
500 error when grant_type=refresh_token #43

Open
gabor-lbl opened this issue Oct 26, 2022 · 1 comment


@gabor-lbl

When I post to /oidc/token with:

```
grant_type: refresh_token
refresh_token: <refresh token>
client_id: <client id>
```

I get:

```
[2022-10-25 15:36:31,502] [DEBUG] [satosa.proxy_server]: unpack_post:: {'grant_type': 'refresh_token', 'refresh_token': '<refresh-token>', 'client_id': '<client-id>'}
[2022-10-25 15:36:31,502] [DEBUG] [satosa.proxy_server]: read request data: {'grant_type': 'refresh_token', 'refresh_token': '<refresh-token>', 'client_id': '<client-id>'}
[2022-10-25 15:36:31,503] [INFO] [satosa.base]: [urn:uuid:<session id>] Loaded state {'SESSION_ID': 'urn:uuid:<session id>'} from cookie
[2022-10-25 15:36:31,503] [DEBUG] [satosa.routing]: [urn:uuid:<session id>] Routing path: oidc/token
[2022-10-25 15:36:31,503] [DEBUG] [satosa.routing]: [urn:uuid:<session id>] Unknown backend oidc
[2022-10-25 15:36:31,503] [DEBUG] [satosa.routing]: [urn:uuid:<session id>] Found registered endpoint: module name:'oidc', endpoint: oidc/token
[2022-10-25 15:36:31,503] [DEBUG] [pyop.client_authentication]: client authentication in request body {'grant_type': 'refresh_token', 'refresh_token': '<refresh-token>', 'client_id': '<client-id>'}
[2022-10-25 15:36:31,511] [ERROR] [satosa.base]: [urn:uuid:<session id>] Uncaught exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 240, in run
    resp = self._run_bound_endpoint(context, spec)
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 180, in _run_bound_endpoint
    return spec(context)
  File "/usr/local/lib/python3.8/site-packages/satosa/frontends/openid_connect.py", line 356, in token_endpoint
    response = self.provider.handle_token_request(
  File "/usr/local/lib/python3.8/site-packages/pyop/provider.py", line 354, in handle_token_request
    return self._do_token_refresh(token_request)
  File "/usr/local/lib/python3.8/site-packages/pyop/provider.py", line 490, in _do_token_refresh
    access_token, refresh_token = self.authz_state.use_refresh_token(token_request['refresh_token'],
  File "/usr/local/lib/python3.8/site-packages/pyop/authz_state.py", line 266, in use_refresh_token
    authz_info = self.access_tokens[refresh_token_info['access_token']]
  File "/usr/local/lib/python3.8/site-packages/pyop/storage.py", line 156, in __getitem__
    raise KeyError(key)
KeyError: '<access token>'
[2022-10-25 15:36:31,512] [ERROR] [satosa.proxy_server]: Unknown error
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 240, in run
    resp = self._run_bound_endpoint(context, spec)
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 180, in _run_bound_endpoint
    return spec(context)
  File "/usr/local/lib/python3.8/site-packages/satosa/frontends/openid_connect.py", line 356, in token_endpoint
    response = self.provider.handle_token_request(
  File "/usr/local/lib/python3.8/site-packages/pyop/provider.py", line 354, in handle_token_request
    return self._do_token_refresh(token_request)
  File "/usr/local/lib/python3.8/site-packages/pyop/provider.py", line 490, in _do_token_refresh
    access_token, refresh_token = self.authz_state.use_refresh_token(token_request['refresh_token'],
  File "/usr/local/lib/python3.8/site-packages/pyop/authz_state.py", line 266, in use_refresh_token
    authz_info = self.access_tokens[refresh_token_info['access_token']]
  File "/usr/local/lib/python3.8/site-packages/pyop/storage.py", line 156, in __getitem__
    raise KeyError(key)
KeyError: '<access token>'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/satosa/proxy_server.py", line 148, in __call__
    resp = self.run(context)
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 258, in run
    raise SATOSAUnknownError("Unknown error") from err
satosa.exception.SATOSAUnknownError: Unknown error
```

We're running satosa with access token lifetimes of 10 minutes and refresh token lifetimes of 24 hours. Looking at the code, it looks like it's trying to load an access token that was already deleted by mongo.

Any ideas on how this is supposed to work? Thanks!

@c00kiemon5ter
Member

Hello @gabor-lbl

> it looks like it's trying to load an access token that was already deleted by mongo

This seems to be the case. An access token will be deleted from the database when logout is performed. During refresh, the access token that is linked to the refresh token is looked up in order to get the granted scopes and other information. This information is used to create a new access token. Then the new access token replaces the old access token linked from the refresh token.

Either the dependency of the refresh token on the access token to get information should break, and allow the refresh token to be independent from the linked access token, or the access tokens shouldn't be deleted but revoked/deactivated when logout is performed. Probably the former is easier and better (separating concerns).

While I don't think it's super hard to implement either of the solutions, development on pyop has stopped and focus has moved towards idpy-oidc. Pyop is considered deprecated but PRs are accepted and we will do our best to fix security issues until this repo is finally archived.

At the moment, satosa doesn't bundle a frontend based on idpy-oidc but there is SATOSA-oidcop developed by a community member and there is another one developed by eduTEAMS that has not yet been open-sourced (but will soon be, hopefully).
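To make the coupling concrete, here is an added toy model of the authorization state (illustration only, not pyop's code; the class, flags and method names are hypothetical). With default flags it reproduces the KeyError from the traceback above; each flag implements one of the two options from the reply: carrying the grant on the refresh token itself, or revoking rather than deleting the access token at logout.

```python
import secrets

class AuthzState:
    """Toy authz state. Default flags reproduce the issue; each flag is one of the two fixes."""
    def __init__(self, decoupled=False, revoke_on_logout=False):
        self.decoupled = decoupled
        self.revoke_on_logout = revoke_on_logout
        self.access_tokens = {}   # access_token -> {'sub', 'scope', ...}
        self.refresh_tokens = {}  # refresh_token -> {'access_token', ...}

    def grant(self, sub, scope):
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access_tokens[at] = {'sub': sub, 'scope': scope}
        self.refresh_tokens[rt] = {'access_token': at}
        if self.decoupled:  # option 1: the grant travels with the refresh token
            self.refresh_tokens[rt].update(sub=sub, scope=scope)
        return at, rt

    def logout(self, access_token):
        if self.revoke_on_logout:  # option 2: keep the record, mark it revoked
            self.access_tokens[access_token]['revoked'] = True
        else:
            del self.access_tokens[access_token]  # the behaviour described in the issue

    def use_refresh_token(self, rt):
        info = self.refresh_tokens[rt]
        # Coupled path: the linked access token must still exist -> KeyError after logout.
        authz = info if self.decoupled else self.access_tokens[info['access_token']]
        new_at = secrets.token_urlsafe(16)
        self.access_tokens[new_at] = {'sub': authz['sub'], 'scope': authz['scope']}
        info['access_token'] = new_at  # the new token replaces the old one in the link
        return new_at, authz['scope']


def refresh_after_logout(**flags):
    """Grant, log out, then refresh; returns ('ok', scope) or ('error', exception name)."""
    state = AuthzState(**flags)
    at, rt = state.grant('alice', 'openid profile')  # constructed sample grant
    state.logout(at)
    try:
        return ('ok', state.use_refresh_token(rt)[1])
    except KeyError as err:
        return ('error', type(err).__name__)
```

Running `refresh_after_logout()` with no flags gives the KeyError path the traceback shows; either flag lets the refresh succeed, and the `revoked` marker in option 2 is what a token introspection or userinfo check would consult instead of relying on the record's absence.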
