Incorrect 'peer_type' claim for OPAL jwt token: PeerType.client, expected: PeerType.datasource #197

hongbo-miao · 2021-12-15T03:10:07Z

hongbo-miao
Dec 15, 2021

I generated my opal-client's JWT token by using master token like

curl --location --request POST 'http://localhost:7002/token' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer IWjW0bYcTIfm6Y5JNjp4DdgopC6rYSxT4yrPbtLiTU0' \
--data-raw '{
  "type": "client",
  "claims": {
      "client_id": "hm-opal-client"
  }
}'

Today when I run

curl --location --request POST 'http://localhost:7002/data/config' \
--header 'secret-key: $2b$10$7.4T5xO.vcx2Z2J0KUDurOLidECKrlYEhJCDvPprTuKIZhjLHwGYW' \
--header 'Authorization: Bearer xxx' \
--header 'Content-Type: application/json' \
--data-raw '{
    "entries": [
        {
            "url": "postgresql://[email protected]:40072/opa_db",
            "config": {
                "fetcher": "PostgresFetchProvider",
                "query": "select role, allow from roles;",
                "connection_params": {
                    "password": "passw0rd"
                },
                "dict_key": "role"
            },
            "topics": [
                "policy_data"
            ],
            "dst_path": "roles"
        }
    ],
    "reason": "update roles"
}'

I got error

{
    "detail": {
        "error": "Incorrect 'peer_type' claim for OPAL jwt token: PeerType.client, expected: PeerType.datasource"
    }
}

Any idea? Thanks!

Answered by orweis

Dec 15, 2021

Hi Hongbo - OPAL supports multiple types of JWT tokens for clients -
one allowing to subscribe to topics, and another for data-sources publishing events (which is the type of token you require here).

Check out the guide here
You'll see the token creation request requires the additional type flag to be set to datasource

curl --request POST 'https://opal.yourdomain.com/token' \
--header 'Authorization: Bearer MY_MASTER_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
  "type": "datasource",
}'

or as CLI command:
opal-client obtain-token MY_MASTER_TOKEN --uri=https://opal.yourdomain.com --type datasource

This is an important security measure, so you can make sure not every…

View full answer

orweis · 2021-12-15T09:23:02Z

orweis
Dec 15, 2021
Maintainer

Hi Hongbo - OPAL supports multiple types of JWT tokens for clients -
one allowing to subscribe to topics, and another for data-sources publishing events (which is the type of token you require here).

Check out the guide here
You'll see the token creation request requires the additional type flag to be set to datasource

curl --request POST 'https://opal.yourdomain.com/token' \
--header 'Authorization: Bearer MY_MASTER_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
  "type": "datasource",
}'

or as CLI command:
opal-client obtain-token MY_MASTER_TOKEN --uri=https://opal.yourdomain.com --type datasource

This is an important security measure, so you can make sure not everyone connected to the OPAL Pub/Sub network can send updates, but only those who are designed to.

1 reply

hongbo-miao Dec 15, 2021
Author

Thanks @orweis ! Oh, before "type": "client" works, now it is "type": "datasource"!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Incorrect 'peer_type' claim for OPAL jwt token: PeerType.client, expected: PeerType.datasource #197

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Incorrect 'peer_type' claim for OPAL jwt token: PeerType.client, expected: PeerType.datasource #197

hongbo-miao Dec 15, 2021

Replies: 1 comment · 1 reply

orweis Dec 15, 2021 Maintainer

hongbo-miao Dec 15, 2021 Author

hongbo-miao
Dec 15, 2021

Replies: 1 comment 1 reply

orweis
Dec 15, 2021
Maintainer

hongbo-miao Dec 15, 2021
Author