Private Instance Data Access Token Generation UUID

13 views
Skip to first unread message

Miu ki Yip

unread,
Mar 18, 2026, 2:37:40 PM (4 days ago) Mar 18
to cbiop...@googlegroups.com, Yichao Sun

Hi, 


I am trying to set up a private test cBioPortal instance with API Data Access Tokens using uuid following this outline https://docs.cbioportal.org/deployment/authorization-and-authentication/authenticating-users-via-tokens/. I wanted to know if there is a step that is missing as I am getting an error after adding to the application.properties and restarting the instance. I have added the following values into the application.properties:

# User API Token generation

dat.method=uuid

# Time for token to be live in seconds (2592000 = 30 days)

dat.ttl_seconds=2592000

# Num of access tokens that can be allocated to a user at any given time

dat.uuid.max_number_per_user=1


After restarting, the app will come up and users are able to click to the page to generate access tokens. However, it leads to an error page and the docker log reports the following error that seems to point at a database table unable to be updated:


### The error may involve org.cbioportal.legacy.persistence.mybatis.DataAccessTokenMapper.addDataAccessToken-Inline

### The error occurred while setting parameters

### SQL: INSERT         INTO data_access_tokens(TOKEN, USERNAME, EXPIRATION, CREATION)         VALUES (?, ?, ?, ?)

### Cause: java.sql.SQLIntegrityConstraintViolationException: Cannot add or update a child row: a foreign key constraint fails (`cbioportal`.`data_access_tokens`, CONSTRAINT `data_access_tokens_ibfk_1` FOREIGN KEY (`USERNAME`) REFERENCES `users` (`EMAIL`) ON DELETE CASCADE)

; Cannot add or update a child row: a foreign key constraint fails (`cbioportal`.`data_access_tokens`, CONSTRAINT `data_access_tokens_ibfk_1` FOREIGN KEY (`USERNAME`) REFERENCES `users` (`EMAIL`) ON DELETE CASCADE)] with root cause


java.sql.SQLIntegrityConstraintViolationException: Cannot add or update a child row: a foreign key constraint fails (`cbioportal`.`data_access_tokens`, CONSTRAINT `data_access_tokens_ibfk_1` FOREIGN KEY (`USERNAME`) REFERENCES `users` (`EMAIL`) ON DELETE CASCADE)

at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:118) ~[mysql-connector-j-8.2.0.jar:8.2.0]

at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) ~[mysql-connector-j-8.2.0.jar:8.2.0]

...

at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.34.jar:10.1.34]

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.34.jar:10.1.34]

at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]


Thank you in advance for your help!



Benjamin Gross

unread,
Mar 18, 2026, 6:37:27 PM (4 days ago) Mar 18
to Miu ki Yip, cbiop...@googlegroups.com, Yichao Sun
Hi Yip (and Yichao!),

Looking closely at this error, it looks like a token was create on behalf of the user, but when the system tries to create a record in the data_access_tokens table, it fails because the user generating the token has no record in the users table.

How did you setup authentication?

Best,
Benjamin

--
You received this message because you are subscribed to the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cbioportal+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/cbioportal/BL4PR06MB100026E7F2CACFCB58DC8752EED4EA%40BL4PR06MB10002.namprd06.prod.outlook.com.

Miu ki Yip

unread,
Mar 19, 2026, 9:52:36 AM (3 days ago) Mar 19
to Benjamin Gross, cbiop...@googlegroups.com, Yichao Sun
Hi Benjamin,

We are using key cloak and saml. I see from key cloak under the Manage > Users tab that username = email address but the ID column is different. I’m not sure if this is the user table that it is trying to link to.

Thanks for taking the time to look at this!

From: Benjamin Gross <benjami...@gmail.com>
Date: Wednesday, March 18, 2026 at 6:37 PM
To: Miu ki Yip <miy...@med.cornell.edu>
Cc: cbiop...@googlegroups.com <cbiop...@googlegroups.com>, Yichao Sun <yis...@med.cornell.edu>
Subject: Re: [cbioportal] Private Instance Data Access Token Generation UUID

ⓘ Informational: External Sender
This sender is external to Weill Cornell Medicine. Be careful when clicking links or opening attachments.

Benjamin Gross

unread,
Mar 19, 2026, 11:37:29 AM (3 days ago) Mar 19
to Miu ki Yip, cbiop...@googlegroups.com, Yichao Sun
Hi Yip,

The uuid mechanism was an implementation that existed before Keycloak was integrated into the cBioPortal ecosystem.  Since you have Keycloak in your configuration, you want to use it as a token provider.  Your settings should be similar to the following, with the URL to your Keycloak server in place:

--dat.method=oauth2
--dat.oauth2.clientId=<YOUR_KEYCLOAK_CLIENT_ID>
--dat.oauth2.clientSecret=<DAT_OAUTH2_CLIENT_SECRET>
--dat.oauth2.accessTokenUri=https://<YOUR_KEYCLOAK_HOSTNAME>/auth/realms/<YOUR_KEYCLOAK_REALM>/protocol/openid-connect/token
--dat.oauth2.jwkUrl=https://<YOUR_KEYCLOAK_HOSTNAME>/auth/realms/<YOUR_KEYCLOAK_REALM>/protocol/openid-connect/certs
--dat.oauth2.issuer=https://<YOUR_KEYCLOAK_HOSTNAME>/auth/realms/<YOUR_KEYCLOAK_REALM>
--dat.oauth2.userAuthorizationUri=https://<YOUR_KEYCLOAK_HOSTNAME>/auth/realms/<YOUR_KEYCLOAK_REALM>/protocol/openid-connect/auth
--dat.oauth2.redirectUri=https://<YOUR_CBIOPORTAL_HOSTNAME>/api/data-access-token/oauth2
--dat.oauth2.jwtRolesPath=realm_access::roles

You can find info about these properties on the same page in the “Modifying Configuration” section (see below).

If you followed the instructions for creating a Keycloak Client (see below), you would have set it up with Access Type “confidential”.  By doing this, you can download the DAT_OAUTH2_CLIENT_SECRET from the Keycloak Client “Credentials” tab.

Let me know how it goes.

-Benjamin



Reply all
Reply to author
Forward
0 new messages