FlowclientConnectionError: User claims verification failed

[nkan-qb]

Description
Getting FlowclientConnectionError although I have followed the setup instructions and generated a token.

Where the error occurs
When trying to run the worked example at run_query:

fc.run_query(
        connection=conn,
        query_spec=fc.aggregates.spatial_aggregate_spec(
            locations=query_spec
        ),  # Wrap the query spec in a spatial aggregate query, so that we are allowed to get the result
    )
    for period, query_spec in home_locations_specs.items()

the error is produced. It is a {401 or 403} error.

Version
flowclient 1.17.1

Steps
I have run the docker environments and logged into FlowAuth. It also allowed me to generate my token, which works when doing other flowclient functions (e.g. fc.connect and fc.get_available_dates). But I get the FlowclientConnectionError for fc.run_query

Error message

---------------------------------------------------------------------------
FlowclientConnectionError                 Traceback (most recent call last)
Input In [51], in <cell line: 3>()
      1 # Run spatial aggregates of the home locations queries
----> 3 home_locations_ids = {
      4     period: fc.run_query(
      5         connection=conn,
      6         query_spec=fc.aggregates.spatial_aggregate_spec(
      7             locations=query_spec
      8         ),  # Wrap the query spec in a spatial aggregate query, so that we are allowed to get the result
      9     )
     10     for period, query_spec in home_locations_specs.items()  # Loop over the three query specifications and run them all
     11 }
     13 home_locations_ids

Input In [51], in <dictcomp>(.0)
      1 # Run spatial aggregates of the home locations queries
      3 home_locations_ids = {
----> 4     period: fc.run_query(
      5         connection=conn,
      6         query_spec=fc.aggregates.spatial_aggregate_spec(
      7             locations=query_spec
      8         ),  # Wrap the query spec in a spatial aggregate query, so that we are allowed to get the result
      9     )
     10     for period, query_spec in home_locations_specs.items()  # Loop over the three query specifications and run them all
     11 }
     13 home_locations_ids

File /opt/conda/lib/python3.10/site-packages/flowclient/client.py:523, in run_query(connection, query_spec)
    505 """
    506 Run a query of a specified kind with parameters and get the identifier for it.
    507 
   (...)
    518     Identifier of the query
    519 """
    520 logger.info(
    521     f"Requesting run of {query_spec} at {connection.url}/api/{connection.api_version}"
    522 )
--> 523 r = connection.post_json(route="run", data=query_spec)
    524 if r.status_code == 202:
    525     query_id = r.headers["Location"].split("/").pop()

File /opt/conda/lib/python3.10/site-packages/flowclient/connection.py:192, in Connection.post_json(self, route, data)
    190     except ValueError:
    191         error_msg = "Unknown access denied error"
--> 192     raise FlowclientConnectionError(error_msg)
    193 else:
    194     print("******************")

FlowclientConnectionError: User claims verification failed

[Thingus]

Hi Nkan
Can you tell us more about the version of FlowAuth you're using? We recently updated the token format inside both Flowmachine and FlowAuth.

[nkan-qb]

Hi, I did a git clone FlowKit from the Flowminder repository, so FlowAuth is from here as well.

[Thingus]

OK - can you paste the token into https://jwt.io and share the claims section?

[nkan-qb]

I pasted the token but it says "invalid signature".

[Thingus]

In that case, can you post a screenshot of the page that generates the token? Something like this one?

[anhdangqb]

I have the same issue as above, @Thingus.

Version

• flowclient.__version__ = '1.17.1+931.ga6a18230f'
• Check the Docker: flowauth is of version 1.17.1+931.ga6a18230f
• Python: 3.8

Token

• Token paste into https://jwt.io
  

The page that generates the token

Step-by-step (to reproduce the bug)

1. From the blank even python 3.8
2. bash <(curl -s https://raw.githubusercontent.com/Flowminder/FlowKit/master/quick_start.sh) examples smaller_data
3. Generate FlowAPI access tokens using FlowAuth with user TEST_USER and password DUMMY_PASSWORD at http://localhost:9091/ (generate the account with roles of view and run)
4. Interactive worked examples at http://localhost:8888/ (run the cell-towers-per-region.ipynb)

[Thingus]

Ah, the quickstart is out of date - in the first instance, please try editing the runner role to also have the admin3 scope checked - if you login as TEST_ADMIN the interface to edit roles should become available. If admin3 is not availalbe, I'm writing up a longer procedure right now.

[Thingus]

There's a few extra steps that now need to happen with the new permissions system, which is populating the flowkit instance with scopes from your flowmachine and creating a role to access the example cell-towers-per-region query. I'll close this issue once this is incorporated into the quickstart but in the meantime please try the following procedure;

• open http://localhost:9090/api/0/spec/openapi.json and save
• Log into Flowauth as TEST_ADMIN (should be same pass)
• Servers -> edit TEST_SERVER
• Upload API spec and then select the openapi.json you saved earlier
• Save
• Roles -> create new role
• Give the role a name, some users (I'd recommend both TEST_ADMIN and TEST_USER for the quickstart) and the get_available_dates,run, get_result and admin3 scopes.
• TEST_SERVER (under my servers on the left hand side) and click the + (for a new token)
• Give the token your new role, save
  Then (finally!) drop that token into the worked example.

[Thingus]

Alternatively, you can try cloning a clean install from the 1.17.1 release point and running quick_start.sh - that should still work. I should get the quickstart sorted in the next couple of days, so that should be in place if you're happy to wait.

[anhdangqb]

It works for me, thank @Thingus very very much
I put here for anyone with similar issue:

1. Go to localhost:9091 > Admin Mode (TEST_ADMIN, DUMMY_PASSWORD)
2. Edit the roles/runner (rather than create new role) > I tick all the boxes there
3. Back to localhost:9091 > TEST_USER mode > Create new token with roles of runner + viewer
4. Paste the token to the notebook

[nkan-qb]

@Thingus @anhdangqb It works for me now too thanks a lot!!