This repository has been archived by the owner on Dec 1, 2018. It is now read-only.

Error refreshing token: (invalid_scope) Bad Request #86

Closed
jayme-github opened this issue Oct 21, 2016 · 5 comments

@jayme-github

Just got the following error while creating an HTTPClient instance:

2016-10-21 09:03:10,344 (requests_oauthlib.oauth2_session.request) [DEBUG] Invoking 0 protected resource request hooks.
2016-10-21 09:03:10,344 (requests_oauthlib.oauth2_session.request) [DEBUG] Adding token {'access_token': 'secretToken', 'token_type': 'Bearer', 'expires_in': '3600', 'refresh_token': u'refreshToken'} to request.
2016-10-21 09:03:10,345 (requests_oauthlib.oauth2_session.request) [DEBUG] Requesting url https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=secretToken using method GET.
2016-10-21 09:03:10,345 (requests_oauthlib.oauth2_session.request) [DEBUG] Supplying headers {u'Authorization': u'Bearer secretToken'} and data None
2016-10-21 09:03:10,345 (requests_oauthlib.oauth2_session.request) [DEBUG] Passing through key word arguments {'allow_redirects': True}.
2016-10-21 09:03:10,351 (requests.packages.urllib3.connectionpool._new_conn) [INFO] Starting new HTTPS connection (1): www.googleapis.com
2016-10-21 09:03:10,602 (requests.packages.urllib3.connectionpool._make_request) [DEBUG] "GET /oauth2/v1/tokeninfo?access_token=secretToken HTTP/1.1" 400 None
2016-10-21 09:03:10,605 (requests_oauthlib.oauth2_session.refresh_token) [DEBUG] Adding auto refresh key word arguments {}.
2016-10-21 09:03:10,606 (requests_oauthlib.oauth2_session.refresh_token) [DEBUG] Prepared refresh token request body grant_type=refresh_token&client_secret=clientSecret&client_id=clientId.apps.googleusercontent.com&refresh_token=refreshToken&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.me
2016-10-21 09:03:10,606 (requests_oauthlib.oauth2_session.request) [DEBUG] Requesting url https://www.googleapis.com/oauth2/v4/token using method POST.
2016-10-21 09:03:10,606 (requests_oauthlib.oauth2_session.request) [DEBUG] Supplying headers {u'Content-Type': u'application/x-www-form-urlencoded;charset=UTF-8', u'Accept': u'application/json'} and data {u'client_secret': u'clientSecret', u'grant_type': u'refresh_token', u'refresh_token': u'refreshToken', u'client_id': u'clientId.apps.googleusercontent.com', u'scope': u'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/plus.me'}
2016-10-21 09:03:10,606 (requests_oauthlib.oauth2_session.request) [DEBUG] Passing through key word arguments {'verify': True, 'json': None, 'proxies': None, 'auth': None, 'timeout': None}.
2016-10-21 09:03:10,818 (requests.packages.urllib3.connectionpool._make_request) [DEBUG] "POST /oauth2/v4/token HTTP/1.1" 400 None
2016-10-21 09:03:10,819 (requests_oauthlib.oauth2_session.refresh_token) [DEBUG] Request to refresh token completed with status 400.
2016-10-21 09:03:10,819 (requests_oauthlib.oauth2_session.refresh_token) [DEBUG] Response headers were {'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Encoding': 'gzip', 'Transfer-Encoding': 'chunked', 'Expires': 'Fri, 21 Oct 2016 07:03:10 GMT', 'Vary': 'Origin, X-Origin', 'Server': 'GSE', 'Cache-Control': 'private, max-age=0', 'Date': 'Fri, 21 Oct 2016 07:03:10 GMT', 'X-Frame-Options': 'SAMEORIGIN', 'Alt-Svc': 'quic=":443"; ma=2592000; v="36,35,34,33,32"', 'Content-Type': 'application/json; charset=UTF-8'} and content {
 "error": "invalid_scope",
 "error_description": "Bad Request",
 "error_uri": ""
}
2016-10-21 09:03:10,819 (requests_oauthlib.oauth2_session.refresh_token) [DEBUG] Invoking 0 token response hooks.
Traceback (most recent call last):
  File ".pythonrc.py", line 29, in <module>
    api.session.verify = session_verify
  File "/home/jayme-github/code/pykube/pykube/http.py", line 41, in session
    self._session = build_session(self.config, self.gcloud_file)
  File "/home/jayme-github/code/pykube/pykube/session.py", line 23, in build_session
    s = _session_object("gcp", config, gcloud_file)
  File "/home/jayme-github/code/pykube/pykube/session.py", line 47, in _session_object
    return GCPSession(config, gcloud_file).create()
  File "/home/jayme-github/code/pykube/pykube/session.py", line 120, in create
    self._update_token()
  File "/home/jayme-github/code/pykube/pykube/session.py", line 131, in _update_token
    refresh_token=self.credentials.get('refresh_token'))
  File "/home/jayme-github/.virtualenvs/pykube/local/lib/python2.7/site-packages/requests_oauthlib/oauth2_session.py", line 309, in refresh_token
    self.token = self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/home/jayme-github/.virtualenvs/pykube/local/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 409, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/home/jayme-github/.virtualenvs/pykube/local/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 376, in parse_token_response
    validate_token_parameters(params)
  File "/home/jayme-github/.virtualenvs/pykube/local/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 383, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/home/jayme-github/.virtualenvs/pykube/local/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 325, in raise_from_error
    raise cls(**kwargs)
oauthlib.oauth2.rfc6749.errors.InvalidScopeError: (invalid_scope) Bad Request

Everything is fine again after running one kubectl command (e.g. refreshing the token).

@brosner

brosner commented Oct 21, 2016

I have come across the same error during my testing. This is a blocker for 0.14.0 in my mind. The scopes requested by pykube seem overly excessive. My next step is to investigate what kubectl requests and match it in pykube.

@brosner brosner added this to the 0.14.0 milestone Oct 21, 2016
@brosner brosner added the bug label Oct 21, 2016
@brosner

brosner commented Oct 25, 2016

@jayme-github I have pushed a change to the token scope which is in line with what kubectl asks for. I think it is a more reasonable scope for service accounts too.

Can you give master a try and see if it works for you now?

@jayme-github

> Can you give master a try and see if it works for you now?

Looks good to me (I did not test with service-account).

@brosner

brosner commented Oct 26, 2016

Excellent. Before closing this I will do a service account test.

@brosner

brosner commented Oct 26, 2016

Confirmed working.

@brosner brosner closed this as completed Oct 26, 2016
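
The thread ties the failure to the scopes sent with the refresh request. As an added example (not part of the thread and not pykube's code), the check below parses the logged refresh body and compares its `scope` with the scopes the refresh token was issued for, following RFC 6749 section 6, which forbids a refresh request from naming scopes outside the original grant. The `GRANTED` set and all function names are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Refresh request body as it appears in the debug log above (placeholder secrets).
LOGGED_BODY = (
    "grant_type=refresh_token&client_secret=clientSecret"
    "&client_id=clientId.apps.googleusercontent.com&refresh_token=refreshToken"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.me"
)
PREFIX = "https://www.googleapis.com/auth/"
# Constructed assumption: scopes the refresh token was originally issued with.
GRANTED = {PREFIX + "userinfo.email", PREFIX + "cloud-platform"}


def requested_scopes(body):
    """Return the scopes named in a form-encoded token request body."""
    values = parse_qs(body).get("scope", [])
    if len(values) > 1:
        raise ValueError("scope parameter sent more than once")
    return set(values[0].split()) if values else set()


def check_refresh_scope(body, granted):
    """Apply RFC 6749 section 6: a refresh may narrow the grant, never widen it."""
    if parse_qs(body).get("grant_type") != ["refresh_token"]:
        raise ValueError("not a refresh_token request")
    excess = sorted(requested_scopes(body) - set(granted))
    return {"ok": not excess, "excess": excess}


def without_scope(body):
    """Drop scope so the server reuses the originally granted scope."""
    fields = parse_qs(body)
    fields.pop("scope", None)
    return urlencode(fields, doseq=True)


if __name__ == "__main__":
    print(check_refresh_scope(LOGGED_BODY, GRANTED))
    print(check_refresh_scope(without_scope(LOGGED_BODY), GRANTED))
```

Under the assumed grant, the logged request names three scopes outside it, the condition for which RFC 6749 defines `invalid_scope`; the same request with `scope` omitted passes the check.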