[23.1] Renew access tokens from PSA using valid refresh tokens #20040
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Method `PSAAuthnz.refresh()` from psa_authnz.py holds its promise to refresh tokens only if they reached their half lifetime. However, that does not exclude expired tokens. Add an extra comparison to exclude expired refresh tokens.
|
@bgruening this fixes some (not all) LS-AAI errors. |
|
@kysrpex thanks a lot. @martenson ping ... |
martenson
reviewed
Apr 18, 2025
| if ( | ||
| int(user_authnz_token.extra_data["auth_time"]) + int(expires) / 2 | ||
| <= int(time.time()) | ||
| < int(user_authnz_token.extra_data["auth_time"]) + int(expires) |
There was a problem hiding this comment.
The tokens I am getting have e.g. "exp": 1739534619 so the operation you are doing here will compare to year ~2080. I think you just need the expiration time here.
There was a problem hiding this comment.
That's confusing. In the database (table oidc_user_authnz_tokens), I have tokens with provider in ('elixir', 'egi-checkin') (those are the only providers) and their extra_data looks like this.
{
"access_token": "************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
"auth_time": 1738768462,
"expires_in": 3600,
"id_token": "**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
"refresh_token": "*************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
"token_type": "Bearer"
}Don't the tokens you are referring to come from table custos_authnz_token? Those indeed seem to use an expiration timestamp (rather than an increment that has to be added to a timestamp).
There was a problem hiding this comment.
@kysrpex ugh, that is a disastrous split on how to handle this. :/
Maybe just my tokens (which are indeed from custos_authnz_token) are different, however on L174 you are checking for expires in addition to expires_in though -- could these two have different handling even in the same codepath?
martenson
reviewed
Apr 25, 2025
| @@ -179,7 +179,11 @@ def refresh(self, trans, user_authnz_token): | |||
| else: | |||
| log.debug("No `expires` or `expires_in` key found in token extra data, cannot refresh") | |||
| return False | |||
| if int(user_authnz_token.extra_data["auth_time"]) + int(expires) / 2 <= int(time.time()): | |||
| if ( | |||
| int(user_authnz_token.extra_data["auth_time"]) + int(expires) / 2 | |||
There was a problem hiding this comment.
if the expires is "seconds to expire from issue time" then this comparison is broken I think
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Method
PSAAuthnz.refresh()from psa_authnz.py holds its promise to refresh tokens only if they reached their half lifetime. However, that does not exclude expired tokens. Add an extra comparison to exclude expired refresh tokens.This fix gets rid of this kind of error:
Apr 17 15:54:53 sn06.galaxyproject.eu gunicorn[2716973]: requests.exceptions.HTTPError: 401 Client Error: 401 for url: https://login.elixir-czech.org/oidc/token.How to test the changes?
(Select all options that apply)
License