Artifactory Cloud - Token principal mismatch on group tokens

Question

We have several groups in Artifactory Cloud which have a 'non-admin access token' assigned to them. This setup did work without an issue for almost one year. But since yesterday we're not able to use any of the group tokens anymore. Created a new group token today, but still doesn't work.

While checking the "Artifactory System logs" in the admin UI, it seems the Artifactory service was restarted yesterday (on which our depending jobs started to fail). The logs contain a lot of "Principal mismatch for token with id '[ID]'" messages.

• Debugging using curl gives us: "error 401 - Token principal mismatch"
• Performing the same step with an incorrect token indeed gives: "error 401 - Bad Credentials"
• Using the same curl statement with user/pass, works perfectly.

My conclusion is that authentication of the group tokens still works, but somehow the next step (= principal mismatch ?) is failing. Any idea how to fix this? Thanks in advance!

--Edit--

• Artifactory version: 7.23.3
• Revision: 72303900
• PostgreSQL: 9.6.20

We are using Python code from this REPO to generate group token (worked without issue last week): https://pypi.org/project/pyartifactory/1.9.1/

token = art.security.create_access_token(user_name=group_name,
                                 groups=[group.name],
                                 refreshable=False,
                                 expires_in=0)

Used this curl statement for testing:

curl -O "https://$CRED@[subscription_name].jfrog.io/artifactory/[location to Python wheel]"

If $CRED is [Username]:[Password] it works fine, but [Group]:[API token] is not working (which used to work before last Sunday; issue is with both new and existing groups/tokens).

Answer 1

You can't use group name as username in basic auth. Try bearer auth:

curl -O "https://[subscription_name].jfrog.io/artifactory/[location to Python wheel]" -H "Authoriazation: Bearer [API token]"

Checkout basic/bearer SO thread