Skip to content

Refresh service account tokens #154 #271

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Refresh service account tokens #154 #271

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 10 additions & 23 deletions src/main/java/org/jgroups/protocols/kubernetes/Client.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
Expand All @@ -21,7 +22,6 @@
*/
public class Client {
protected final String masterUrl;
protected final Map<String, String> headers;
protected final int connectTimeout;
protected final int readTimeout;
protected final int operationAttempts;
Expand All @@ -30,29 +30,19 @@ public class Client {
protected final String info;
protected final Log log;

public Client(String masterUrl, Map<String, String> headers, int connectTimeout, int readTimeout, int operationAttempts,
public Client(String masterUrl, int connectTimeout, int readTimeout, int operationAttempts,
long operationSleep, StreamProvider streamProvider, Log log) {
this.masterUrl = masterUrl;
this.headers = headers;
this.connectTimeout = connectTimeout;
this.readTimeout = readTimeout;
this.operationAttempts = operationAttempts;
this.operationSleep = operationSleep;
this.streamProvider = streamProvider;
this.log=log;
Map<String, String> maskedHeaders=new TreeMap<>();
if (headers != null) {
for (Map.Entry<String, String> header : headers.entrySet()) {
String key = header.getKey();
String value = header.getValue();
if ("Authorization".equalsIgnoreCase(key) && value != null)
value = "#MASKED:" + value.length() + "#";
maskedHeaders.put(key, value);
}
}
info=String.format("%s[masterUrl=%s, headers=%s, connectTimeout=%s, readTimeout=%s, operationAttempts=%s, " +

info=String.format("%s[masterUrl=%s, connectTimeout=%s, readTimeout=%s, operationAttempts=%s, " +
"operationSleep=%s, streamProvider=%s]",
getClass().getSimpleName(), masterUrl, maskedHeaders, connectTimeout, readTimeout,
getClass().getSimpleName(), masterUrl, connectTimeout, readTimeout,
operationAttempts, operationSleep, streamProvider);
}

Expand All @@ -71,7 +61,7 @@ protected String fetchFromKubernetes(String op, String namespace, String labels,
InputStream stream=null;
String retval=null;
try {
stream=openStream(url, headers, connectTimeout, readTimeout, operationAttempts, operationSleep, streamProvider);
stream=openStream(url, new HashMap<>(), connectTimeout, readTimeout, operationAttempts, operationSleep, streamProvider);
retval=Util.readContents(stream);
if(dump_requests)
System.out.printf("--> %s\n<-- %s\n", url, retval);
Expand Down Expand Up @@ -231,19 +221,16 @@ protected boolean podRunning(Json podStatus) {
return false;
}
// 5. ready condition must be "True"
Boolean readyCondition = Boolean.FALSE;
boolean readyCondition = Boolean.FALSE;
List<Json> conditions = podStatus.at("conditions").asJsonList();
// walk through all the conditions and find type=="Ready" and get the value of the status property
for(Json condition: conditions) {
String type = condition.at("type").asString();
if(type.equalsIgnoreCase("Ready")) {
readyCondition = new Boolean(condition.at("status").asString());
readyCondition = Boolean.parseBoolean(condition.at("status").asString());
}
}
log.trace( "conditions with type==\"Ready\" has status property value = %s", readyCondition.toString());
if(!readyCondition.booleanValue()) {
return false;
}
return true;
log.trace( "conditions with type==\"Ready\" has status property value = %s", Boolean.toString(readyCondition));
return readyCondition;
}
}
12 changes: 3 additions & 9 deletions src/main/java/org/jgroups/protocols/kubernetes/KUBE_PING.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
import org.jgroups.protocols.PingHeader;
import org.jgroups.protocols.kubernetes.stream.CertificateStreamProvider;
import org.jgroups.protocols.kubernetes.stream.StreamProvider;
import org.jgroups.protocols.kubernetes.stream.TokenProvider;
import org.jgroups.protocols.kubernetes.stream.TokenStreamProvider;
import org.jgroups.stack.IpAddress;
import org.jgroups.util.NameCache;
Expand Down Expand Up @@ -149,24 +150,17 @@ public void init() throws Exception {
return; // no further initialization necessary
}
log.info("namespace %s set; clustering enabled", namespace);
Map<String,String> headers=new HashMap<>();
StreamProvider streamProvider;
if(clientCertFile != null) {
if(masterProtocol == null)
masterProtocol="http";
streamProvider=new CertificateStreamProvider(clientCertFile, clientKeyFile, clientKeyPassword, clientKeyAlgo, caCertFile);
}
else {
String saToken=readFileToString(saTokenFile);
if(saToken != null) {
// curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
// https://172.30.0.2:443/api/v1/namespaces/dward/pods?labelSelector=application%3Deap-app
headers.put("Authorization", "Bearer " + saToken);
}
streamProvider = new TokenStreamProvider(saToken, caCertFile);
streamProvider = new TokenStreamProvider(new TokenProvider(saTokenFile), caCertFile);
}
String url=String.format("%s://%s:%s/api/%s", masterProtocol, masterHost, masterPort, apiVersion);
client=new Client(url, headers, connectTimeout, readTimeout, operationAttempts, operationSleep, streamProvider, log);
client=new Client(url, connectTimeout, readTimeout, operationAttempts, operationSleep, streamProvider, log);
log.debug("KubePING configuration: " + toString());
}

Expand Down
50 changes: 50 additions & 0 deletions src/main/java/org/jgroups/protocols/kubernetes/stream/TokenProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
package org.jgroups.protocols.kubernetes.stream;

import mjson.Json;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.logging.Logger;

import static org.jgroups.protocols.kubernetes.Utils.readFileToString;

public class TokenProvider
{
private static final Logger log = Logger.getLogger(TokenProvider.class.getName());
private final String tokenFile;
private volatile long tokenExpiry;
private volatile String token;

public TokenProvider(String tokenFile) {
this.tokenFile = tokenFile;
}

public String getToken() throws IOException {
long currentTime = System.currentTimeMillis() / 1000;
if (token == null || (tokenExpiry > 0 && tokenExpiry < currentTime)) {
Copy link
Member

@rhusar rhusar Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@phani0207 This is relying on the fact that the system clock time is in sync between the pod and the k8s control plane and that the token is updated in time on the pod. I am assuming this is normally handled by refreshing the token early or leeway on the server – none of which seem to be an option here.

Any chance you have given some thought to this? I am wondering whether we need to retry a 401 to address this situation.

Copy link
Author

@phani0207 phani0207 Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok to give some background, we use KUBE_PING in our production for cluster discovery and communication. This started failing when we migrated to k8s on azure as azure refreshes the token every hour. In aws we never faced the issue as the token expiry is 1 year and we restart the pod before the token expires. We have this code currently deployed in our environment as we could not wait for this commit.

Retry already happens at the Utils.openStream call. So even if a call fails intermittently. it will recover in the next attempt. The responsibility of refreshing the token is with the k8s service and client does not have any control on that. As far as clock sync is concerned, I am not sure if there is a way we can handle it.
When considering the implementation, I also considered relying on the token file modified time, but it did not feel logical. Hence went with the current approach.
As far as I have investigated, there is a buffer of 7 secs on the azure before the token expires.

Copy link
Member

@rhusar rhusar Nov 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we use KUBE_PING in our production for cluster discovery and communication

Cool stuff @phani0207 Out of curiosity, is this within WildFly or Infinispan or something else? Since I will be back-porting this to older branches.

Retry already happens at the Utils.openStream call.

Right, good point, the retry there is 1 second (controlled by KUBERNETES_OPERATION_SLEEP) and attempts is 3 (KUBERNETES_OPERATION_ATTEMPTS) so that might address majority of time skew well enough.

The responsibility of refreshing the token is with the k8s service and client does not have any control on that.

Right, that's what I meant by 'none of which seem to be an option here.'; I should have been more clear.

When considering the implementation, I also considered relying on the token file modified time, but it did not feel logical. Hence went with the current approach.

I was thinking about that too but I wonder how reliable that is across different implementors/vendors.

As far as I have investigated, there is a buffer of 7 secs on the azure before the token expires.

OK so there appears to be some leeway in this case.
So I think this all checks!

Copy link
Author

@phani0207 phani0207 Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rhusar Neither. We use jgroups as a TPL and have logic for cluster initialization and communication in multiple microservices in our deployment.

synchronized (this) {
if (token == null || (tokenExpiry > 0 && tokenExpiry < currentTime)) {
log.info("Refreshing token from file " + tokenFile);
token = readFileToString(tokenFile).trim();
tokenExpiry = getExpiry(token);
}
}
}
return token;
}

static long getExpiry(String jwtToken) throws IOException {
try {
String[] parts = jwtToken.split("\\.");
if (parts.length < 2) throw new IOException("Invalid JWT token");
String payloadJson = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
Json payload = Json.read(payloadJson);
if (payload.has("exp")) return payload.at("exp").asLong();
log.info("No 'exp' claim found.");
} catch (Exception e) {
throw new IOException("Error decoding JWT: " + e.getMessage());
}
return -1;
}
}
26 changes: 15 additions & 11 deletions src/main/java/org/jgroups/protocols/kubernetes/stream/TokenStreamProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,14 @@
package org.jgroups.protocols.kubernetes.stream;

import static org.jgroups.protocols.kubernetes.Utils.openFile;
import static org.jgroups.protocols.kubernetes.Utils.readFileToString;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
Expand All @@ -31,20 +33,27 @@ public class TokenStreamProvider extends BaseStreamProvider {

private static final Logger log = Logger.getLogger(TokenStreamProvider.class.getName());

private String token;
private final TokenProvider tokenProvider;

private String caCertFile;
private final String caCertFile;

private SSLSocketFactory factory;
private volatile SSLSocketFactory factory;

public TokenStreamProvider(String token, String caCertFile) {
this.token = token;
public TokenStreamProvider(TokenProvider tokenProvider, String caCertFile) {
this.tokenProvider = tokenProvider;
this.caCertFile = caCertFile;
}

@Override
public InputStream openStream(String url, Map<String, String> headers, int connectTimeout, int readTimeout)
throws IOException {
String saToken = tokenProvider.getToken();
if (saToken != null) {
// curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
// https://172.30.0.2:443/api/v1/namespaces/dward/pods?labelSelector=application%3Deap-app
headers.put("Authorization", "Bearer " + saToken);
}

URLConnection connection = openConnection(url, headers, connectTimeout, readTimeout);

if (connection instanceof HttpsURLConnection) {
Expand All @@ -60,15 +69,10 @@ public InputStream openStream(String url, Map<String, String> headers, int conne
}
}

if (token != null) {
// curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
// https://172.30.0.2:443/api/v1/namespaces/dward/pods?labelSelector=application%3Deap-app
headers.put("Authorization", "Bearer " + token);
}
return connection.getInputStream();
}

static TrustManager[] configureCaCert(String caCertFile) throws Exception {
static TrustManager[] configureCaCert(String caCertFile) throws Exception {
if (caCertFile != null && !caCertFile.isEmpty()) {
try {
InputStream pemInputStream = openFile(caCertFile);
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/org/jgroups/ping/kube/test/TestClient.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ public TestClient() throws URISyntaxException, IOException {
}

public TestClient(String jsonFile) throws URISyntaxException, IOException {
super(null, null, 0, 0, 0, 0,
super(null, 0, 0, 0, 0,
null, LogFactory.getLog(TestClient.class));
String json = readFileToString(new File(TestClient.class.getResource(jsonFile).toURI()));
OPS.put("pods", json);
Expand Down
112 changes: 112 additions & 0 deletions src/test/java/org/jgroups/protocols/kubernetes/stream/TokenProviderTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
package org.jgroups.protocols.kubernetes.stream;

import mjson.Json;
import org.junit.Before;
import org.junit.Test;

import java.io.File;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.Base64;

import static org.jgroups.protocols.kubernetes.Utils.readFileToString;
import static org.junit.Assert.*;

public class TokenProviderTest
{
private static final String JWT_PREFIX = "eyJhbGciOiJIUzI1NiJ9.";
private String validJwtWithExpiry;
private String validJwtWithoutExpiry;
private static final String INVALID_JWT = "invalid.jwt.token";
private File tempTokenFile;
private TokenProvider tokenProvider;

@Before
public void setUp() throws IOException, URISyntaxException {
validJwtWithExpiry = readFileToString(new File(TokenProvider.class.getResource("/tokenWithExpiry.txt").toURI()));
validJwtWithoutExpiry = readFileToString(new File(TokenProvider.class.getResource("/tokenWithoutExpiry.txt").toURI()));
tempTokenFile = File.createTempFile("token", ".txt");
tempTokenFile.deleteOnExit();
tokenProvider = new TokenProvider(tempTokenFile.getAbsolutePath());
}

@Test
public void returnsTokenWhenFileContainsValidJWT() throws IOException {
Files.writeString(tempTokenFile.toPath(), validJwtWithExpiry);
String token = tokenProvider.getToken();
assertEquals(validJwtWithExpiry, token);
}

@Test
public void throwsIOExceptionWhenFileContainsInvalidJWT() throws IOException {
Files.writeString(tempTokenFile.toPath(), INVALID_JWT);
assertThrows(IOException.class, () -> tokenProvider.getToken());
}

@Test
public void returnsSameTokenIfNotExpired() throws IOException {
Files.writeString(tempTokenFile.toPath(), validJwtWithExpiry);
String token1 = tokenProvider.getToken();
String token2 = tokenProvider.getToken();
assertEquals(token1, token2);
}

@Test
public void refreshesTokenWhenExpired() throws IOException, InterruptedException {
Files.writeString(tempTokenFile.toPath(), validJwtWithExpiry);
updateTokenExpiryInFile(tempTokenFile, (System.currentTimeMillis() + 1000) / 1000); // Set expiry in the past
String token1 = tokenProvider.getToken();
Thread.sleep(2000L);
updateTokenExpiryInFile(tempTokenFile, (System.currentTimeMillis() + 1000) / 1000); // Set expiry in the past
String toekn2 = tokenProvider.getToken();
assertNotEquals(token1, toekn2);
}

@Test
public void throwsIOExceptionForInvalidJWTExpiry() {
assertThrows(IOException.class, () -> TokenProvider.getExpiry(INVALID_JWT));
}

@Test
public void returnsExpiryForValidJWT() throws IOException {
Files.writeString(tempTokenFile.toPath(), validJwtWithExpiry);
long tokenExpiry = (System.currentTimeMillis() + 10000) / 1000;
updateTokenExpiryInFile(tempTokenFile, tokenExpiry); // JWT 'exp' is in seconds
long expiry = TokenProvider.getExpiry(tokenProvider.getToken());
assertEquals(tokenExpiry, expiry);
}

@Test
public void returnsMinusOneForJWTWithoutExpiry() throws IOException {
Files.writeString(tempTokenFile.toPath(), validJwtWithoutExpiry);
long expiry = TokenProvider.getExpiry(tokenProvider.getToken());
assertEquals(-1, expiry);
}

public static void updateTokenExpiryInFile(File tokenFile, long newExpiry) throws IOException {
String token = Files.readString(tokenFile.toPath()).trim();
String[] parts = token.split("\\.");
if (parts.length < 3) throw new IOException("Invalid JWT token format");

// Decode payload
String payloadJson = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
Json payload = Json.read(payloadJson);

// Update expiry
payload.set("exp", newExpiry);

// Re-encode payload
String newPayload = Base64.getUrlEncoder().withoutPadding()
.encodeToString(payload.toString().getBytes(StandardCharsets.UTF_8));

// Reconstruct token
String newToken = parts[0] + "." + newPayload + "." + parts[2];

// Save to file
Files.write(tokenFile.toPath(), newToken.getBytes(StandardCharsets.UTF_8));
}

}

1 change: 1 addition & 0 deletions src/test/resources/tokenWithExpiry.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
eyJhbGciOiJSUzI1NiIsImtpZCI6ImQyNWM2ZjQyODRhMTZlNzA0N2JkOWEwMWNmOWIxNGFkOWFmNWY3NzUifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTc5MjY1ODc5MywiaWF0IjoxNzYxMTIyNzkzLCJpc3MiOiJodHRwczovL29pZGMuZWtzLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tL2lkLzFDMEU0M0U4QUZBOTI2RDg4REUyMUJCMUI5QkU3QzlCIiwianRpIjoiMjkwNjViNWItYTg4ZC00ZGE2LWJhNjktZGRjYzA2OTdiZGQ1Iiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJjYWktcWEtbWwiLCJub2RlIjp7Im5hbWUiOiJpcC0xMC0yMC0yMDQtMjkudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWwiLCJ1aWQiOiJkMzE5ZmYwYi03YjAxLTQxYWMtOWMxYS1hODc2NmNmMzFjYWMifSwicG9kIjp7Im5hbWUiOiJhcHBsaWNhdGlvbi1pbnRlZ3JhdGlvbi1vYm0tMCIsInVpZCI6IjNiNjM3MjBhLTc1YTctNDllNS1iOTFhLTZmNTZhNjJhZDJjMiJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiY2Fpc2VydmljZS1zZXJ2aWNlLWFjY291bnQiLCJ1aWQiOiJkMzE1MWE1My1mODk4LTQ5MTMtYjczNC00MTU1ZmY0MWY0NjAifSwid2FybmFmdGVyIjoxNzYxMTI2NDAwfSwibmJmIjoxNzYxMTIyNzkzLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6Y2FpLXFhLW1sOmNhaXNlcnZpY2Utc2VydmljZS1hY2NvdW50In0.dW2Ekvy9ltpmLGHrE7JrS7F4VE2lqdY2PtKiQqdbca9ED7s7njq9QnP8STolxT7z3MNlee7ayZC2RGIoz_Hs84dKncQZDvxmVgHTgWI9ohaA2tFLUWBfEwx1WTGrlN6pL_DN_7kJlxZkAQeTAmmCPTYI6-mFyqZ9sjCuavzVvQBJ5cH7sqRg7R8FQDMaq45GF-G8I2QfWg7Pqz298F8AU8891AtxTh5K2jawFoWBqcp5BieozNgmdR76amktcL45AxvKj1nW5zW53zSEPRVxUgYoEq8r6rnRGULRW2mqohpFLS-ZbPfRJZM9FPpRA4LYNX_84tlaKdUqB8t4BjQfTQa
1 change: 1 addition & 0 deletions src/test/resources/tokenWithoutExpiry.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
eyJhbGciOiJSUzI1NiIsImtpZCI6IlJIeHZ6Z1d5NWFiekhLakFGczBwYjlxemNIdjdhWVN5S0ZfdTF3czFENVkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYWktcHJvZC1hemNhYzIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2FpLXNlcnZpY2UtYWNjb3VudC1rdWJlcGluZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjYWktc2VydmljZS1hY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiOTEwYzk5OTMtOTZmMS00OTQ4LTk2OWMtM2ZiNjZmNDk4NDRmIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmNhaS1wcm9kLWF6Y2FjMjpjYWktc2VydmljZS1hY2NvdW50In0.Ko3nOwk-aumtdCMomNcunV_7GD1_gK2pbR1L9IKRsfs_0srgzc3UyqNL-XrbdFhuy-VHF708299ArjSpUzhkdaD1zx1PvoHzMLS5ivgTPfnhSYrAmBOSFTFQjgUZzndDkxHcxwDhq3x7yRZsizKJ5V000cgHT5JGPWEpGmwPQkY4GsaT5ZLv324ZxtggUHoqXWeYYWciZKERenVtz1V5TJofEpmmau7fitb2iM5DnpJH_W6KYaEzQozDBqJ-EhaWjQn8bFJgi08N_ZA_qDOsCtNwIphrLPiUnmLS6F2TU_584njNawBE_vrcJL82J7M2f2g6eroE_DeEoDMmd9d77ZCF3Zy94fW_9x_CFF242g2EbD6yLGNZXvsNrf0qA6-DMA2Ihft6QxeNJX9ETDDroJ6IPUc13Zq_SmZdqLeCCwAQpajBbCCyU6ih8xsyxa1Os_bjmTdT2OUGQ8FBIkmJfTFnmMCrqsd60CZ--cPY9OGBmloJbZ3OEDNWPmb75pTulIgAy1b79bzco3y4qSiWeQ1-WI6hNaogf-sIVlkm1Q7Sh0IczlalJGcqIHbkFjYezY3ZR6PnjUKjGXDqqDpFMwjGo-F-tNwt3AgPjEJD0LdhUBFtnsW5T38RQIYFEuHyJT4YHKOCQ3iSDMyb1EY_sm3qnj6vEnjdRh_jthat3e8