Exchange SSO refresh token for access token API call results in an HTTP 500 Error #2594
Comments
Can you please provide recreate steps? Be as specific as possible. If you can recreate with a
Sorry @robotdan I totally missed your original response here. Here's the curl command:
I am happy to provide you with the secret details somewhere privately. Response from cURL
I realize this is not much more info than I provided, but I also don't want to leak our secret keys or my refresh key. As I mentioned, if I put in a garbage string for refresh key, it will say
@tomzorz Hmmm. sorry to hear this. I have tried to replicate this on the sandbox.fusionauth.io environment, which is running 1.48.3, and was unable to. I did the following:
Additional questions that will help us troubleshoot:
Again, sorry this is an issue. We'll need some help from you to troubleshoot this further.
Every single time with every request.
No.
We're using a deployment managed by FA, I guess it's a "prod" environment in that way.
Our deployed version is at 1.46.0, I haven't seen any related issues in the changelog since (although admittedly we should probably update)
OAuth code grant.
We see errors when other errors occur; there are no log events for this error, though. I finally noticed this in the "raw" system logs (stacktrace shortened for brevity):
It occurs every time, for every user as far as I can tell.
Fixed expiration policy, 2 weeks (20160 minutes), one-time use, revocation on action preventing login & password change.
I can't. I also created a PoC replica of the calls with your python library we're using for the sandbox env, couldn't replicate it there either. I made sure to match the sandbox environment as close as I could get it to ours. I am also using the exact same python calls.
Hmmm. I stood up a 1.46.0 local server and tried to replicate this. I was unable to do so.
Was this PoC using 1.46.0?
The PoC script used our logic to target our 1.46 env, and then I switched it out to the sandbox 1.48.3 one - essentially to test and make sure the issue isn't somewhere in the python library or something. But yeah, couldn't replicate in the sandbox, only in ours. I guess I'll try updating to 1.48.3 and see if that helps. As far as I know, we didn't make any configuration or code changes... but also we haven't been reliably using the exchange refresh token feature in recent time so I am not sure when it might've broke. I remember initially when we implemented it, it worked. And then at some point in the past ~8 months it broke.
Okay. Please let us know what happens with the 1.48.3 update and we can discuss next steps.
@mooreds I have upgraded to 1.48.3 and the issue still persists the same way. Stacktrace looks similar:
I have also expanded my test script a little to verify that we do properly save and restore the refresh token from the client - the retrieve refresh tokens endpoint gives me back the same one from the session. I also tried out the other "exchange refresh token for jwt" call; that just returns a completely empty 404 and there isn't even anything in the regular log or the event log.
Okay, I have replicated the issue. We need to fix this, but for now I'd recommend filtering any refresh tokens you get and removing any that don't have an application Id. Refresh tokens that don't have an application Id are for internal use only (they represent our SSO session) and shouldn't be presented to the /oauth2/token endpoint. I updated the documentation ( FusionAuth/fusionauth-site#2836 ). Please try that and let me know if you still see the issue.
Hmm, okay, I'll try and see what tokens we have / get.
The root issue appears to be that you are using an SSO token - which is a special kind of refresh token. The correct behavior of the API should be to fail with a validation error indicating the token was not found.
Okay, so it looks like our logic right now takes the first token from the "get refresh tokens" API and uses that after we succeed with the "exchange oauth code for access token with pkce" call. I imagine this is where we mess up currently. Is there a reason btw why these "internal" refresh tokens are included in the "get refresh tokens" call? If I/we can't use these for anything?
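The filtering the maintainer recommends above, contrasted with the "take the first token" logic the reporter describes, as an added Python example that is not part of this issue, of FusionAuth, or of its Python client library. The response shape follows the Retrieve Refresh Tokens API (a `refreshTokens` array whose entries carry an `applicationId` when they belong to an application); the token values, ids, timestamps and application id in the sample are constructed, and the form fields for the refresh grant are the standard OAuth 2.0 ones that `/oauth2/token` takes.

```python
import json
import urllib.parse

# Constructed sample body in the shape of FusionAuth's "Retrieve Refresh Tokens"
# response (GET /api/jwt/refresh?userId=...). All values are made up.
# The first entry has no applicationId: per the maintainer's comment, that is an
# SSO-session token and must not be presented to /oauth2/token.
APP_ID = "a1b2c3d4-0000-4000-8000-000000000001"  # constructed application id
SAMPLE_RESPONSE = json.dumps({
    "refreshTokens": [
        {
            "id": "0f5d3a2e-0000-4000-8000-000000000001",
            "userId": "5d3a0f2e-0000-4000-8000-0000000000aa",
            "insertInstant": 1700000000000,
            "startInstant": 1700000000000,
            "token": "sso-session-token-DO-NOT-EXCHANGE",
        },
        {
            "id": "0f5d3a2e-0000-4000-8000-000000000002",
            "userId": "5d3a0f2e-0000-4000-8000-0000000000aa",
            "applicationId": APP_ID,
            "insertInstant": 1700000100000,
            "startInstant": 1700000100000,
            "token": "app-refresh-token-older",
        },
        {
            "id": "0f5d3a2e-0000-4000-8000-000000000003",
            "userId": "5d3a0f2e-0000-4000-8000-0000000000aa",
            "applicationId": APP_ID,
            "insertInstant": 1700000200000,
            "startInstant": 1700000200000,
            "token": "app-refresh-token-newer",
        },
    ]
})


def first_token_naively(response_body):
    """The logic the reporter describes: take whatever token comes first.

    With an SSO session present this picks the internal token, which is
    exactly the input that produced the 500 in this issue."""
    return json.loads(response_body)["refreshTokens"][0]["token"]


def exchangeable_tokens(response_body, application_id=None):
    """Keep only tokens that carry an applicationId, optionally for one application.

    Tokens without an applicationId represent the SSO session and are
    dropped, as the maintainer recommends."""
    tokens = json.loads(response_body).get("refreshTokens", [])
    usable = [t for t in tokens if t.get("applicationId")]
    if application_id is not None:
        usable = [t for t in usable if t["applicationId"] == application_id]
    return usable


def select_refresh_token(response_body, application_id):
    """Return the most recently issued exchangeable token for the app, or None.

    Returning None (rather than falling back to the first token) lets the
    caller treat 'no application refresh token' as a real condition, for
    example because the login did not request one."""
    usable = exchangeable_tokens(response_body, application_id)
    if not usable:
        return None
    return max(usable, key=lambda t: t["insertInstant"])["token"]


def refresh_grant_form(refresh_token, client_id, client_secret=None):
    """Encode the form body for POST /oauth2/token with grant_type=refresh_token."""
    fields = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }
    if client_secret is not None:
        fields["client_secret"] = client_secret
    return urllib.parse.urlencode(fields)


if __name__ == "__main__":
    print("naive pick:   ", first_token_naively(SAMPLE_RESPONSE))
    chosen = select_refresh_token(SAMPLE_RESPONSE, APP_ID)
    print("filtered pick:", chosen)
    print("form body:    ", refresh_grant_form(chosen, APP_ID, "client-secret-placeholder"))
```

Running the script shows the naive choice landing on the SSO token while the filtered choice returns the newest application token; only the latter should ever be placed in the `refresh_token` field sent to `/oauth2/token`.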
You might want to revoke them or otherwise examine them. See FusionAuth/fusionauth-site#2836 (comment) from @robotdan .
Ok so one more question, is there some setting we might not have turned on to get these "proper" refresh tokens? I just did a query in our logs and in the last 90 days we barely have any results where we do actually have one: I just did multiple logins on my own account, always had "keep me logged in" turned on - and yet no applicable refresh tokens in our logs today. (To note, this API is called every time when someone logs in.)
"keep me logged in" is for SSO refresh tokens (the ones you should avoid); the other one requires you request the
Ohhhh, okay. TIL :) I think I just made the connection in my head, what the difference is exactly and why it is the way it is. Although I will say, as an end-user I would imagine that checkbox does what I thought we were doing :)
I hear you! We need more 201 level content. Sorry for the confusion! |
All good, I have def needed to learn more too. Also side-question: is there a way then for us to add a "keep me logged in" option that does what we thought the current one does? Or do we have to set the scopes early, and even before redirecting to the flow have the option set for the user whether they want it or not?
Will be fixed in |
If I understand the question... you are asking how to maintain state in your app - outside of the FusionAuth SSO? Checking the box "keep me logged in" will just cause us to create an SSO session. This has a configured TTL. If you want to use tokens in your own app to maintain user state, and you want to use a refresh token for that purpose - then you'd ask for the
@tomzorz and to add what @robotdan said, this seems like it is veering away from "reporting a bug" toward "asking for support" :) . The best way for you to get support is to either:
More on technical support here: https://fusionauth.io/docs/operate/troubleshooting/technical-support |
Description
I'm trying to call the "exchange refresh token for access token" API, and I'm getting an HTTP 500 error. This API has worked in the past. I know if I provide it a random string for refresh token, it will complain it wasn't a proper token - so the code does run partially. But otherwise I get no information back besides
{"fieldErrors":{},"generalErrors":[{"code":"[Exception]","message":"FusionAuth encountered an unexpected error. Please review the troubleshooting guide found in the documentation for assistance and the available support channels."}]}
I don't even see the error in the logs of our instance.
Affects versions
1.46.0, 1.48.3.
Steps to reproduce
Original steps to reproduce
Invoke the API with a valid refresh token.
Expected behavior
We get an access token.
Screenshots
Nothing useful.
Platform
Release notes
Improved validation and error messaging when calling the /oauth2/token endpoint with an incorrect refresh token.