token. Then the apps could connect again.

Proper documentation of the upgrade/migration steps needed for SE users would be very helpful.

Klaus