Failures refreshing OAuth tokens #91
Comments
I should note that even though there is a failure to refresh (and admins are notified of the failure), the farm does not end up unauthorized in the Aggregator. This is because in these cases there is at least one successful refresh that happens...which populates the aggregator DB with a valid token.
I've implemented a lock with the Python Requests that are made while another thread is refreshing wait for the lock to be made available before loading the latest tokens and continuing on to creating their own client. These logs describe what happens:
Ah great! That makes perfect sense @paul121 ! Great work! I've deployed this change, so let's see if those errors clear up. I'll close this, but we can reopen if necessary (or if you think it needs to stay open for any reason).
We've still been seeing these alert emails from time to time, so reopening this.
@paul121 and I did some deep dives into the logs yesterday to try to find clues. Made some progress but still haven't been able to replicate the issue ourselves. Here's what we found: In looking at the Aggregator's For example:
But, this does not happen consistently. Most of the time there is no issue. And we are still unable to replicate it consistently. We tested sending batches of requests to the same endpoints via the browser console with the following code (courtesy of @paul121):
Notably... when we look at the farmOS server logs after that we always see 2 requests being made to Here are the logs:
As an aside, the logs show that farmOS.py is also making requests to
We also wondered if maybe this issue (which we ran into earlier) could be related: https://www.drupal.org/project/oauth2_server/issues/2859214 I don't think it is... but worth linking to it here in case we need to reassess it. My understanding is that the only issue with that is sometimes the
Let's try this again... With the above test sending multiple requests instantaneously using
After these changes I no longer see multiple
Unfortunately we're still experiencing this issue after the latest changes, although it does seem to happen less frequently than before. Since this isn't breaking functionality with the 3rd party, we haven't considered this a critical issue. The client code could handle the error and make the request again. I'm curious if this bug will be present once we start integrating farmOS 2x servers. Since we have a new OAuth backend, there is a decent chance this issue could go away... and/or create new issues :-) More info in #98
Update: We are still seeing this issue occasionally with the That indicates that it's an issue with the Aggregator and not with the farmOS server (since the OAuth server code from farmOS 1.x to 2.x is completely different). So we can put this wonder to rest:
Some attempts to refresh OAuth tokens on the farmOS server are failing, but only when there are two back-to-back attempts to refresh using the same `refresh_token`. It's unclear how often this happens, but some of the time the second request fails (as expected) because the `refresh_token` has already been used. Other times both requests succeed, which shouldn't happen. This is likely due to how the farmOS server (and underlying `oauth2_server` module) handle the request to refresh tokens.
The larger issue, though, is that there are two attempts to refresh tokens. One thought is that when instantiating farmOS.py it makes multiple requests to the server (to get a CSRF token) and later process the request (and both of these might try to refresh a token beforehand) but these are handled synchronously so I don't believe this is causing the problem.
I think it's likely that if multiple requests come to the aggregator requesting data from the same farmOS server, after an access token has expired (every hour under sustained use), then there could sometimes be multiple attempts to refresh the same token.
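Added example (not part of the original thread and not the Aggregator's or farmOS.py's code): a minimal model of the double-refresh race described in this issue, next to the lock-and-reload approach mentioned in the comments. `FakeTokenServer`, `TokenStore` and `run_burst` are hypothetical names, and the token server is a constructed stand-in that enforces single-use refresh tokens.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class FakeTokenServer:
    """Constructed stand-in for an OAuth server with single-use refresh tokens."""
    def __init__(self):
        self._lock, self.issued, self.rejected = threading.Lock(), 0, 0
        self.valid_refresh = "r0"
    def refresh(self, refresh_token):
        time.sleep(0.05)  # simulated network latency widens the race window
        with self._lock:
            if refresh_token != self.valid_refresh:
                self.rejected += 1
                raise PermissionError("invalid_grant: refresh_token already used")
            self.issued += 1
            self.valid_refresh = f"r{self.issued}"
            return {"access_token": f"a{self.issued}", "refresh_token": self.valid_refresh,
                    "expires_at": time.monotonic() + 3600}

class TokenStore:
    """Hypothetical per-farm token store; one lock serializes refreshes."""
    def __init__(self, server, token):
        self.server, self.token = server, token
        self._refresh_lock = threading.Lock()
    def get_access_token(self, use_lock=True):
        if self.token["expires_at"] > time.monotonic():
            return self.token["access_token"]
        if not use_lock:  # racy: every thread that saw expiry replays the same refresh_token
            self.token = self.server.refresh(self.token["refresh_token"])
            return self.token["access_token"]
        with self._refresh_lock:
            # Re-load after acquiring the lock: another thread may have refreshed already.
            if self.token["expires_at"] <= time.monotonic():
                self.token = self.server.refresh(self.token["refresh_token"])
            return self.token["access_token"]

def run_burst(use_lock, n=8):
    """Send n concurrent requests against an expired token; return (ok, rejected)."""
    server = FakeTokenServer()
    store = TokenStore(server, {"access_token": "a0", "refresh_token": "r0", "expires_at": 0.0})
    def call(_):
        try:
            return store.get_access_token(use_lock)
        except PermissionError:
            return None
    with ThreadPoolExecutor(max_workers=n) as pool:
        results = list(pool.map(call, range(n)))
    return sum(r is not None for r in results), server.rejected
```

A `threading.Lock` only serializes threads inside one process; if the application runs as several worker processes, the same check-then-refresh has to be guarded by a lock they all share (for example a database row lock or a file lock).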