Dex authentication periodically begins to fail for a short time

I have a concourse installation that is somewhat unorthodox but mostly works very well. I authenticate with GitHub.

Sometimes, when I try to log in via the browser, I get a blank page with this error:

Note that the GitHub client has never changed its secret and after some time, the error stops occurring and I can log in again.

Now, I noticed this interesting block in the logs of the ATC which I was logging into:

{"timestamp":"2019-08-15T17:07:43.475583346Z","level":"error","source":"atc","message":"","data":{"error":"square/go-jose: error in cryptographic primitive","session":"6.1"}}
{"timestamp":"2019-08-15T17:07:43.592000319Z","level":"error","source":"atc","message":"","data":{"error":"square/go-jose: error in cryptographic primitive","session":"6.2"}}
{"timestamp":"2019-08-15T17:07:45.300020725Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"login successful: connector \"github\", username=\"ships\", email=\"\", groups=[...REDACTED...]","session":"7"}}
{"timestamp":"2019-08-15T17:07:45.325161239Z","level":"error","source":"atc","message":"","data":{"error":"oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"invalid_client\",\"error_description\":\"Invalid client credentials.\"}","session":"6.3"}}

This surprises me, and feels more like a bug than operator error, but I am prepared to believe I have configured something wrong. In particular, this error in cryptographic primitive bit in unfamiliar to me, and might be either a bug or an easy configuration fix.

I don’t recall seeing this error so frequently prior to 5.4 but I was pinned to “lastest” for some time so can’t be sure exactly that’s when this started. My ATCs are currently restarted pretty frequently as well.

Any thoughts ? Anybody recognize that error ?

Hmm, never seen that error before myself. Googling it seems to have a bunch of signs pointing to a stale cookie:

Maybe next time it happens you could try clearing your browser state and trying again? :thinking:

I have tried clearing session state one piece at a time, then all together, it does not resolve the issue. I notice in the logs above, that i have successfully logged in to github- it shows me my group membership and everything. The github app is (i believe) the only place where client credentials style sign-in occurs in this flow, so i’m surprised to see the particular error, Invalid client credentials, appear.

My intuition is that if it’s unfamiliar to you, it probably has to do with my unorthodox setup, which involves Nomad running my concourse nodes and restarting them frequently because Vault regenerates credentials. I will investigate whether my setup is misaligned with your recommended setup with Vault.