Private Instance Data Access Token Generation UUID


Miu ki Yip

Mar 18, 2026, 2:37:40 PM
to cbiop...@googlegroups.com, Yichao Sun

Hi, 


I am trying to set up a private test cBioPortal instance with API Data Access Tokens using uuid following this outline https://docs.cbioportal.org/deployment/authorization-and-authentication/authenticating-users-via-tokens/. I wanted to know if there is a step that is missing as I am getting an error after adding to the application.properties and restarting the instance. I have added the following values into the application.properties:

# User API Token generation
dat.method=uuid
# Time for token to be live in seconds (2592000 = 30 days)
dat.ttl_seconds=2592000
# Num of access tokens that can be allocated to a user at any given time
dat.uuid.max_number_per_user=1


After restarting, the app will come up and users are able to click to the page to generate access tokens. However, it leads to an error page and the docker log reports the following error that seems to point at a database table unable to be updated:


### The error may involve org.cbioportal.legacy.persistence.mybatis.DataAccessTokenMapper.addDataAccessToken-Inline

### The error occurred while setting parameters

### SQL: INSERT         INTO data_access_tokens(TOKEN, USERNAME, EXPIRATION, CREATION)         VALUES (?, ?, ?, ?)

### Cause: java.sql.SQLIntegrityConstraintViolationException: Cannot add or update a child row: a foreign key constraint fails (`cbioportal`.`data_access_tokens`, CONSTRAINT `data_access_tokens_ibfk_1` FOREIGN KEY (`USERNAME`) REFERENCES `users` (`EMAIL`) ON DELETE CASCADE)

; Cannot add or update a child row: a foreign key constraint fails (`cbioportal`.`data_access_tokens`, CONSTRAINT `data_access_tokens_ibfk_1` FOREIGN KEY (`USERNAME`) REFERENCES `users` (`EMAIL`) ON DELETE CASCADE)] with root cause


java.sql.SQLIntegrityConstraintViolationException: Cannot add or update a child row: a foreign key constraint fails (`cbioportal`.`data_access_tokens`, CONSTRAINT `data_access_tokens_ibfk_1` FOREIGN KEY (`USERNAME`) REFERENCES `users` (`EMAIL`) ON DELETE CASCADE)

at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:118) ~[mysql-connector-j-8.2.0.jar:8.2.0]

at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) ~[mysql-connector-j-8.2.0.jar:8.2.0]

...

at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.34.jar:10.1.34]

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.34.jar:10.1.34]

at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]


Thank you in advance for your help!



Benjamin Gross

Mar 18, 2026, 6:37:27 PM
to Miu ki Yip, cbiop...@googlegroups.com, Yichao Sun
Hi Yip (and Yichao!),

Looking closely at this error, it looks like a token was created on behalf of the user, but when the system tries to create a record in the data_access_tokens table, it fails because the user generating the token has no record in the users table.

How did you set up authentication?

Best,
Benjamin


Miu ki Yip

Mar 19, 2026, 9:52:36 AM
to Benjamin Gross, cbiop...@googlegroups.com, Yichao Sun
Hi Benjamin,

We are using Keycloak and SAML. I see from Keycloak under the Manage > Users tab that username = email address but the ID column is different. I’m not sure if this is the user table that it is trying to link to.

Thanks for taking the time to look at this!

Benjamin Gross

Mar 19, 2026, 11:37:29 AM
to Miu ki Yip, cbiop...@googlegroups.com, Yichao Sun
Hi Yip,

The uuid mechanism was an implementation that existed before Keycloak was integrated into the cBioPortal ecosystem.  Since you have Keycloak in your configuration, you want to use it as a token provider.  Your settings should be similar to the following, with the URL to your Keycloak server in place:

--dat.method=oauth2
--dat.oauth2.clientId=<YOUR_KEYCLOAK_CLIENT_ID>
--dat.oauth2.clientSecret=<DAT_OAUTH2_CLIENT_SECRET>
--dat.oauth2.accessTokenUri=https://<YOUR_KEYCLOAK_HOSTNAME>/auth/realms/<YOUR_KEYCLOAK_REALM>/protocol/openid-connect/token
--dat.oauth2.jwkUrl=https://<YOUR_KEYCLOAK_HOSTNAME>/auth/realms/<YOUR_KEYCLOAK_REALM>/protocol/openid-connect/certs
--dat.oauth2.issuer=https://<YOUR_KEYCLOAK_HOSTNAME>/auth/realms/<YOUR_KEYCLOAK_REALM>
--dat.oauth2.userAuthorizationUri=https://<YOUR_KEYCLOAK_HOSTNAME>/auth/realms/<YOUR_KEYCLOAK_REALM>/protocol/openid-connect/auth
--dat.oauth2.redirectUri=https://<YOUR_CBIOPORTAL_HOSTNAME>/api/data-access-token/oauth2
--dat.oauth2.jwtRolesPath=realm_access::roles

You can find info about these properties on the same page in the “Modifying Configuration” section (see below).

If you followed the instructions for creating a Keycloak Client (see below), you would have set it up with Access Type “confidential”.  By doing this, you can download the DAT_OAUTH2_CLIENT_SECRET from the Keycloak Client “Credentials” tab.

Let me know how it goes.

-Benjamin



Miu ki Yip

Mar 26, 2026, 2:53:14 PM
to Benjamin Gross, cbiop...@googlegroups.com, Yichao Sun
Hi Benjamin,

Thank you! I was able to get tokens generated by users. I attempted to use a token that I generated with my account to retrieve study data using the API, but it seems like it only works for anything that is public data on the private cBioPortal instance. I am unable to retrieve any custom studies via API even though I can view them from the UI interface. Is there a setting that should be adjusted on Keycloak to allow for API access to studies like that, or is there a different authentication header that is supposed to be used in the curl?

Here is an example curl that I’ve taken from the swagger page:

curl -X GET "[hostname]/api/studies/[study_name]/samples?projection=SUMMARY&pageSize=10000000&pageNumber=0&direction=ASC" -H "accept: application/json" -H "Authorization: Bearer token"


It returns:

{"message":"Access to the specified resource has been forbidden"}

Benjamin Gross

Mar 26, 2026, 4:27:43 PM
to Miu ki Yip, cbiop...@googlegroups.com, Yichao Sun
Hi Yip,

I’m guessing that the value of dat.oauth2.jwtRolesPath may be incorrect.  If this value is incorrect, it’s caught silently and the code returns an empty role list.  With no roles, the user has no granted authorities so they can only see public studies.

You should inspect an actual JWT and see what the structure looks like.  The following section in the documentation describes how to do this:



Best,
-Benjamin
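
An added example, not part of the thread or of cBioPortal's own code: it decodes a JWT payload for inspection and resolves a dat.oauth2.jwtRolesPath value against it, assuming "::" separates nested claim names as in the value quoted above. The token, claim names and role below are constructed sample data, and the signature is not verified, so use it only to look at the claim structure.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token: str) -> dict:
    """Return the JWT claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def roles_at(claims: dict, path: str) -> list:
    """Walk a '::'-separated path; any miss yields [] (the silent failure described above)."""
    node = claims
    for key in path.split("::"):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return node if isinstance(node, list) else []

def candidate_paths(node, prefix=()):
    """List every '::' path in the claims whose value is a non-empty list of strings."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found += candidate_paths(value, prefix + (key,))
    elif isinstance(node, list) and node and all(isinstance(v, str) for v in node):
        found.append("::".join(prefix))
    return found

def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token: roles live under resource_access, not realm_access.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.org/auth/realms/demo",
    "aud": ["cbioportal"],
    "resource_access": {"cbioportal": {"roles": ["study_private_1"]}},
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url(SAMPLE_CLAIMS), "sig"])

if __name__ == "__main__":
    claims = decode_payload(SAMPLE_TOKEN)
    print("configured path ->", roles_at(claims, "realm_access::roles"))
    print("paths holding string lists ->", candidate_paths(claims))
```

With a real token in place of SAMPLE_TOKEN, an empty result for the configured path alongside a non-empty candidate list points at the path to set instead.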
