Using auth-basic, log files are spammed with 'core access token not set'

Open instantdreams opened this issue 2 months ago • 7 comments

Describe the bug

I am testing an implementation of opencloud using the built in auth-basic provider, and my log files are filled with the error message 'core access token not set'.

Steps to reproduce

  1. Set up container environment variables
  2. Start container
  3. Use opencloud
  4. Review logs and find repeating error message

Expected behavior

I have reviewed the Auth-Basic and configured my instance appropriately (I think!) so I would not expect this message to appear.

Actual behavior

Here's my log file showing the occurrence over time:

opencloud  | 
opencloud  | =========================================
opencloud  |  generated OpenCloud Config
opencloud  | =========================================
opencloud  |  configpath : /etc/opencloud/opencloud.yaml
opencloud  |  user       : admin
opencloud  |  password   : [redacted]
opencloud  | 
opencloud  | {"level":"warn","service":"storage-system","host.name":"opencloud","pkg":"rhttp","time":"2025-09-30T15:45:08Z","message":"missing or incomplete nats configuration. Events will not be published."}
opencloud  | {"level":"warn","service":"ocm","host.name":"opencloud","pkg":"rhttp","time":"2025-09-30T15:45:08Z","message":"missing or incomplete nats configuration. Events will not be published."}
opencloud  | {"level":"warn","service":"proxy","time":"2025-09-30T15:45:08Z","message":"basic auth enabled, use only for testing or development"}
opencloud  | {"level":"warn","service":"ocm","host.name":"opencloud","pkg":"rhttp","traceid":"922d5c28f1fe58e449f34c46e5107bdb","time":"2025-09-30T15:45:08Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"ocm","host.name":"opencloud","pkg":"rhttp","traceid":"922d5c28f1fe58e449f34c46e5107bdb","host":"127.0.0.1","method":"GET","uri":"/","url":"/","proto":"HTTP/1.1","status":404,"size":19,"start":"30/Sep/2025:15:45:08 +0000","end":"30/Sep/2025:15:45:08 +0000","time_ns":957908,"time":"2025-09-30T15:45:08Z","message":"http"}
opencloud  | {"level":"warn","service":"ocm","host.name":"opencloud","pkg":"rhttp","traceid":"ba3cbac4eee9a49e869350482003c31d","time":"2025-09-30T15:45:08Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"ocm","host.name":"opencloud","pkg":"rhttp","traceid":"ba3cbac4eee9a49e869350482003c31d","host":"127.0.0.1","method":"GET","uri":"/","url":"/","proto":"HTTP/1.1","status":404,"size":19,"start":"30/Sep/2025:15:45:08 +0000","end":"30/Sep/2025:15:45:08 +0000","time_ns":353565,"time":"2025-09-30T15:45:08Z","message":"http"}
opencloud  | {"level":"warn","service":"idp","kid":"private-key","path":"/var/lib/opencloud/idp/private-key.pem","time":"2025-09-30T15:45:09Z","message":"skipped as signer with same kid already loaded"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"006ac7f996ac75743e303e591b782c1b","time":"2025-09-30T15:45:09Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"006ac7f996ac75743e303e591b782c1b","host":"127.0.0.1","method":"GET","uri":"/","url":"/","proto":"HTTP/1.1","status":401,"size":0,"start":"30/Sep/2025:15:45:09 +0000","end":"30/Sep/2025:15:45:09 +0000","time_ns":26863,"time":"2025-09-30T15:45:09Z","message":"http"}
opencloud  | {"level":"warn","service":"graph","LDAP CACert":"/var/lib/opencloud/idm/ldap.crt","time":"2025-09-30T15:45:10Z","message":"CA cert file is not ready yet. Waiting 2 seconds for it to appear."}
opencloud  | {"level":"warn","service":"users","LDAP CACert":"/var/lib/opencloud/idm/ldap.crt","time":"2025-09-30T15:45:10Z","message":"CA cert file is not ready yet. Waiting 2 seconds for it to appear."}
opencloud  | {"level":"warn","service":"auth-basic","LDAP CACert":"/var/lib/opencloud/idm/ldap.crt","time":"2025-09-30T15:45:10Z","message":"CA cert file is not ready yet. Waiting 2 seconds for it to appear."}
opencloud  | {"level":"warn","service":"groups","LDAP CACert":"/var/lib/opencloud/idm/ldap.crt","time":"2025-09-30T15:45:10Z","message":"CA cert file is not ready yet. Waiting 2 seconds for it to appear."}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"ce6ac2cddccd958c7b3f8a3fab208dde","time":"2025-09-30T15:45:31Z","message":"core access token not set"}
opencloud  | {"level":"error","service":"proxy","error":"failed to verify access token: token signature is invalid: crypto/rsa: verification error","authenticator":"oidc","path":"/ocs/v1.php/cloud/capabilities","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0","client.address":"165.225.210.232","network.peer.address":"","network.peer.port":"","time":"2025-09-30T15:45:31Z","message":"failed to authenticate the request"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"525a2a43bb26d478b01de2de10970328","time":"2025-09-30T15:45:31Z","message":"core access token not set"}
opencloud  | {"level":"error","service":"proxy","error":"failed to verify access token: token signature is invalid: crypto/rsa: verification error","authenticator":"oidc","path":"/api/v0/settings/roles-list","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0","client.address":"165.225.210.232","network.peer.address":"","network.peer.port":"","time":"2025-09-30T15:45:31Z","message":"failed to authenticate the request"}
opencloud  | {"level":"error","service":"proxy","error":"failed to verify access token: token signature is invalid: crypto/rsa: verification error","authenticator":"oidc","path":"/graph/v1.0/me","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0","client.address":"165.225.210.232","network.peer.address":"","network.peer.port":"","time":"2025-09-30T15:45:31Z","message":"failed to authenticate the request"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"b168dbf8677a0a14cc0f89b639fc8ff7","time":"2025-09-30T15:45:36Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"9ab87fb65037e5049d6e29e34ea5da16","time":"2025-09-30T15:45:42Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"storage-system","host.name":"opencloud","pkg":"rhttp","traceid":"51b7ce0c52192e6c2b8f80ae4be63aae","host":"127.0.0.1","method":"GET","uri":"/data/spaces/f2bdd61a-da7c-49fc-8203-0558109d1b4f%21f2bdd61a-da7c-49fc-8203-0558109d1b4f/f6d01bbe-b35a-487a-83c3-945216d5ba18","url":"/f6d01bbe-b35a-487a-83c3-945216d5ba18","proto":"HTTP/1.1","status":404,"size":0,"start":"30/Sep/2025:15:45:43 +0000","end":"30/Sep/2025:15:45:43 +0000","time_ns":609444,"time":"2025-09-30T15:45:43Z","message":"http"}
opencloud  | {"level":"warn","service":"storage-system","host.name":"opencloud","pkg":"rhttp","traceid":"65cb476ced347618240f1001e63f750e","host":"127.0.0.1","method":"GET","uri":"/data/spaces/f2bdd61a-da7c-49fc-8203-0558109d1b4f%21f2bdd61a-da7c-49fc-8203-0558109d1b4f/b7a54244-0ffa-4418-b5a1-89694c8a4bba","url":"/b7a54244-0ffa-4418-b5a1-89694c8a4bba","proto":"HTTP/1.1","status":404,"size":0,"start":"30/Sep/2025:15:46:42 +0000","end":"30/Sep/2025:15:46:42 +0000","time_ns":523194,"time":"2025-09-30T15:46:42Z","message":"http"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"c3b9cc81fc92a11d12a8ff4e104087b4","time":"2025-09-30T15:46:45Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"2673e7ca2a2ea152b4b00121a61d5f12","time":"2025-09-30T15:46:52Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"storage-system","host.name":"opencloud","pkg":"rhttp","traceid":"76fc27028cb9a01e32711d264dd0bb6e","host":"127.0.0.1","method":"GET","uri":"/data/spaces/f2bdd61a-da7c-49fc-8203-0558109d1b4f%21f2bdd61a-da7c-49fc-8203-0558109d1b4f/b7a54244-0ffa-4418-b5a1-89694c8a4bba","url":"/b7a54244-0ffa-4418-b5a1-89694c8a4bba","proto":"HTTP/1.1","status":404,"size":0,"start":"30/Sep/2025:15:46:53 +0000","end":"30/Sep/2025:15:46:53 +0000","time_ns":373242,"time":"2025-09-30T15:46:53Z","message":"http"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"9bf920c9e84b42b9f01e920fec65f9f9","time":"2025-09-30T15:47:14Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"storage-users","host.name":"opencloud","pkg":"rhttp","traceid":"9b7f8e12b8c66ffc1445d49e91ce43a7","time":"2025-09-30T15:47:14Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"07964eb03a0dcac50440ca38fbe6d448","time":"2025-09-30T15:47:15Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"storage-users","host.name":"opencloud","pkg":"rhttp","traceid":"298e308d2324d8f9c2103590fd86f154","time":"2025-09-30T15:47:15Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"29abac360389bc818bebaaa9a85982f7","time":"2025-09-30T15:47:15Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"storage-users","host.name":"opencloud","pkg":"rhttp","traceid":"b1e7484a730dff60cf808c17fb4b0db6","time":"2025-09-30T15:47:15Z","message":"core access token not set"}

[many entries removed]

opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"4162967fc105a3ac54299e870e3a0a01","time":"2025-09-30T16:18:21Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"storage-users","host.name":"opencloud","pkg":"rhttp","traceid":"fa0dd44cce8c4566c88350a03917cba6","time":"2025-09-30T16:18:21Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"af849873a34ed391d0675e6d946b99b3","time":"2025-09-30T16:18:23Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"storage-users","host.name":"opencloud","pkg":"rhttp","traceid":"5f383dc562917b951ef4dd66ea33bc9c","time":"2025-09-30T16:18:23Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"frontend","host.name":"opencloud","pkg":"rhttp","traceid":"6b62149cd0e79b8e7fbbad89c3dd2c74","time":"2025-09-30T16:18:26Z","message":"core access token not set"}
opencloud  | {"level":"warn","service":"storage-users","host.name":"opencloud","pkg":"rhttp","traceid":"3bb2aa4a1a51c952bd0036a98156acb2","time":"2025-09-30T16:18:26Z","message":"core access token not set"}

Setup

Here are my environment variables:

# Container specifics
## global
IDM_CREATE_DEMO_USERS=false  # Flag to enable or disable the creation of the demo users
OC_DISABLE_VERSIONING=true  # When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version
OC_INSECURE=true  # Whether to verify the server TLS certificates
OC_LOG_COLOR=false  # Activates colorized log output
OC_LOG_LEVEL=warn  # Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'
OC_LOG_PRETTY=false  # Activates pretty log output
OC_PERSISTENT_STORE=nats-js-kv  # The type of the store
OC_PERSISTENT_STORE_NODES=localhost:9233  # A list of nodes to access the configured store
OC_URL=https://opencloud.example.com  # Base url to navigate back from the app to the containing folder in the file list
## nats
NATS_NATS_HOST=0.0.0.0  # Bind address
NATS_NATS_PORT=9233  # Bind port
## proxy
PROXY_HTTP_ADDR=0.0.0.0:9200  # The bind address of the HTTP service
PROXY_TLS=false  # Enable/Disable HTTPS for external HTTP services
PROXY_ENABLE_BASIC_AUTH=true  # Set this to true to enable 'basic authentication' (username/password)
## storage-users
STORAGE_USERS_DRIVER=posix  # The storage driver which should be used by the service
STORAGE_USERS_POSIX_PROPAGATOR=sync  # The propagator used for the posix driver
STORAGE_USERS_POSIX_PERSONAL_SPACE_ALIAS_TEMPLATE={{.SpaceType}}/{{.User.Username | lower}}
STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE=users/{{.User.Username | lower}}
STORAGE_USERS_POSIX_GENERAL_SPACE_ALIAS_TEMPLATE={{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}
STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE=projects/{{.SpaceName | replace " " "-" | lower}}
STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY=4s  # The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected
STORAGE_USERS_POSIX_USE_SPACE_GROUPS=false  # Use space groups to manage permissions on spaces
STORAGE_USERS_POSIX_WATCH_FS=false  # Enable the filesystem watcher to detect changes to the filesystem
STORAGE_USERS_POSIX_WATCH_TYPE=inotifywait  # Type of the watcher to use for getting notified about changes to the filesystem
## Very specific
MICRO_REGISTRY_ADDRESS=localhost:9233

Is there a setting I am missing to stop opencloud from checking for a core token? Is there a command to create a core token that will fix the issue?

Additional context

I am running traefik on a different server which points to this instance using opencloud.example.com and a wildcard certificate for *.example.com.

instantdreams avatar Sep 30 '25 16:09 instantdreams
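
A triage sketch for logs like the one in the report above, added here as an example (not code from OpenCloud or from anyone in this thread): it counts the 'core access token not set' warnings per service and keeps every other record, so the proxy's token verification errors stay visible. The sample lines, trace ids and the 203.0.113.7 address are constructed, and the function names are hypothetical.

```python
import json
from collections import Counter

NOISE = "core access token not set"  # the warning this issue reports as spam
# Constructed sample, shaped like the compose output in the report above.
SAMPLE = """\
opencloud  |  generated OpenCloud Config
opencloud  | {"level":"warn","service":"proxy","time":"2025-09-30T15:45:08Z","message":"basic auth enabled, use only for testing or development"}
opencloud  | {"level":"warn","service":"frontend","pkg":"rhttp","traceid":"constructed-1","time":"2025-09-30T15:45:31Z","message":"core access token not set"}
opencloud  | {"level":"error","service":"proxy","error":"failed to verify access token: token signature is invalid: crypto/rsa: verification error","authenticator":"oidc","path":"/graph/v1.0/me","client.address":"203.0.113.7","time":"2025-09-30T15:45:31Z","message":"failed to authenticate the request"}
opencloud  | {"level":"warn","service":"storage-users","pkg":"rhttp","traceid":"constructed-2","time":"2025-09-30T15:47:14Z","message":"core access token not set"}
opencloud  | {"level":"error","service":"proxy","error":"failed to verify access token: token signature is invalid: crypto/rsa: verification error","authenticator":"oidc","path":"/ocs/v1.php/cloud/capabilities","client.address":"203.0.113.7","time":"2025-09-30T15:45:31Z","message":"failed to authenticate the request"}
opencloud  | {"level":"warn","service":"frontend","pkg":"rhttp","traceid":"constructed-3","time":"2025-09-30T15:47:15Z","message":"core access token not set"}
"""

def parse(line):
    """Return the JSON record in one log line, or None for banners and blanks."""
    head, sep, tail = line.partition("|")
    # Strip the "opencloud  | " compose prefix; accept bare JSON lines as well.
    payload = (line if head.lstrip().startswith("{") or not sep else tail).strip()
    try:
        rec = json.loads(payload)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None

def triage(text):
    """Split records into per-service counts of the noise warning and the rest."""
    noise, kept = Counter(), []
    for rec in filter(None, map(parse, text.splitlines())):
        if rec.get("message") == NOISE:
            noise[rec.get("service", "unknown")] += 1
        else:
            kept.append(rec)
    return noise, kept

def auth_failures(records):
    """Count proxy authentication errors per (client address, error text)."""
    return Counter(
        (r.get("client.address", ""), r.get("error", ""))
        for r in records
        if r.get("service") == "proxy" and r.get("level") == "error"
        and r.get("message") == "failed to authenticate the request"
    )

if __name__ == "__main__":
    noise, kept = triage(SAMPLE)
    print("suppressed:", dict(noise), "| auth failures:", dict(auth_failures(kept)))
```

The counts of suppressed warnings are kept rather than discarded, so a change in their rate per service is still visible after filtering.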

I think the log message is a false positive.

I think we fixed parts of that. @rhafer new issue?

@instantdreams basic auth is for development only. If you need basic auth like flows in prod, use the app tokens.

micbar avatar Sep 30 '25 18:09 micbar

I'm comparing opencloud to ocis before I move to production, and it's hard when the logs are so full.

instantdreams avatar Sep 30 '25 18:09 instantdreams

ocis has no app tokens, a really helpful feature.

See https://docs.opencloud.eu/docs/user/admin/app-tokens

micbar avatar Sep 30 '25 18:09 micbar

I used the App Tokens documentation to create an app token for my admin and personal user accounts and tested them by logging in as both accounts and adding a file or two. The logs still show core access token not set for services frontend and storage-system.

How do I apply a core access token to these two services using environment variables or updating the opencloud.yaml file?

instantdreams avatar Sep 30 '25 20:09 instantdreams

@instantdreams The core access token is an internal thing. For you this is just „log spamming“. We need to check.

micbar avatar Oct 01 '25 05:10 micbar

> I think we fixed parts of that. @rhafer new issue?

Did we? I don't think we touched anything in the area recently. The message itself is coming from the http auth middleware in reva. And I tend to agree, it's spam and not even useful for debugging IMO. The http auth middleware in reva would benefit from a cleanup anyway. It supports quite some things we don't need anymore because they are already handled in the proxy.

rhafer avatar Oct 01 '25 08:10 rhafer

This log entry also gets spammed if you authenticate through OIDC.

jeffreyvangorkum avatar Oct 01 '25 13:10 jeffreyvangorkum