API Xibo CMS 3.1.0 - Access token has been revoked

Since updating to 3.1.0 I have an issue connecting the API.
Via Postman I can get the token, but any other API request results in:

{ 
    "error": "access_denied", 
    "error_description": "The resource owner or authorization server denied the request.", 
    "hint": "Access token has been revoked",
    "message": "The resource owner or authorization server denied the request."
}

I have also created a new Xibo CMS server on a fresh ubuntu server, and I have the same issue there.

Hey there,

Could you confirm for us if this is docker or manual installation?
Do you see any other errors in CMS logs page when you make API requests?
(you can enable debugging/test mode to get more logs as well).

My guess would be that it’s an issue with cache, perhaps CMS cannot write to it correctly - without any special configuration and on manual installation, CMS will use fileSystem cache (which should be in your CMS library folder/cache/)

In 3.1 we cache certain information about accessToken/requesting client, which is then checked before any other API request goes through - ie if it’s not cached correctly, then check will fail and mark the token as revoked, which would explain your experience.

Both installations are Docker installations.

Log shows:

65	f8025cb	2022-03-29 16:43	API	GET	ERROR		/api/layout	The resource owner or authorization server denied the request.
66	f8025cb	2022-03-29 16:43	API	GET	DEBUG		/api/layout	
#0 /var/www/cms/vendor/league/oauth2-server/src/AuthorizationValidators/BearerTokenValidator.php(118): League\OAuth2\Server\Exception\OAuthServerException::accessDenied() 
#1 /var/www/cms/vendor/league/oauth2-server/src/ResourceServer.php(84): League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator->validateAuthorization() 
#2 /var/www/cms/lib/Middleware/ApiAuthorization.php(88): League\OAuth2\Server\ResourceServer->validateAuthenticatedRequest() 
#3 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\ApiAuthorization->process()

When I check that folder, these are the permissions:

15991120       4 drwxr-x---   4 systemd-network systemd-journal       4096 Jun 28  2021 cache

@Peter Any update after my answer?

Please can you post your docker-compose.yml file?

And also the output of:

docker-compose exec cms-web sh -c "ls -al /var/www/cms/library/cache"

@Peter is there any other logging which would be useful here? I presume it must be a complete cache miss, but that does seem strange.

docker-compose.yml

version: "2.1"

services:
    cms-db:
        image: mysql:5.7
        command: --wait-timeout=600
        volumes:
            - "./shared/db:/var/lib/mysql:Z"
        environment:
            - MYSQL_DATABASE=cms
            - MYSQL_USER=cms
            - MYSQL_RANDOM_ROOT_PASSWORD=yes
        mem_limit: 1g
        env_file: config.env
        restart: always
    cms-xmr:
        image: xibosignage/xibo-xmr:0.9
        ports:
            - "9505:9505"
        restart: always
        mem_limit: 256m
        env_file: config.env
    cms-web:
        image: xibosignage/xibo-cms:release-3.1.0
        volumes:
            - "./shared/cms/custom:/var/www/cms/custom:Z"
            - "./shared/backup:/var/www/backup:Z"
            - "./shared/cms/web/theme/custom:/var/www/cms/web/theme/custom:Z"
            - "./shared/cms/library:/var/www/cms/library:Z"
            - "./shared/cms/web/userscripts:/var/www/cms/web/userscripts:Z"
            - "./shared/cms/ca-certs:/var/www/cms/ca-certs:Z"
        restart: always
        links:
            - cms-db:mysql
            - cms-xmr:50001
        environment:
            - XMR_HOST=cms-xmr
            - CMS_USE_MEMCACHED=true
            - MEMCACHED_HOST=cms-memcached
        env_file: config.env
        ports:
            - "80:80"
        mem_limit: 1g
    cms-memcached:
        image: memcached:alpine
        command: memcached -m 15
        restart: always
        mem_limit: 100M
    cms-quickchart:
      image: ianw/quickchart
      restart: always

Output

docker-compose exec cms-web sh -c "ls -al /var/www/cms/library/cache"
/opt/xibo$ docker-compose exec cms-web sh -c "ls -al /var/www/cms/library/cache"
total 8
drwxr-xr-x    2 apache   apache        4096 Mar 23 08:19 .
drwxr-xr-x    9 apache   apache        4096 Apr  1 11:15 ..

Shouldn’t there be a file or folder in there?

Hi, i am having the same problem. Xibo 3.0.1 is installed with Docker and my outputs is the same as Randall_Kam’s output.

logId,runNo,logDate,channel,page,function,message,display.display,type		
1008,5c72880,"2022-04-07 21:14:50",API,/api/,GET,"The resource owner or authorization server denied the request.",,ERROR		
1009,5c72880,"2022-04-07 21:14:50",API,/api/,GET,"#0 /var/www/cms/vendor/league/oauth2-server/src/AuthorizationValidators/BearerTokenValidator.php(93): League\OAuth2\Server\Exception\OAuthServerException::accessDenied()		
#1 /var/www/cms/vendor/league/oauth2-server/src/ResourceServer.php(84): League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator-&gt	validateAuthorization()	
#2 /var/www/cms/lib/Middleware/ApiAuthorization.php(88): League\OAuth2\Server\ResourceServer-&gt	validateAuthenticatedRequest()	
#3 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\ApiAuthorization-&gt	process()	
#4 /var/www/cms/lib/Middleware/State.php(88): class@anonymous-&gt	handle()	
#5 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\State-&gt	process()	
#6 /var/www/cms/lib/Middleware/Log.php(59): class@anonymous-&gt	handle()	
#7 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\Log-&gt	process()	
#8 /var/www/cms/lib/Middleware/Storage.php(61): class@anonymous-&gt	handle()	
#9 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\Storage-&gt	process()	
#10 /var/www/cms/lib/Middleware/Xmr.php(67): class@anonymous-&gt	handle()	
#11 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\Xmr-&gt	process()	
#12 /var/www/cms/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php(59): class@anonymous-&gt	handle()	
#13 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Slim\Middleware\RoutingMiddleware-&gt	process()	
#14 /var/www/cms/lib/Middleware/TrailingSlashMiddleware.php(68): class@anonymous-&gt	handle()	
#15 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\TrailingSlashMiddleware-&gt	process()	
#16 /var/www/cms/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(107): class@anonymous-&gt	handle()	
#17 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Slim\Middleware\ErrorMiddleware-&gt	process()	
#18 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(81): class@anonymous-&gt	handle()	
#19 /var/www/cms/vendor/slim/slim/Slim/App.php(215): Slim\MiddlewareDispatcher-&gt	handle()	
#20 /var/www/cms/vendor/slim/slim/Slim/App.php(199): Slim\App-&gt	handle()	
#21 /var/www/cms/web/api/index.php(91): Slim\App-&gt	run()	
#22 {main}",,DEBUG		
1011,2c24edc,"2022-04-07 21:14:52",API,/api/,GET,"The resource owner or authorization server denied the request.",,ERROR		
1012,2c24edc,"2022-04-07 21:14:52",API,/api/,GET,"#0 /var/www/cms/vendor/league/oauth2-server/src/AuthorizationValidators/BearerTokenValidator.php(93): League\OAuth2\Server\Exception\OAuthServerException::accessDenied()		
#1 /var/www/cms/vendor/league/oauth2-server/src/ResourceServer.php(84): League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator-&gt	validateAuthorization()	
#2 /var/www/cms/lib/Middleware/ApiAuthorization.php(88): League\OAuth2\Server\ResourceServer-&gt	validateAuthenticatedRequest()	
#3 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\ApiAuthorization-&gt	process()	
#4 /var/www/cms/lib/Middleware/State.php(88): class@anonymous-&gt	handle()	
#5 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\State-&gt	process()	
#6 /var/www/cms/lib/Middleware/Log.php(59): class@anonymous-&gt	handle()	
#7 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\Log-&gt	process()	
#8 /var/www/cms/lib/Middleware/Storage.php(61): class@anonymous-&gt	handle()	
#9 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\Storage-&gt	process()	
#10 /var/www/cms/lib/Middleware/Xmr.php(67): class@anonymous-&gt	handle()	
#11 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\Xmr-&gt	process()	
#12 /var/www/cms/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php(59): class@anonymous-&gt	handle()	
#13 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Slim\Middleware\RoutingMiddleware-&gt	process()	
#14 /var/www/cms/lib/Middleware/TrailingSlashMiddleware.php(68): class@anonymous-&gt	handle()	
#15 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Xibo\Middleware\TrailingSlashMiddleware-&gt	process()	
#16 /var/www/cms/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(107): class@anonymous-&gt	handle()	
#17 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(147): Slim\Middleware\ErrorMiddleware-&gt	process()	
#18 /var/www/cms/vendor/slim/slim/Slim/MiddlewareDispatcher.php(81): class@anonymous-&gt	handle()	
#19 /var/www/cms/vendor/slim/slim/Slim/App.php(215): Slim\MiddlewareDispatcher-&gt	handle()	
#20 /var/www/cms/vendor/slim/slim/Slim/App.php(199): Slim\App-&gt	handle()	
#21 /var/www/cms/web/api/index.php(91): Slim\App-&gt	run()	
#22 {main}",,DEBUG		
1014,56d3fd2,"2022-04-07 21:15:00",WEB,/,GET,"Loading 1. All Objects = 0",,DEBUG		
1015,56d3fd2,"2022-04-07 21:15:00",WEB,/,GET,"Install Fonts called with options: {&quot	invalidateCache&quot	:false}",,DEBUG
1016,56d3fd2,"2022-04-07 21:15:00",WEB,/,GET,"CMS font CSS returned from Cache.",,DEBUG		
1017,56d3fd2,"2022-04-07 21:15:00",WEB,/,GET,"Showing the homepage: statusdashboard.view",,DEBUG		
1018,56d3fd2,"2022-04-07 21:15:00",WEB,/,GET,"Request stats: {		
    &quot	default&quot	: {
        &quot	select&quot	: 7
    },		
    &quot	log&quot	: {
        &quot	insert&quot	: 4
    },		
    &quot	length&quot	: 0.11856412887573242,
    &quot	memoryUsage&quot	: 20083488,
    &quot	peakMemoryUsage&quot	: 20203912
}.",,INFO		
1019,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Loading 1. All Objects = 0",,DEBUG		
1020,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Install Fonts called with options: {&quot	invalidateCache&quot	:false}",,DEBUG
1021,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"CMS font CSS returned from Cache.",,DEBUG		
1022,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Checking permissions against the logged in user: ID: 1, Name: xibo_admin, UserType: 1",,DEBUG		
1023,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Checking permissions against the logged in user: ID: 1, Name: xibo_admin, UserType: 1",,DEBUG		
1024,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Checking permissions against the logged in user: ID: 1, Name: xibo_admin, UserType: 1",,DEBUG		
1025,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Checking permissions against the logged in user: ID: 1, Name: xibo_admin, UserType: 1",,DEBUG		
1026,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Checking permissions against the logged in user: ID: 1, Name: xibo_admin, UserType: 1",,DEBUG		
1027,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"UserOption navigationMenuPosition not found",,DEBUG		
1028,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Returning the default value: 'horizontal'",,DEBUG		
1029,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"UserOption hideNavigation not found",,DEBUG		
1030,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Returning the default value: '0'",,DEBUG		
1031,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"UserOption navigationMenuPosition not found",,DEBUG		
1032,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Returning the default value: 'horizontal'",,DEBUG		
1033,96f8521,"2022-04-07 21:15:00",WEB,/statusdashboard,GET,"Request stats: {		
    &quot	default&quot	: {
        &quot	select&quot	: 12
    },

Can you try setting this to false and re-upping your containers?

Once you disable memcached, you would expect a folder in there, yes. I had you run that before just in case you already had memcached disabled.

Sorry, but I think your problem is different - you need to provide the token with the Authorization header, which you can’t do in the browser.

/opt/xibo$ docker-compose exec cms-web sh -c "ls -al /var/www/cms/library/cache"
total 16
drwxr-xr-x    4 apache   apache        4096 Apr 11 07:29 .
drwxr-xr-x    9 apache   apache        4096 Apr 11 00:00 ..
drwxr-x---    3 apache   apache        4096 Apr 11 07:28 0fea6a13c52b4d47
drwxr-x---    3 apache   apache        4096 Apr 11 07:29 1952a01898073d1e

It did not change anything in the outcome.

I think we’ve found the issue, which will be fixed in 3.1.1 due tomorrow:

Thanks for your patience.

To solve the issue before release, select only one grant type for your application.

1 Like

Where do I select the grant type?
Must I enable caching again?

Yes, you can enable caching again.

The grant is where is says “Authorisation code” and “Client Credentials” on the Application you created (where you get the clientId and clientSecret).

1 Like

Update 3.1.1 has solved my issues! Thank you for your patience to work with me.

1 Like

I had the same issue. Worked fine in 3.0.* , update to 3.1.0 failed but working again in 3.1.1

1 Like