This repository has been archived by the owner on Dec 29, 2022. It is now read-only.

Invalid OAuth Token from Chrome App Heartbeat #18

Closed
iamgeef opened this issue Nov 2, 2018 · 4 comments

iamgeef commented Nov 2, 2018

All of our devices have started to show 'This device is not enrolled' error, despite previously being enrolled.

We used to get the issue sporadically, with no clue as to what was causing it as it was very random, but now it's very much permanent, preventing us from using the system.

I'm wondering if it's caused by exceeding a maximum number of granted (live) refresh tokens as referenced here: https://developers.google.com/identity/protocols/OAuth2#expiration, and if there's any system built in to resolve that?

Checking the Logs for the Chrome Endpoint, I can see that the heartbeat is returning a 401 back with:

2018-11-02 14:09:19.857 AEDT
Unable to get authorized scopes. (/base/data/home/apps/f~<APPNAME>/chrome:mcshaneg-20181102.413691614035746910/external/endpoints_archive/endpoints/users_id_token.py:371)
Traceback (most recent call last):
  File "/base/data/home/apps/f~<APPNAME>/chrome:mcshaneg-20181102.413691614035746910/external/endpoints_archive/endpoints/users_id_token.py", line 369, in _set_bearer_user_vars
    authorized_scopes = oauth.get_authorized_scopes(sorted(all_scopes))
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/3b44e98ed7fbb86b/python27/python27_lib/versions/1/google/appengine/api/oauth/oauth_api.py", line 171, in get_authorized_scopes
    _maybe_call_get_oauth_user(scope)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/3b44e98ed7fbb86b/python27/python27_lib/versions/1/google/appengine/api/oauth/oauth_api.py", line 220, in _maybe_call_get_oauth_user
    _maybe_raise_exception()
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/3b44e98ed7fbb86b/python27/python27_lib/versions/1/google/appengine/api/oauth/oauth_api.py", line 239, in _maybe_raise_exception
    raise InvalidOAuthTokenError(error_detail)
InvalidOAuthTokenError

I was previously seeing this intermittently; I thought perhaps it was caused by returning a loan and starting a new loan too quickly, but now it's constant.

I have tried:

Different Chromebooks, different users, factory reset of Chromebook(s), un-enroll and re-enroll in grab-n-go, hotspot to make sure it's not a network issue, leaving it alone for 24 hours, deploying a new version to app engine (albeit with no code changes made).
The only thing I'm yet to try is deploying a new version of the Chrome App, creating a new OAuth client, and sacrificing a goat.

Interestingly, during one of my tests the heartbeat actually worked one time, as it updated the Device to show that it was assigned to my user, even though the Chrome app on the device kept saying 'Device not enrolled', but I haven't seen it since.

iamgeef closed this as completed Nov 5, 2018

@githerbert

@iamgeef Did you ever get this resolved? I think I am encountering the same issue.


ericwhiteau commented Dec 6, 2018

I installed and ran a demo project in September, successfully.
I deleted the project but left the gSuite components in place.

I have now tried to rebuild the GCP project and deploy, connecting to the same gSuite configuration.

The backend is working as expected. Recreated the chromebooks in the loan system.
Deployed new oauth keys etc. web_app is working.
Chrome app doesn't think it is registered. (see screen shot)

Logs have the same message as indicated above: invalid tokens.

Unable to get authorized scopes. (/base/data/home/apps/f~[[projectID]]/chrome:root-20181205.414461687226952207/external/endpoints_archive/endpoints/users_id_token.py:371)
Traceback (most recent call last):
  File "/base/data/home/apps/f~[[projectID]]/chrome:root-20181205.414461687226952207/external/endpoints_archive/endpoints/users_id_token.py", line 369, in _set_bearer_user_vars
    authorized_scopes = oauth.get_authorized_scopes(sorted(all_scopes))
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/d22767677e9aa897/python27/python27_lib/versions/1/google/appengine/api/oauth/oauth_api.py", line 172, in get_authorized_scopes
    _maybe_call_get_oauth_user(scope)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/d22767677e9aa897/python27/python27_lib/versions/1/google/appengine/api/oauth/oauth_api.py", line 221, in _maybe_call_get_oauth_user
    _maybe_raise_exception()
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/d22767677e9aa897/python27/python27_lib/versions/1/google/appengine/api/oauth/oauth_api.py", line 240, in _maybe_raise_exception
    raise InvalidOAuthTokenError(error_detail)
InvalidOAuthTokenError


Device ID and serial number all check out in console logs.

screenshot 2018-12-06 at 15 14 50

@ericwhiteau

Note: I have rebuilt and redeployed the chrome app with new keys twice. It doesn't seem to be that.
PS: Set logging to be True in shared/config.ts
Not sure I see anything different in stackdriver


ericwhiteau commented Dec 6, 2018

There is also the following warning, but I can't recall if that was there previously.

multistore_file.py:62
The oauth2client.contrib.multistore_file module has been deprecated and will be removed in the next release of oauth2client. Please migrate to multiprocess_file_storage.
request_id: "5c08b5f400ff0d534af1636bae0001667e6469616c6f67677261626e676f0001726f6f742d3230313831323035000100"
timestamp: "2018-12-06T05:39:03.229Z"
location: "/base/data/home/apps/f~[projectID]/root-20181205.414461667803272195/external/oauth2client_archive/oauth2client/contrib/multistore_file.py:62"
