Missing Authorization errors in Optimize

Hi Camunda Team,
I am using Optimize version 3.7.2 and I have successfully configured it with ElasticSearch and Camunda Engine using docker images.
Yesterday I saw a strange behavior in Optimize,
I was able to log in to Optimize, I could see the dashboard I had created but when I opened the dashboard all the panels were showing message as “Missing Authorization” and there were no exceptions or errors in logs.
What I could see in Debug logs was as below but no errors or stacktrace

DEBUG o.c.o.r.s.AuthenticationCookieFilter - Authenticating null
DEBUG o.c.o.r.s.AuthenticationCookieFilter - No pre-authenticated principal found in request

When I restarted Optimize it started working fine.
I could not figure out the root cause of this issue but I think Optimize was somehow not able to connect to ElasticSearch. Strangely though, at the bottom of Optimize UI it was showing connection to ElasticSearch and Engine as green.
My initial hunch is, there might be some bug in Optimize where it is not able to renew Authentication/Authorization session with ElasticSearch.

@Helene FYI.

Hi @hrishi_joshi ,
When logging into Optimize you get an X-Optimize-Authorization cookie, it looks like this cookie was not provided when you were evaluating the reports on the dashboard. This could be because it had already expired at this point. Normally in this scenario, you should be redirected to the login page - why this didn’t happen here I can’t tell from those logs alone and I also failed to recreate the issue myself.
If it ever happens again feel free to create a support ticket so we can look into it further.

So, we tried to log out and log in again but it did not solve the issue.
I was again going through the logs and found some related logs

12:55:37.664 [qtp334593716-21] DEBUG o.c.o.r.s.SingleSignOnRequestFilter - Received new request.
12:55:37.667 [qtp334593716-21] DEBUG o.c.o.r.s.AuthenticationCookieFilter - Authenticating null
12:55:37.763 [qtp334593716-21] ERROR o.c.o.s.security.SessionService - Error while validating authentication token [eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6Ik9wdGltaXplLTMuNy4yIiwiaWF0IjoxNjU0NTE3NzEyLCJqdGkiOiIyN2M5NjgzNC0zNDFkLTQxYzEtOGU2NS1jZjdiOWRiNzdmZjkifQ.i5BbWE0siPPKb3xkXfe396aApJ2l0tL4TY1_ReQTsu4]. Invalid signature or claims!
com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256
	at com.auth0.jwt.algorithms.HMACAlgorithm.verify(HMACAlgorithm.java:55)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:299)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:283)
	at org.camunda.optimize.service.security.SessionService.isValidAuthToken(SessionService.java:93)
	at java.base/java.util.Optional.map(Optional.java:265)
	at org.camunda.optimize.service.security.SessionService.isValidToken(SessionService.java:81)
	at java.base/java.util.Optional.filter(Optional.java:223)
	at org.camunda.optimize.rest.security.AuthenticationCookieFilter.getPreAuthenticatedPrincipal(AuthenticationCookieFilter.java:33)
	at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:181)
	at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:134)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.camunda.optimize.rest.security.SingleSignOnRequestFilter.doFilter(SingleSignOnRequestFilter.java:58)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.camunda.optimize.jetty.NoCachingFilter.doFilter(NoCachingFilter.java:46)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.camunda.optimize.jetty.LicenseFilter.doFilter(LicenseFilter.java:73)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:763)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:400)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.base/java.lang.Thread.run(Thread.java:829)
12:55:37.764 [qtp334593716-21] DEBUG o.c.o.r.s.AuthenticationCookieFilter - No pre-authenticated principal found in request

These logs occurred at some point but they were not logged again when we were trying to access the Optimize dashboard and seeing “Missing Authorizations” error.
Hope these logs might help you find the root cause, there could be a potential bug.
I will report if I encounter this error again.

Kind regards,
Hrishi
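
What the `SignatureVerificationException ... HmacSHA256` in the log above checks, as an added example that is not part of the original thread and is not Optimize's own code: an HS256 token verifies only when the HMAC is recomputed under the same secret that signed it, so a different key or an altered payload both produce an invalid signature. The secrets, claims and function names below are constructed for the illustration.

```python
import base64, hashlib, hmac, json

KEY_A = b"constructed-signing-secret-A"   # hypothetical secret that issued the token
KEY_B = b"constructed-signing-secret-B"   # hypothetical secret held by the verifier
CLAIMS = {"sub": "demo-user", "iss": "example-issuer", "iat": 1700000000}  # constructed

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def triage(token: str, secret: bytes) -> dict:
    """Classify a token: malformed, unexpected-alg, bad-signature or valid."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"status": "malformed"}
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        presented = b64url_decode(parts[2])
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return {"status": "malformed"}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {"status": "malformed"}
    if header.get("alg") != "HS256":
        return {"status": "unexpected-alg", "alg": header.get("alg")}
    # The MAC covers "<header>.<payload>" exactly as transmitted.
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, presented)  # constant-time comparison
    return {"status": "valid" if ok else "bad-signature",
            "sub": claims.get("sub"), "iss": claims.get("iss"),
            "iat": claims.get("iat")}

if __name__ == "__main__":
    token = sign_hs256(CLAIMS, KEY_A)
    print(triage(token, KEY_A))  # same secret as the signer
    print(triage(token, KEY_B))  # different secret: signature check fails
```

The header and claims remain readable without the key, so during triage the `sub`, `iss` and `iat` of a rejected token can still be compared against login times and the running instance.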

Hi @hrishi_joshi ,
just to clarify, in the first post you mentioned

Does it work now? Or is this an ongoing issue for you that keeps you from using Optimize?

Hi @Helene ,
We faced the same issue again and it starts working after restart. I think something is wrong in the way authentication is handled. How do you suggest we proceed further?

Thanks,
Hrishi

Hi @hrishi_joshi,
in that case I’d suggest you open a ticket for the issue you’re experiencing, that way we can offer more hands on support and debug the issue together.

What's the process to open a ticket?

You can find a guide here (I am assuming you have a license for the Enterprise edition?)

Hi @Helene ,
We have a Camunda partner account and are evaluating Optimize for a potential client case. I had registered on Camunda JIRA earlier and am somehow not able to log in; I might have lost my password. Surprisingly, I am not getting any password reset email at my registered email address.
Would you be able to help me here, please?

Thanks,
Hrishi

Hi @hrishi_joshi, I will DM you for some further details.

I am also facing a related issue with Optimize version 3.8.2 (tried with several versions). My connection with the engine and Elasticsearch is successful, but I am facing the below error while loading Optimize in the browser:

10:01:06.973 [qtp1692375649-17] DEBUG o.c.o.r.s.SingleSignOnRequestFilter - Received new request.
10:01:06.973 [qtp1692375649-17] DEBUG o.c.o.r.s.AuthenticationCookieFilter - Authenticating null
10:01:06.973 [qtp1692375649-17] DEBUG o.c.o.r.s.AuthenticationCookieFilter - No pre-authenticated principal found in request

Hello @ankita_singh! At the moment we are really sure from the details given what the problem is as we don't have enough information to look into this further. Please feel free to open a support ticket in case you need to further solve this issue.