Forum Discussion
question of limitation and expiration for rest api token
- Apr 30, 2020
It is not obvious from the error message you provided; however, a usual error message you get from an authorization error (e.g., incorrect password) is "message": "Authentication failed." The issue may be a bit deeper than you may think. Try restarting the iControl REST framework daemon by running 'tmsh restart sys service restjavad'. If the issue still persists, I recommend that you file a service ticket with F5 support.
1) The maximum number of tokens per user is set to 100 since BIG-IP 13.1. The response JSON body to a token request indicates: "user foo has reached maximum active login tokens" (seems like the response body you pasted does not contain this message, so you may be hitting some other issues).
2) To find the active tokens on the box, call a GET request to /mgmt/shared/authz/tokens. Use admin user.
3) The lifespan of a token is 1200s (20 min) by default. You can change it by PATCHing the timeout property of the token, e.g., to change the lifetime of the token "AEDEM4TRWHGBET2TWOHM6ZBJKD" to 4200s:
curl -sk https://$HOST/mgmt/shared/authz/tokens/AEDEM4TRWHGBET2TWOHM6ZBJKD \
-X PATCH -H "Content-type: application/json" \
-H "X-F5-Auth-Token: AEDEM4TRWHGBET2TWOHM6ZBJKD" \
-d '{"timeout" : 4200}'
Note that the Authentication token is designed to be reused. If you are creating a token for each individual task, you may need to consolidate the tasks into one session and request just one token at the beginning of the session. If that's too tedious, you may want to make the timeout shorter.
4) You can delete the token by sending a DELETE method: e.g.,
curl -sku $PASS https://$HOST/mgmt/shared/authz/tokens/2PBX7ROP6H4GE6TQN4CUJVJYZG -X DELETE
Cheers
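The reuse-one-token approach from the answer above, as an added example that is not part of the original post and not F5 code. It takes the body returned by GET /mgmt/shared/authz/tokens and plans the PATCH and DELETE calls shown in the curl commands. The response field names ("items", "userName", "expirationMicros"), the function name and the sample tokens are assumptions constructed for illustration.

```python
import json

MAX_TOKENS_PER_USER = 100  # per-user limit quoted in the answer (BIG-IP 13.1+)
TOKENS_PATH = "/mgmt/shared/authz/tokens"

# Constructed sample of a GET /mgmt/shared/authz/tokens body (not real tokens).
# Field names "items", "userName" and "expirationMicros" are assumptions.
SAMPLE = {"items": [
    {"token": "EXAMPLETOKEN0000000000000A", "userName": "deploy", "expirationMicros": 1_588_240_900_000_000},
    {"token": "EXAMPLETOKEN0000000000000B", "userName": "deploy", "expirationMicros": 1_588_240_120_000_000},
    {"token": "EXAMPLETOKEN0000000000000C", "userName": "deploy", "expirationMicros": 1_588_239_000_000_000},
    {"token": "EXAMPLETOKEN0000000000000D", "userName": "admin", "expirationMicros": 1_588_241_000_000_000},
]}

def plan_token_cleanup(listing, user, now_micros, renew_window_s=300, new_timeout_s=4200):
    """Keep one live token for `user`, extend it if close to expiry, delete the rest."""
    live = [t for t in listing.get("items", [])
            if t["userName"] == user and t["expirationMicros"] > now_micros]
    live.sort(key=lambda t: t["expirationMicros"], reverse=True)
    plan = {"active": len(live), "headroom": MAX_TOKENS_PER_USER - len(live),
            "keep": None, "requests": []}
    if not live:
        return plan  # nothing to reuse: caller must request a fresh token
    keep, extras = live[0], live[1:]
    plan["keep"] = keep["token"]
    remaining_s = (keep["expirationMicros"] - now_micros) / 1_000_000
    if remaining_s <= renew_window_s:
        # Same call as the curl PATCH in the answer.
        plan["requests"].append(("PATCH", f"{TOKENS_PATH}/{keep['token']}",
                                 json.dumps({"timeout": new_timeout_s})))
    # Same call as the curl DELETE in the answer, once per surplus token.
    plan["requests"] += [("DELETE", f"{TOKENS_PATH}/{t['token']}", None) for t in extras]
    return plan

if __name__ == "__main__":
    now = 1_588_240_000_000_000  # constructed "current time" in microseconds
    for req in plan_token_cleanup(SAMPLE, "deploy", now)["requests"]:
        print(req)
```

The planner only builds (method, path, body) tuples; sending them with the X-F5-Auth-Token header is left to whatever HTTP client or Ansible task already drives the session.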
Hi Satoshi San,
thanks for the answer and details. If I remember right I tested the ability to extend the token's lifetime in the past and it didn't work as expected. I will check it again and reply in this thread.
I will add the deletion of the token to my Ansible tasks in case a token is about to expire.
(Especially in a device onboarding workflow a time of 20 minutes can be exceeded easily. That's why I re-run the tasks above at critical points.)
As I'm re-using the token continuously, there is little to no risk to exceed the per device limit. But for a clean deployment it makes sense to delete tokens in advance.
Thanks again & kind regards, Stephan