Cannot get Kvasir to consistently recognize registered UMA server + confusing error when registering slices

I am currently experiencing an issue where even though an UMA server is registered, Kvasir cannot always recognize it when posting to http://localhost:8080/alice/slices. It will reply that the issuer is http://localhost:8280/realms/quarkus instead of http://localhost:4000/uma. I have attached a screenshot below showing my UMA settings: [image]

Sending a GET request to http://localhost:8080/alice/rebac/relationships does seem to return the expected values:

{
    "@graph": [
        {
            "@id": "urn:kvasir-user:alice",
            "@type": "kss-fga:User",
            "kss-fga:owner": {
                "@id": "http://localhost:8080/alice",
                "@type": "kss-fga:Resource"
            }
        },
        {
            "@id": "urn:kvasir-wildcard",
            "@type": "kss-fga:User",
            "kss-fga:owner": {
                "@id": "http://localhost:8080/alice",
                "@type": "kss-fga:Resource",
                "kss-fga:external_access": {
                    "@id": "kss-fga:Uma"
                }
            }
        }
    ],
    "@context": {
        "kss": "https://kvasir.discover.ilabt.imec.be/vocab#",
        "kss-fga": "https://kvasir.discover.ilabt.imec.be/fine-grained-access#"
    }
}

And the following policies have been set:

      {
        name: "owner_slice_management",
        assignee: USER_UMA_ID,
        assigner: USER_UMA_ID,
        scopes: ["read", "write", "delete"],
        target: POD_URL + "/slices",
        client: CLIENT_UMA_ID,
      }

The strange part is that this behavior is not consistent; I have confirmed that I am using the same version of Kvasir and UMA as Pol, the same scripts and have removed my volumes of both Kvasir and UMA before each test run, but it seems to work perfectly fine for Pol whereas I get the issue described above.

However, the issue above does not always occur. I have confirmed that this happens on 3 separate machines, but on one of them this usually does not happen and I get a 500 error instead. So here Kvasir does recognize UMA as the authorization server, but once the RPT token from the UMA server gets sent to Kvasir, I get the following error:

kvasir-1  | 2026-03-07 10:28:34,266 ERROR [idlab.quarkus.ext.pep.openfga.runtime.OpenFgaPepFilter] (vert.x-eventloop-thread-10) java.lang.IllegalArgumentException: Attribute 'sub' not found in JWT claims

When inspecting the RPT being sent, it does indeed not contain the sub attribute:

{
  "permissions": [
    {
      "resource_id": "http://localhost:8080/alice/slices",
      "resource_scopes": [
        "urn:example:css:modes:write"
      ]
    }
  ],
  "iat": 1772633597,
  "iss": "http://localhost:4000/uma",
  "aud": "solid",
  "exp": 1772633897,
  "jti": "938afdb5-37e8-4912-971d-fdd93a38d866"
}

The exact POST request being sent is the following:

{
  method: 'POST',
  headers: Headers {
    'Content-Type': 'application/ld+json',
    Authorization: 'Bearer eyJhbGciOiJFUzI1NiJ9.eyJwZXJtaXNzaW9ucyI6W3sicmVzb3VyY2VfaWQiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYWxpY2Uvc2xpY2VzIiwicmVzb3VyY2Vfc2NvcGVzIjpbInVybjpleGFtcGxlOmNzczptb2Rlczp3cml0ZSJdfV0sImlhdCI6MTc3Mjg4NDE4MCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0MDAwL3VtYSIsImF1ZCI6InNvbGlkIiwiZXhwIjoxNzcyODg0NDgwLCJqdGkiOiIwMWZhNDdmNC0xNDYxLTRiNWItYWFiMS1jYzQ3ZjI5ZTY1ZmUifQ.yp4-vpPvGh-V7c__QRzR7Cu1LmO9tcMNYoUlvbvy_SUDrXUCESaMv7AYz1KU1GDPMLY_kk2InEepu3EAJWyxwQ'
  },
  body: '{"@context":{"kss":"https://kvasir.discover.ilabt.imec.be/vocab#","schema":"http://schema.org/","ex":"http://example.org/"},"kss:name":"AggregatorDemoSlice","kss:description":"Slice for aggregator demo","kss:schema":"\\ntype Query {\\n  observations: [ex_Observation]!\\n  observation(id: ID!): ex_Observation\\n}\\n\\ntype ex_Observation {\\n  id: ID!\\n  ex_value: Int!\\n  ex_unit: String!\\n  ex_timestamp: DateTime!\\n}\\n\\ntype Mutation {\\n  add(obs: [ObservationInput!]!): ID!\\n}\\n\\ntype Subscription {\\n  observationAdded: ex_Observation!\\n}\\n  \\ninput ObservationInput @class(iri: \\"ex:Observation\\") {\\n  id: ID!\\n  ex_value: Int!\\n  ex_unit: String!\\n  ex_timestamp: DateTime!\\n}"}'
}

This particular machine where this error occurs has also gotten the first described issue once, but I have not been able to reproduce that error and always end up with the other error instead. All 3 machines use identical setups with the same scripts where all volumes have been deleted before each test run. I have attached the exact scripts used as well in test.zip. The entry point is in setup-pod.ts and the only configs that need to be set are in the first few lines of that file.
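
The RPT inspection described in the report can be scripted so that a missing `sub` or an unexpected issuer shows up before the request reaches Kvasir. This is an added example, not part of the original report or of the Kvasir or UMA code: `checkRpt`, `decodeJwtPayload` and the sample token are hypothetical, the token is constructed from the payload shown above with a placeholder signature, and treating `sub` as required is taken from the error message.

```javascript
// Added diagnostic example. Decodes only; it does NOT verify the signature,
// so it is for debugging claims, never for making an access decision.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 segments");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns the decoded claims plus a list of human-readable problems.
function checkRpt(token, { expectedIssuer, requiredClaims, nowSeconds }) {
  const claims = decodeJwtPayload(token);
  const problems = [];
  for (const name of requiredClaims) {
    if (claims[name] === undefined) problems.push(`missing claim '${name}'`);
  }
  if (claims.iss !== undefined && claims.iss !== expectedIssuer) {
    problems.push(`issuer mismatch: got ${claims.iss}, expected ${expectedIssuer}`);
  }
  if (typeof claims.exp === "number" && claims.exp <= nowSeconds) {
    problems.push("token expired");
  }
  return { claims, problems };
}

// Constructed sample: payload copied from the decoded RPT in the report,
// header and signature are placeholders.
const SAMPLE_RPT = [
  b64url({ alg: "ES256" }),
  b64url({
    permissions: [{ resource_id: "http://localhost:8080/alice/slices",
                    resource_scopes: ["urn:example:css:modes:write"] }],
    iat: 1772633597, iss: "http://localhost:4000/uma", aud: "solid",
    exp: 1772633897, jti: "938afdb5-37e8-4912-971d-fdd93a38d866",
  }),
  "placeholder-signature",
].join(".");

const report = checkRpt(SAMPLE_RPT, {
  expectedIssuer: "http://localhost:4000/uma",
  requiredClaims: ["iss", "sub", "exp"],
  nowSeconds: 1772633600, // fixed clock so the sample is reproducible
});
console.log(report.problems);
```
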