Handle invalid access tokens in token exchange #1822
Conversation
zzooeeyy
force-pushed
the
handle-invalid-access-token
branch
from
f5f33bf
to
01c0995
Compare
zzooeeyy
changed the title
|
We'll create an API wrapper and handle errors differently, so I'm moving this back to draft. |
rachel-carvalho
force-pushed
the
handle-invalid-access-token
branch
from
0caec9b
to
6c8e444
Compare
|
We decided to keep retrying in the with_token_refetch(@session, @session_token) do
# Admin API call here
end |
|
The tests that execute the new |
docs/shopify_app/sessions.md
Outdated
| @@ -203,6 +204,64 @@ user.with_shopify_session do | |||
| end | |||
| ``` | |||
|
|
|||
| #### Re-fetching an access token when API returns Unauthorized | |||
There was a problem hiding this comment.
I added this section to the sessions doc to document usage cc @zzooeeyy @paulomarg
rachel-carvalho
force-pushed
the
handle-invalid-access-token
branch
from
beb3b6c
to
f2998d0
Compare
docs/shopify_app/sessions.md
Outdated
|
|
||
| def index | ||
| client = ShopifyAPI::Clients::Graphql::Admin.new(session: current_shopify_session) | ||
| with_token_refetch(current_shopify_session, session_token) do # Unauthorized errors raised in this block will initiate token exchange and the block will be retried once |
There was a problem hiding this comment.
hmm looking at the example here, do you think it might be confusing to devs on the difference between current_shopify_session and session_token? There are so many cases where we just use "session" to describe something, should we rename (in the actual method implementation as well) session_token to be like session_jwt_token to be more explicit on which one we're talking about?
There was a problem hiding this comment.
Yeah I agree it's very confusing. I noticed we call it id_token in the URL and also in App Bridge, so I'm leaning towards shopify_id_token here to keep consistence, especially because those are the two sources of the token we're using here.
There was a problem hiding this comment.
While I think that's good, we also use the phrase session token in quite a few places (docs, etc), even though it's really an id token. We'd probably want to be consistent with that, right?
There was a problem hiding this comment.
I was chatting with @ragalie about this to get a better understanding of session token vs ID token, and what I got is that this session token is a type of id token, which is part of the Open ID spec and is supposed to be a claim by the server about a user's identity. session token is Shopify's claim about the current user that's logged in, it's an ID token and it's in JWT format.
I do agree that we need to make it clear that id_token in some places and session_token in others means the same thing, just like session in the context of the libraries usually means access_token.
rachel-carvalho
force-pushed
the
handle-invalid-access-token
branch
from
2e3952f
to
f94727f
Compare
…ange concern Co-authored-by: Rachel Carvalho <rachel.carvalho@shopify.com>
rachel-carvalho
force-pushed
the
handle-invalid-access-token
branch
from
fae7175
to
0ddf652
Compare
| ShopifyApp::Auth::TokenExchange.perform(shopify_id_token) | ||
| # TODO: Rescue JWT validation errors when bounce page is ready |
There was a problem hiding this comment.
I assume this TODO also covers requests where no id token is present?
📹 Demo video
What this PR does
around_actionin token exchange concernactivate_shopfiy_session.ShopifyApp::Auth::TokenExchange.perform(session_token)ShopifyApp::AdminAPI::WithTokenRefetchmodule with a method to allow easy token refetch/retry on Unauthorized errorsSo developers handling their own errors can still have their access tokens refetched:
Checklist
Before submitting the PR, please consider if any of the following are needed:
CHANGELOG.mdif the changes would impact usersREADME.md, if appropriate./docs, if necessary