IBM Support

Failing Cloud Foundry (CF) authentication after OAuth Token Expiry

Troubleshooting


Problem

Introduction

The CF auth method provides an automated mechanism to retrieve a Vault token for CF instances. For more information on the CF auth method, refer to the Vault documentation: Cloud Foundry (CF) auth method.

 

When the OAuth token for the CF auth method expires, the following error occurs:

vault login -method=cf -path=cf role=cf-role

Error authenticating: Error making API request.

Namespace: ns1/
URL: PUT https://vault.internal.org:8200/v1/auth/cf/login
Code: 400. Errors:

* Error requesting apps: Get "https://.../v2/apps/39584f56-f509-45e2-b3f7-xxxxxxxx?inline-relations-depth=2": oauth2: "invalid_token" "Could not verify token signature.

 

Cause

The CF auth method relies on OAuth access tokens, which can expire, be revoked or fail for many reasons. In previous versions, the plugin created a new client per request. The per-request client introduced unnecessary overhead, including port exhaustion. To solve this, the CF auth plugin was modified to share a single client instance.

In v0.18.0 of the cf-auth-plugin, the following change was introduced:

Use a single CF client for all requests to avoid connection exhaustion GH-86 GH-87

 

This change introduced an undesirable behaviour: when the OAuth token expires, there is no retry logic built into the plugin.
 
In future releases of Vault (post 1.22 or 2.0), retry logic may be added, which may remove the need for the manual reload solution detailed below.

 

Overview of possible solutions (if applicable)

Triggering a reload of the config via vault write auth/cf/config, or tuning the mount, will generate a new client request, which in turn will resolve the error until the next OAuth token expiry.
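
An operator-side helper for the workaround above, added here as an example and not taken from the article or the plugin: it checks whether a captured login failure is the stale-client case and only then tunes the mount. The function names, the CF_MOUNT and CF_ERR_FILE variables and the description text are assumptions, as is the idea that re-setting the mount description counts as the tune that triggers the reload.

```shell
#!/bin/sh
# Added example, not from the article. Operator-side helper: decide whether a
# captured `vault login -method=cf` failure is the stale-client case and, if so,
# apply the mount-tune workaround. Mount path "cf" mirrors the article's sample.
CF_MOUNT="${CF_MOUNT:-cf}"

# Constructed sample: the error text quoted in the article, elisions kept.
SAMPLE_STALE='Error authenticating: Error making API request.
Namespace: ns1/
URL: PUT https://vault.internal.org:8200/v1/auth/cf/login
Code: 400. Errors:
* Error requesting apps: Get "https://.../v2/apps/39584f56-f509-45e2-b3f7-xxxxxxxx?inline-relations-depth=2": oauth2: "invalid_token" "Could not verify token signature.'

# Return 0 only when the text is a failure on this mount's login endpoint AND
# the cause is the CF API rejecting the plugin's own OAuth token.
is_stale_cf_client() {
    printf '%s\n' "$1" | grep -q "/v1/auth/${CF_MOUNT}/login" || return 1
    printf '%s\n' "$1" | grep -q 'oauth2: "invalid_token"' || return 1
    return 0
}

# Tune the mount to force a new CF client. Assumption: re-setting the
# description counts as the "tuning the mount" trigger the article names.
# Needs VAULT_ADDR, VAULT_NAMESPACE and a token permitted to tune the mount.
reload_cf_mount() {
    vault auth tune \
        -description="CF auth, client reloaded $(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${CF_MOUNT}/"
}

# Read a captured error on stdin; reload only for the stale-client signature.
# Exit status: 0 reloaded, 1 reload failed, 2 unrelated error (left alone).
reload_if_stale() {
    captured=$(cat)
    if is_stale_cf_client "$captured"; then
        echo "stale CF OAuth client on auth/${CF_MOUNT}, tuning mount" >&2
        reload_cf_mount || return 1
        return 0
    fi
    echo "not the stale-client error, no reload performed" >&2
    return 2
}

# Run as: CF_ERR_FILE=login-error.txt sh this-script.sh
if [ -n "${CF_ERR_FILE:-}" ]; then
    reload_if_stale < "$CF_ERR_FILE"
fi
```

The tune call runs with the operator's token, not the CF instance's identity, so the helper belongs on an administrative host rather than inside the application that is logging in.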

 

Additional Resources

Vault Documentation: Cloud Foundry (CF) auth method

CF Auth Change Log: v0.18.0

 

 

Document Location

Worldwide


Historical Number

47259723210899

Document Information

Modified date:
16 March 2026

UID

ibm17264670