[Iplant-api-dev] OAuth2: occasional bad refresh tokens

Duvick, Jonathan P [GDCBS] jduvick at iastate.edu
Fri Mar 27 06:57:04 MST 2015


The API occasionally issues a 'bad' refresh_token (i.e. when submitting a refresh request, it returns a '400' HTTP response and the following message: 'Provided Authorization Grant is invalid').


In tracing the problem I observed that the system will sometimes re-issue an 'old' set of tokens (that is, a set that was issued before but superseded by a previous 'refresh' command). In that situation, the 'new/old' refresh token is invalid in the way I describe above. I didn't test whether the access_token was valid for API access in this situation, but I would imagine it is not.


This resolves over time, even within the 4 hr lifespan of token validity; curiously, after an hour or so, a subsequent login request will typically return a _different_ token pair that is not faulty.


The context for these observations is the process of debugging code that involves the issuing of multiple authenticate / refresh commands for the same user within a span of perhaps less than a minute. Possibly this could result in some concurrency or caching issue.


In a related question, does Agave support OAuth2 'revoke' functions? If so I can get around this issue.


Jon Duvick
PlantGDB Manager
http://www.plantgdb.org/
Department of Genetics, Development and Cell Biology
2258 Molecular Biology Building
Iowa State University
Ames IA 50011

(515) 294-2360
(515) 294-6755 FAX
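The failure mode reported above (a refresh call handing back an already-superseded token pair, whose refresh token is then rejected with a 400) is the kind of thing a client should detect rather than retry. The following is an added example, not code from this post or from the Agave API: a hypothetical `TokenManager` that remembers every refresh token it has already spent, treats a re-issued one as stale, and falls back to a full login on either a stale pair or an invalid-grant response. `FakeTokenServer` is a constructed stand-in that reproduces the replay on demand, with token strings ("at1"/"rt1", ...) made up for the demo.

```python
class InvalidGrant(Exception):
    """Refresh endpoint answered 400 'Provided Authorization Grant is invalid'."""

class TokenManager:
    """Client-side rotation guard: never use a refresh token this client already spent."""
    def __init__(self, authenticate, refresh):
        self._authenticate = authenticate  # () -> (access_token, refresh_token), full login
        self._refresh = refresh            # (refresh_token) -> pair, or raises InvalidGrant
        self.current = None
        self.retired = set()               # refresh tokens already consumed by a refresh call

    def login(self):
        self.current = self._authenticate()
        return self.current

    def refresh(self):
        spent = self.current[1]
        try:
            pair = self._refresh(spent)
        except InvalidGrant:               # the 400 described in the report
            pair = None
        self.retired.add(spent)
        if pair is None or pair[1] in self.retired:
            return self.login(), "reauthenticated"  # rejected grant or replayed old pair: start over
        self.current = pair
        return pair, "refreshed"

class FakeTokenServer:
    """Constructed stand-in for the token endpoint; replays a superseded pair on demand."""
    def __init__(self):
        self.issued = []                   # every pair ever issued, oldest first
        self.replay_stale = False

    def authenticate(self):
        n = len(self.issued) + 1
        self.issued.append((f"at{n}", f"rt{n}"))
        return self.issued[-1]

    def refresh(self, refresh_token):
        if refresh_token != self.issued[-1][1]:
            raise InvalidGrant("Provided Authorization Grant is invalid")
        if self.replay_stale and len(self.issued) >= 2:
            self.replay_stale = False
            return self.issued[-2]         # the bug: a superseded pair comes back
        return self.authenticate()

def demo():
    server = FakeTokenServer()
    tm = TokenManager(server.authenticate, server.refresh)
    first = tm.login()
    second, how1 = tm.refresh()            # normal rotation
    server.replay_stale = True
    third, how2 = tm.refresh()             # server hands back pair 1; client refuses it and re-logs in
    return [(first[1], "login"), (second[1], how1), (third[1], how2)]
```

Logging each "reauthenticated" outcome with the spent and returned refresh-token identifiers gives a timeline for reporting the replay to the API operators.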