When I post to
/oidc/token
with:
I get:
[2022-10-25 15:36:31,502] [DEBUG] [satosa.proxy_server]: unpack_post:: {'grant_type': 'refresh_token', 'refresh_token': '<refresh-token>', 'client_id': '<client-id>'}
[2022-10-25 15:36:31,502] [DEBUG] [satosa.proxy_server]: read request data: {'grant_type': 'refresh_token', 'refresh_token': '<refresh-token>', 'client_id': '<client-id>'}
[2022-10-25 15:36:31,503] [INFO] [satosa.base]: [urn:uuid:<session id>] Loaded state {'SESSION_ID': 'urn:uuid:<session id>'} from cookie
[2022-10-25 15:36:31,503] [DEBUG] [satosa.routing]: [urn:uuid:<session id>] Routing path: oidc/token
[2022-10-25 15:36:31,503] [DEBUG] [satosa.routing]: [urn:uuid:<session id>] Unknown backend oidc
[2022-10-25 15:36:31,503] [DEBUG] [satosa.routing]: [urn:uuid:<session id>] Found registered endpoint: module name:'oidc', endpoint: oidc/token
[2022-10-25 15:36:31,503] [DEBUG] [pyop.client_authentication]: client authentication in request body {'grant_type': 'refresh_token', 'refresh_token': '<refresh-token>', 'client_id': '<client-id>'}
[2022-10-25 15:36:31,511] [ERROR] [satosa.base]: [urn:uuid:<session id>] Uncaught exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 240, in run
    resp = self._run_bound_endpoint(context, spec)
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 180, in _run_bound_endpoint
    return spec(context)
  File "/usr/local/lib/python3.8/site-packages/satosa/frontends/openid_connect.py", line 356, in token_endpoint
    response = self.provider.handle_token_request(
  File "/usr/local/lib/python3.8/site-packages/pyop/provider.py", line 354, in handle_token_request
    return self._do_token_refresh(token_request)
  File "/usr/local/lib/python3.8/site-packages/pyop/provider.py", line 490, in _do_token_refresh
    access_token, refresh_token = self.authz_state.use_refresh_token(token_request['refresh_token'],
  File "/usr/local/lib/python3.8/site-packages/pyop/authz_state.py", line 266, in use_refresh_token
    authz_info = self.access_tokens[refresh_token_info['access_token']]
  File "/usr/local/lib/python3.8/site-packages/pyop/storage.py", line 156, in __getitem__
    raise KeyError(key)
KeyError: '<access token>'
[2022-10-25 15:36:31,512] [ERROR] [satosa.proxy_server]: Unknown error
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 240, in run
    resp = self._run_bound_endpoint(context, spec)
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 180, in _run_bound_endpoint
    return spec(context)
  File "/usr/local/lib/python3.8/site-packages/satosa/frontends/openid_connect.py", line 356, in token_endpoint
    response = self.provider.handle_token_request(
  File "/usr/local/lib/python3.8/site-packages/pyop/provider.py", line 354, in handle_token_request
    return self._do_token_refresh(token_request)
  File "/usr/local/lib/python3.8/site-packages/pyop/provider.py", line 490, in _do_token_refresh
    access_token, refresh_token = self.authz_state.use_refresh_token(token_request['refresh_token'],
  File "/usr/local/lib/python3.8/site-packages/pyop/authz_state.py", line 266, in use_refresh_token
    authz_info = self.access_tokens[refresh_token_info['access_token']]
  File "/usr/local/lib/python3.8/site-packages/pyop/storage.py", line 156, in __getitem__
    raise KeyError(key)
KeyError: '<access token>'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/satosa/proxy_server.py", line 148, in __call__
    resp = self.run(context)
  File "/usr/local/lib/python3.8/site-packages/satosa/base.py", line 258, in run
    raise SATOSAUnknownError("Unknown error") from err
satosa.exception.SATOSAUnknownError: Unknown error
We're running satosa with access token lifetimes of 10mins and refresh token lifetimes of 24hrs. Looking at the code, it looks like it's trying to load an access token that was already deleted by mongo.
Any ideas on how this is supposed to work? Thanks!
> it looks like it's trying to load an access token that was already deleted by mongo
This seems to be the case. An access token will be deleted from the database when logout is performed. During refresh, the access token that is linked to the refresh token is looked up in order to get the granted scopes and other information. This information is used to create a new access token. Then the new access token replaces the old access token linked from the refresh token.
Either the dependency of the refresh token on the access token to get information should break, allowing the refresh token to be independent from the linked access token, or the access tokens shouldn't be deleted but revoked/deactivated when logout is performed. Probably the former is easier and better (separating concerns).
While I don't think it's super hard to implement either of the solutions, development on pyop has stopped and focus has moved towards idpy-oidc. pyop is considered deprecated, but PRs are accepted and we will do our best to fix security issues until this repo is finally archived.
At the moment, satosa doesn't bundle a frontend based on idpy-oidc but there is SATOSA-oidcop developed by a community member and there is another one developed by eduTEAMS that has not yet been open-sourced (but will soon be, hopefully).
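The first option the reply describes (a refresh token that carries its own grant information, so refresh survives the linked access token being deleted by logout or by a MongoDB TTL index), as an added example that is not pyop's or SATOSA's code: AuthzState, InvalidGrant and token_endpoint are hypothetical stand-ins with the same 10 minute / 24 hour lifetimes as the report, and a missing or expired refresh token becomes an OAuth 2.0 invalid_grant response rather than an uncaught KeyError.

```python
import secrets
import time

ACCESS_TTL = 600      # 10 minutes, the access-token lifetime from the report
REFRESH_TTL = 86400   # 24 hours, the refresh-token lifetime from the report

class InvalidGrant(Exception):
    """Refresh token unknown, revoked or expired: OAuth 2.0 'invalid_grant'."""

class AuthzState:
    """Hypothetical stand-in for pyop's authorization state, not the library's API."""

    def __init__(self, now=time.time):
        self.now = now             # injectable clock so expiry is testable
        self.access_tokens = {}    # token -> {"sub", "scope", "exp"}
        self.refresh_tokens = {}   # token -> {"sub", "scope", "exp", "access_token"}

    def issue(self, sub, scope):
        """Mint an access/refresh pair; the grant is copied onto the refresh record."""
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        t = self.now()
        self.access_tokens[at] = {"sub": sub, "scope": scope, "exp": t + ACCESS_TTL}
        self.refresh_tokens[rt] = {"sub": sub, "scope": scope,
                                   "exp": t + REFRESH_TTL, "access_token": at}
        return at, rt

    def purge_expired(self):
        """What a MongoDB TTL index does in the background: drop expired documents."""
        t = self.now()
        for store in (self.access_tokens, self.refresh_tokens):
            for token in [k for k, v in store.items() if v["exp"] <= t]:
                del store[token]

    def refresh(self, refresh_token):
        info = self.refresh_tokens.get(refresh_token)
        if info is None or info["exp"] <= self.now():
            raise InvalidGrant("refresh token unknown, revoked or expired")
        # The linked access token may already be gone (TTL purge or logout); sub and
        # scope come from the refresh record itself, so there is no KeyError here.
        self.access_tokens.pop(info["access_token"], None)
        new_at = secrets.token_urlsafe(32)
        self.access_tokens[new_at] = {"sub": info["sub"], "scope": info["scope"], "exp": self.now() + ACCESS_TTL}
        info["access_token"] = new_at   # re-link the refresh token to the new access token
        return new_at

def token_endpoint(state, request):
    """Map a refresh_token grant to an OAuth 2.0 response instead of a 500 'Unknown error'."""
    try:
        access_token = state.refresh(request["refresh_token"])
    except (KeyError, InvalidGrant):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": access_token, "token_type": "Bearer", "expires_in": ACCESS_TTL}
```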