
OAuth refresh token not working as expected

Open jwr1 opened this issue 8 months ago • 9 comments

Describe the bug Several users and I have noticed while using the Interstellar app that every few days (it seems to vary in how frequently it happens), the OAuth authorization returns refresh token errors. See this issue for context: https://github.com/jwr1/interstellar/issues/84. I have verified that the access token is correctly being refreshed by Interstellar (by triggering a manual refresh of the access token), and the only thing left I can think of is that somehow Mbin is expiring or revoking refresh tokens, causing Interstellar users to need to authenticate all over again (possibly several times in a week). Access tokens are expected to expire frequently, but refresh tokens should not be expiring (which is what seems to be happening).

On which Mbin instance did you find the bug? kbin.earth

Which Mbin version was running on the instance? 1.8.1

To Reproduce It's difficult to reproduce, but as the issue (https://github.com/jwr1/interstellar/issues/84) mentions, if you log in on Interstellar, it's possible it will happen after a few days (or a week or so).

Expected behavior I would expect the refresh token not to expire (if that's even really what's happening).

jwr1 avatar Apr 02 '25 01:04 jwr1

According to our config: https://github.com/MbinOrg/mbin/blob/main/config/packages/league_oauth2_server.yaml#L7 And their documentation: https://github.com/thephpleague/oauth2-server-bundle/blob/master/docs/index.md The refresh token has a validity of one month. Could you maybe get a new refresh token when receiving a new access token? Maybe it is not included, I have no idea

BentiGorlich avatar Apr 02 '25 07:04 BentiGorlich

Hmm according to this: https://oauth2.thephpleague.com/authorization-server/refresh-token-grant/ you should receive the refresh token there. Whether it is a new one or the old one I have no idea...

BentiGorlich avatar Apr 02 '25 07:04 BentiGorlich

And their documentation: https://github.com/thephpleague/oauth2-server-bundle/blob/master/docs/index.md

I also notice this setting: it will revoke refresh tokens after they were used, for all grant types? Not even sure what that means, but it's true by default:

        # Whether to revoke refresh tokens after they were used for all grant types (default to true)
        revoke_refresh_tokens: true

melroy89 avatar Apr 02 '25 13:04 melroy89

I mean it is useful if you get a new refresh token from the same request... But only then :D

BentiGorlich avatar Apr 02 '25 13:04 BentiGorlich

PS. I also want to add that clearing caches like the Symfony cache & Redis/Valkey could potentially also impact valid sessions / tokens (although sessions are now stored in the sessions table, and OAuth has its own oauth2_access_token tables etc.).

Do you see a relation between Mbin upgrades and users losing access for example?

EDIT: And I also want to add, are you sure you have the full scope again during refresh token request? So the scope is the same? And are you sure you are in fact using the latest refresh token in the app?


Oh, and the refresh tokens are stored in the table oauth2_refresh_token. Just for info.

melroy89 avatar Apr 02 '25 13:04 melroy89

Do you see a relation between Mbin upgrades and users losing access for example?

Not that I can tell. I just cleared kbin.earth cache (and restarted services) and was able to connect with the app just fine.

And I also want to add, are you sure you have the full scope again during refresh token request? So the scope is the same? And are you sure you are in fact using the latest refresh token in the app?

I'm using the oauth2 package which handles all of this. The way it works is that I store a payload that contains the access token, refresh token, the token endpoint, the scopes I initially used, and the expiration and I pass all this to the library. Once the access token expiration passes, the library automatically hits the token endpoint and I store the renewed access token and refresh token. So, yes to all those questions.

I'll just point out, it is certainly working. I was able to open Interstellar today, and I saw the log where the OAuth client automatically refreshed, and the app kept working as usual. It just seems to be an every-once-in-a-while thing where the refresh token is somehow outdated or expired or something else.

jwr1 avatar Apr 02 '25 14:04 jwr1

According to our config: main/config/packages/league_oauth2_server.yaml#L7 And their documentation: thephpleague/oauth2-server-bundle@master/docs/index.md The refresh token has a validity of one month. Could you maybe get a new refresh token when receiving a new access token? Maybe it is not included, I have no idea

Thank you for linking this. I'm guessing the 1 month expiration isn't the cause of the problem. I did some quick research (on OAuth), and each time the access token is refreshed, a new refresh token is also provided (and the old one is revoked). The OAuth library Interstellar is using does already take care of this though (switching out access and refresh tokens when needed).

It could be an issue if someone didn't use the app for 1 month, but that's not what we're running into currently.

jwr1 avatar Apr 02 '25 14:04 jwr1
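As an added illustration of the rotate-and-revoke behaviour discussed in this thread (the `revoke_refresh_tokens: true` setting quoted above, and the "new refresh token each time, old one revoked" description in the previous comment), here is a constructed Python model of the refresh-token grant. It is not Mbin's, Interstellar's, or the league/oauth2-server code: the `AuthServer` and `Client` classes, the one-month refresh lifetime, the one-hour access lifetime and the `run_scenarios` helper are assumptions made for the demonstration. It shows the cases a practitioner would want to tell apart when a client suddenly has to re-authenticate: a stale refresh token replayed after rotation, a new refresh token that was issued but never persisted on the client, a refresh token past its configured lifetime, and, for contrast, the same replay with revocation switched off.

```python
"""Constructed model of OAuth 2.0 refresh-token rotation (RFC 6749 section 6).

Not the league/oauth2-server implementation; lifetimes and class names are
assumptions chosen to mirror the settings discussed in the issue thread.
"""
from dataclasses import dataclass
import secrets

ONE_MONTH = 30 * 24 * 3600   # assumed refresh-token TTL (thread: "validity of one month")
ACCESS_TTL = 3600            # constructed access-token lifetime


@dataclass
class RefreshToken:
    value: str
    scope: str
    expires_at: int
    revoked: bool = False


class AuthServer:
    """Minimal authorization server: issues access/refresh pairs and, when
    revoke_refresh_tokens is set, revokes a refresh token the moment it is used."""

    def __init__(self, revoke_refresh_tokens: bool = True):
        self.revoke_refresh_tokens = revoke_refresh_tokens
        self.refresh_tokens: dict[str, RefreshToken] = {}
        self.now = 0  # simulated clock in seconds

    def _issue_pair(self, scope: str) -> dict:
        access = secrets.token_urlsafe(16)
        refresh = RefreshToken(secrets.token_urlsafe(16), scope, self.now + ONE_MONTH)
        self.refresh_tokens[refresh.value] = refresh
        return {"access_token": access, "refresh_token": refresh.value,
                "expires_in": ACCESS_TTL, "scope": scope}

    def authorize(self, scope: str) -> dict:
        # Stands in for the interactive authorization-code flow.
        return self._issue_pair(scope)

    def refresh(self, refresh_token: str, scope: str) -> dict:
        tok = self.refresh_tokens.get(refresh_token)
        if tok is None or tok.revoked or tok.expires_at <= self.now:
            return {"error": "invalid_grant"}      # unknown, already used, or expired
        if not set(scope.split()) <= set(tok.scope.split()):
            return {"error": "invalid_scope"}      # a refresh may narrow scope, never widen it
        if self.revoke_refresh_tokens:
            tok.revoked = True                     # rotate: the old token is single-use
        return self._issue_pair(scope)


class Client:
    """Client that persists the whole token payload, as the app in the thread does."""

    def __init__(self, server: AuthServer, scope: str):
        self.server = server
        self.scope = scope
        self.stored = server.authorize(scope)

    def refresh(self, persist: bool = True) -> str:
        resp = self.server.refresh(self.stored["refresh_token"], self.scope)
        if "error" in resp:
            return resp["error"]
        if persist:
            self.stored = resp   # must save the NEW refresh token, not only the access token
        return "ok"


def run_scenarios() -> dict:
    results = {}
    srv = AuthServer()
    client = Client(srv, "read write")
    results["rotation"] = client.refresh()          # normal rotation works
    results["rotation_again"] = client.refresh()    # and keeps working

    stale = client.stored["refresh_token"]
    client.refresh()                                # rotates; `stale` is now revoked
    results["replay_old"] = srv.refresh(stale, "read write")["error"]

    # New pair issued, but the client never persisted it (e.g. killed mid-refresh):
    client.refresh(persist=False)
    results["lost_rotation"] = client.refresh()     # stored token was already consumed

    srv2 = AuthServer()
    client2 = Client(srv2, "read")
    srv2.now += ONE_MONTH                           # refresh token reaches end of life
    results["expired"] = client2.refresh()

    srv3 = AuthServer(revoke_refresh_tokens=False)
    client3 = Client(srv3, "read")
    old3 = client3.stored["refresh_token"]
    client3.refresh()
    results["replay_without_revoke"] = srv3.refresh(old3, "read").get("error", "ok")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The `lost_rotation` case is the one that produces exactly the symptom reported here: the server did its job, but the client is left holding a refresh token that has already been consumed, and every later refresh fails with `invalid_grant` until the user logs in again. On the server side the `oauth2_refresh_token` table mentioned above is where a revoked-but-still-presented token can be spotted; on the client side the fix is to persist the new access and refresh token atomically before treating the refresh as complete, and to serialise concurrent refreshes so two requests never race with the same token.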

@jwr1 is this still happening occasionally? If so, maybe #1789 will resolve it as we are jumping to a new major version there :)

BentiGorlich avatar Nov 04 '25 15:11 BentiGorlich

@jwr1 is this still happening occasionally? If so, maybe #1789 will resolve it as we are jumping to a new major version there :)

Yes it does happen still. See the latest comments on the other issue https://github.com/interstellar-app/interstellar/issues/84

melroy89 avatar Nov 04 '25 17:11 melroy89

I do want to mention that I just found a weird bug today where we are not using the correct Symfony role in security.yaml, see PR: https://github.com/MbinOrg/mbin/pull/1839

I can't promise of course that this is the root cause, but I wanted to mention it anyway.

melroy89 avatar Nov 16 '25 20:11 melroy89