Rest API - Invalid key supplied
Code of Conduct
- [x] I agree to follow this project's Code of Conduct
Is there an existing issue for this?
- [x] I have searched the existing issues
Version
11.0.0-beta4
Bug description
Server gives 500 (Internal Server Error) after trying to attempt an authentication via API using both of the methods (by authorization code or by password)
Relevant log output
glpi.ERROR: *** Caught LogicException: Invalid key supplied
Backtrace :
./vendor/league/oauth2-server/src/CryptKey.php:72
.../league/oauth2-server/src/ResourceServer.php:31 League\OAuth2\Server\CryptKey->__construct()
./src/Glpi/OAuth/Server.php:100 League\OAuth2\Server\ResourceServer->__construct()
./src/Glpi/OAuth/Server.php:137 Glpi\OAuth\Server->__construct()
./src/Glpi/OAuth/Server.php:144 Glpi\OAuth\Server::getInstance()
...c/Glpi/Api/HL/Controller/CoreController.php:454 Glpi\OAuth\Server::getAuthorizationServer()
: Glpi\Api\HL\Controller\CoreController->token()
./src/Glpi/Api/HL/RoutePath.php:476 ReflectionMethod->invoke()
./src/Glpi/Api/HL/Router.php:678 Glpi\Api\HL\RoutePath->invoke()
./src/Glpi/Controller/ApiController.php:96 Glpi\Api\HL\Router->handleRequest()
./vendor/symfony/http-kernel/HttpKernel.php:181 Glpi\Controller\ApiController->__invoke()
./vendor/symfony/http-kernel/HttpKernel.php:76 Symfony\Component\HttpKernel\HttpKernel->handleRaw()
./vendor/symfony/http-kernel/Kernel.php:197 Symfony\Component\HttpKernel\HttpKernel->handle()
./public/index.php:56 Symfony\Component\HttpKernel\Kernel->handle()
Page URL
http://glpiurl.com/api.php/authorize
Steps To reproduce
- Call REST API through any API platform or via /api.php/v2/doc
- Error 500 is given
Your GLPI setup information
GLPI information
GLPI: 11.0.0-dev ( => /usr/share/glpi11) Installation mode: TARBALL Current language: en_US
Server
Operating system: Linux MYHOST 5.14.0-427.40.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Oct 16 07:08:17 EDT 2024 x86_64
PHP: 8.3.13 fpm-fcgi
PHP extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, random, Reflection, SPL, session, standard, sockets, cgi-fcgi, bcmath, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, imap, intl, ldap, exif, mysqlnd, PDO, Phar, SimpleXML, soap, sodium, sqlite3, tokenizer, xml, xmlwriter, xsl, mysqli, pdo_mysql, pdo_sqlite, xmlreader, xmlrpc, zip, apcu, selinux, Zend OPcache
Setup: max_execution_time="30" memory_limit="128M" post_max_size="20M" safe_mode="" session.save_handler="files" upload_max_filesize="20M" disable_functions=""
Web server: Apache/2.4.57 (AlmaLinux) OpenSSL/3.0.7 ()
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0
Database:
Server Software: Percona Server (GPL), Release 30, Revision 41ebc5d9
Server Version: 8.0.39-30
Server SQL Mode: STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION
Parameters: [email protected]/glpi11
Host info: 127.0.0.1 via TCP/IP
Requirements: PHP version (8.3.13) is supported. OS and PHP are relying on 64 bits integers. Sessions configuration is OK. Allocated memory is sufficient. Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter. mysqli extension is installed. curl extension is installed. gd extension is installed. intl extension is installed. mbstring extension is installed. zlib extension is installed. bcmath extension is installed. The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present. openssl extension is installed. Database engine version (8.0.39) is supported. No files from previous GLPI version detected. The log file has been created successfully. Write access to /var/lib/glpi11/files/_cache has been validated. Write access to /var/lib/glpi11/files/_cron has been validated. Write access to /var/lib/glpi11/files has been validated. Write access to /var/lib/glpi11/files/_graphs has been validated. Write access to /var/lib/glpi11/files/_lock has been validated. Write access to /var/lib/glpi11/files/_pictures has been validated. Write access to /var/lib/glpi11/files/_plugins has been validated. Write access to /var/lib/glpi11/files/_rss has been validated. Write access to /var/lib/glpi11/files/_sessions has been validated. Write access to /var/lib/glpi11/files/_tmp has been validated. Write access to /var/lib/glpi11/files/_uploads has been validated. For security reasons, SELinux mode should be Enforcing.
Sessions configuration is secured. exif extension is installed. ldap extension is installed. openssl extension is installed. Following extensions are installed: bz2, Phar, zip. Zend OPcache extension is installed. Following extensions are installed: ctype, iconv, sodium. Write access to /usr/share/glpi11/marketplace has been validated. Timezones seems loaded in database.
GLPI constants
GLPI_ROOT: "/usr/share/glpi11" GLPI_VERSION: "11.0.0-dev" GLPI_SCHEMA_VERSION: "11.0.0-dev@3e09895a6dd676834c637533b49623b5b20aaac2" GLPI_FILES_VERSION: "11.0.0-dev-155ba6de" GLPI_MIN_PHP: "8.2" GLPI_MAX_PHP: "8.4" GLPI_YEAR: "2025" GLPI_I18N_DIR: "/usr/share/glpi11/locales" GLPI_CONFIG_DIR: "/etc/glpi11" GLPI_MARKETPLACE_ALLOW_OVERRIDE: false GLPI_VAR_DIR: "/var/lib/glpi11/files" GLPI_LOG_DIR: "/var/log/glpi11" GLPI_SYSTEM_CRON: true GLPI_ENVIRONMENT_TYPE: "production" GLPI_MARKETPLACE_DIR: "/usr/share/glpi11/marketplace" GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false GLPI_SERVERSIDE_URL_ALLOWLIST: ["#^http://[^@:]+(:80)?(/.)?$#","#^https://[^@:]+(:443)?(/.)?$#","#^feed://[^@:]+(/.)?$#"] GLPI_DISALLOWED_UPLOADS_PATTERN: "/\.(php\d|phar)$/i" GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org" GLPI_INSTALL_MODE: "TARBALL" GLPI_NETWORK_MAIL: "[email protected]" GLPI_NETWORK_SERVICES: "https://services.glpi-network.com" GLPI_MARKETPLACE_ENABLE: 3 GLPI_MARKETPLACE_PRERELEASES: true GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true GLPI_USER_AGENT_EXTRA_COMMENTS: "" GLPI_DOCUMENTATION_ROOT_URL: "https://links.glpi-project.org" GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1" GLPI_LOG_LVL: "warning" GLPI_SKIP_UPDATES: false GLPI_STRICT_ENV: false GLPI_AJAX_DASHBOARD: "1" GLPI_CALDAV_IMPORT_STATE: 0 GLPI_CENTRAL_WARNINGS: "1" GLPI_TEXT_MAXSIZE: "4000" GLPI_WEBHOOK_ALLOW_RESPONSE_SAVING: "0" GLPI_DOC_DIR: "/var/lib/glpi11/files" GLPI_CACHE_DIR: "/var/lib/glpi11/files/_cache" GLPI_CRON_DIR: "/var/lib/glpi11/files/_cron" GLPI_GRAPH_DIR: "/var/lib/glpi11/files/_graphs" GLPI_LOCAL_I18N_DIR: "/var/lib/glpi11/files/_locales" GLPI_LOCK_DIR: "/var/lib/glpi11/files/_lock" GLPI_PICTURE_DIR: "/var/lib/glpi11/files/_pictures" GLPI_PLUGIN_DOC_DIR: "/var/lib/glpi11/files/_plugins" GLPI_RSS_DIR: "/var/lib/glpi11/files/_rss" GLPI_SESSION_DIR: "/var/lib/glpi11/files/_sessions" GLPI_TMP_DIR: "/var/lib/glpi11/files/_tmp" GLPI_UPLOAD_DIR: "/var/lib/glpi11/files/_uploads" GLPI_INVENTORY_DIR: 
"/var/lib/glpi11/files/_inventories" GLPI_THEMES_DIR: "/var/lib/glpi11/files/_themes" GLPI_PLUGINS_DIRECTORIES: ["/usr/share/glpi11/marketplace","/usr/share/glpi11/plugins"] GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/" GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
Anything else?
Not a fresh install (upgraded from a glpi 10 > glpi11-beta3 > glpi11-beta4). Also tested in beta 1 and 3 and it still gives the same error. Legacy API disabled.
Did the OAuth key files get generated during the update? Should be an "oauth.pem" and "oauth.pub" in GLPI's config directory. Both files need to be readable by the web server.
@cconard96 Unfortunately there are no "oauth.pem" / "oauth.pub" files in the GLPI config directory. Also, there are no logs about oauth in the migration logs.
Are you looking in your custom defined config location "/etc/glpi11"?
Yes @cconard96, but there are no oauth files.
Don't know if this will help, but when I do a fresh install of the GLPI 11 beta (any of them), oauth.pem + oauth.pub are created, but when I update from an earlier version (10 to 11 or 11 beta x to 11 beta y), oauth.pem and oauth.pub are not created.
I made some tests using the automatic install and update tests and cannot recreate that issue. For new installs and updates the keys are always generated.
I did not reproduce while testing on local instances. This may be due to a FS rights issue; see #19879. This should be fixed (or an explicit error message displayed) with beta6.
I have the same issue: no keys get generated on Windows, despite the user having RW on all the subdirectories. I don't find anything related to this in the documentation and no command to regenerate the keys either. How can I try to regenerate those to debug the issue?
In my migration from 10 to 11 those files also didn't get created.
I also ask if there's any way to recreate them.
Now that we have the instance in production, reinstall is not an option :-)
Thanks
I reviewed the code and I am pretty sure that when these files are not generated, an exception is thrown and probably an error message is shown during the update. Could you check your php-errors.log file to see if you have the trace of the error?
Also, we should provide a way to regenerate the OAuth server key files, in case they are lost, but also to be able to regenerate new keys if the existing ones are compromised.
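One way to run the check the maintainers ask for in this thread (do `oauth.pem` and `oauth.pub` exist in the config directory, are they readable, and do they form a valid pair), as an added example that is not GLPI's own code and not part of the thread. It assumes the `openssl` CLI is installed; the function name `check_oauth_keys` and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example, not GLPI code. File names oauth.pem / oauth.pub are from the
# thread; check_oauth_keys and its return codes are hypothetical.
# Usage: check_oauth_keys /path/to/glpi/config   (the reporter's: /etc/glpi11)
# Returns 0 ok, 1 missing file, 2 unreadable file, 3 private key unparsable,
#         4 public key does not match, 5 private key world-readable.
check_oauth_keys() {
    dir=$1
    priv="$dir/oauth.pem"
    pub="$dir/oauth.pub"

    for f in "$priv" "$pub"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        [ -r "$f" ] || { echo "not readable by $(id -un): $f" >&2; return 2; }
    done

    # Derive the public half from the private key. This fails when the file
    # is empty, truncated, passphrase-protected, or not a key at all.
    derived=$(openssl pkey -in "$priv" -passin pass: -pubout 2>/dev/null) || {
        echo "private key does not parse: $priv" >&2; return 3; }

    # Re-encode the stored public key the same way, then compare the two.
    stored=$(openssl pkey -pubin -in "$pub" -pubout 2>/dev/null) || stored=
    [ "$derived" = "$stored" ] || {
        echo "oauth.pub does not match oauth.pem" >&2; return 4; }

    # The private key signs tokens, so only the server account should read it.
    if [ -n "$(find "$priv" -perm -004 2>/dev/null)" ]; then
        echo "private key is world-readable: $priv" >&2; return 5
    fi
    echo "ok: key pair in $dir is present, readable and consistent"
    return 0
}
```

Run it as the account PHP runs under, because the readability test applies to the calling user and root passes it regardless.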