[Iplant-api-dev] OAuth2: occasional bad refresh tokens
Duvick, Jonathan P [GDCBS]
jduvick at iastate.edu
Sun Mar 29 12:58:55 MST 2015
Glad it's not just me! The good news is it seems to correct itself over time (the 'bad' tokens get replaced)... is that your experience also?
Jon
Jon Duvick
PlantGDB Manager
http://www.plantgdb.org/
Department of Genetics, Development and Cell Biology
2258 Molecular Biology Building
Iowa State University
Ames IA 50011
(515) 294-2360
(515) 294-6755 FAX
________________________________
From: rlwalls2008 at gmail.com <rlwalls2008 at gmail.com> on behalf of Ramona Walls <rwalls at iplantcollaborative.org>
Sent: Friday, March 27, 2015 6:38 PM
To: Duvick, Jonathan P [GDCBS]
Cc: Discussion of iPlant API development
Subject: Re: [Iplant-api-dev] OAuth2: occasional bad refresh tokens
I have noticed this response as well, but never gone to the effort to figure out what is causing it.
Ramona
------------------------------------------------------
Ramona L. Walls, Ph.D.
Scientific Analyst
The iPlant Collaborative
Thomas J. Keating Bioresearch Building
1657 East Helen St
Tucson, AZ 85721
tel: 520.626.1489
fax: 520.626.4824
rwalls at iplantcollaborative.org
On Fri, Mar 27, 2015 at 6:57 AM, Duvick, Jonathan P [GDCBS] <jduvick at iastate.edu> wrote:
The API occasionally issues a 'bad' refresh_token (i.e. when submitting a refresh request, it returns a '400' http response and the following message: 'Provided Authorization Grant is invalid')
In tracing the problem I observed that the system will sometimes re-issue an 'old' set of tokens (that is, a set that was issued before but superseded by a previous 'refresh' command). In that situation, the 'new/old' refresh token is invalid in the way I describe above. I didn't test whether the access_token was valid for API access in this situation, but I would imagine it is not.
This resolves over time, even within the 4 hr lifespan of token validity-- curiously, after an hour or so, a subsequent login request will typically return a _different_ token pair that is not faulty.
The context for these observations is the process of debugging code that involves the issuing of multiple authenticate / refresh commands for the same user within a span of perhaps less than a minute. Possibly this could result in some concurrency or caching issue.
In a related question, does Agave support OAuth2 'revoke' functions? If so I can get around this issue.
Jon Duvick
PlantGDB Manager
http://www.plantgdb.org/
Department of Genetics, Development and Cell Biology
2258 Molecular Biology Building
Iowa State University
Ames IA 50011
(515) 294-2360
(515) 294-6755 FAX
_______________________________________________
Iplant-api-dev Mailing List: Iplant-api-dev at iplantcollaborative.org<mailto:Iplant-api-dev at iplantcollaborative.org>
List Info and Archives: http://mail.iplantcollaborative.org/mailman/listinfo/iplant-api-dev
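The behaviour Jon describes (a superseded token pair handed back again, then a 400 'Provided Authorization Grant is invalid' on the next refresh), modelled as an added example that is not part of this thread or of Agave's code: the endpoint below is a constructed stand-in that replays an old pair once, and the client shows a defensive handling pattern (remember every refresh token you have held, flag a 'new' pair you have already seen, and on a 400 fall back to a full login instead of retrying the dead token).

```python
class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint (not Agave's code); replays a stale pair once."""
    def __init__(self, replay_at=3):
        self._n, self._issued, self._live = 0, [], None   # every pair issued, oldest first
        self._refreshes, self._replay_at = 0, replay_at
    def _issue(self):                     # mint a fresh pair; only its refresh token is live
        self._n += 1
        pair = {"access_token": f"access-{self._n}", "refresh_token": f"refresh-{self._n}"}
        self._issued.append(pair)
        self._live = pair["refresh_token"]
        return 200, pair
    def password_grant(self):
        return self._issue()
    def refresh_grant(self, refresh_token):
        self._refreshes += 1
        if refresh_token != self._live:   # superseded token: the 400 seen in the thread
            return 400, {"error": "invalid_grant",
                         "error_description": "Provided Authorization Grant is invalid"}
        if self._refreshes == self._replay_at and len(self._issued) > 1:
            return 200, dict(self._issued[0])   # the symptom: an old pair handed back
        return self._issue()

class TokenClient:
    """Tracks every refresh token held, flags a re-issued old pair, re-logs in on 400."""
    def __init__(self, endpoint):
        self.endpoint, self.pair, self.seen, self.events = endpoint, None, set(), []
    def _accept(self, body):
        rt = body["refresh_token"]
        if rt in self.seen:               # a pair we already held: its refresh token is dead
            self.events.append(f"stale_pair:{rt}")
        self.seen.add(rt)
        self.pair = body
        return body
    def login(self):
        return self._accept(self.endpoint.password_grant()[1])
    def refresh(self):
        status, body = self.endpoint.refresh_grant(self.pair["refresh_token"])
        if status == 400:                 # do not retry the dead token; re-authenticate
            self.events.append("invalid_grant")
            return self.login()
        return self._accept(body)

def run_scenario(replay_at=3, refreshes=5):
    """Login, then refresh `refreshes` times; returns (events seen, final token pair)."""
    client = TokenClient(FakeTokenEndpoint(replay_at))
    client.login()
    for _ in range(refreshes):
        client.refresh()
    return client.events, client.pair
```

With the default scenario the third refresh returns the already-superseded first pair, which the client flags, and the fourth refresh fails with the 400 and triggers a fresh login.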