gapic-generator-ruby icon indicating copy to clipboard operation
gapic-generator-ruby copied to clipboard

Published 20 hours ago verified publisher icon googleapis

OAuth errors (e.g. from invalid token) surface as GRPC::Unavailable, but some of them (e.g. Signet:AuthorizationError on presenting an expired refresh token) are clearly unretriable. Should something be done about this?

Open viacheslav-rostovtsev opened this issue 4 years ago • 4 comments

https://github.com/googleads/google-ads-ruby/issues/246 for details. The question is whether error wrapping is working as intended.

viacheslav-rostovtsev avatar Dec 16 '20 20:12 viacheslav-rostovtsev

This seems to be an intended GRPC behavior:

it 'should receive UNAVAILABLE if call credentials plugin fails' https://github.com/grpc/grpc/blob/95ab12cf8fca2d92b4a097369dd8249cf8997b9f/src/ruby/spec/generic/client_stub_spec.rb#L239

The reason for this behavior: "Typically these failures are symptomatic of a busy oauth2 auth server and calls should be retried in this case." ( https://github.com/grpc/grpc/pull/13322 )

On whether it's a bug in gapic-generator-ruby

  • ruby gapic generated libraries do not unwrap/rewrap the errors, so they surface the UNAVAILABLE they get from the GRPC.

On potential mitigation

  • updating retry policy for google-ads-ruby provides mitigation for this (and makes sense in any case)

  • we can try probing all UNAVAILABLE for containing Signet::AuthorizationError and converting them to UNATHENTICATED.

    • Signet seems to be returning different status codes when server experiencing issues versus when a genuine authorization error occurs: e.g. Signet::AuthorizationError on Auth errors, Signet::RemoteServerError when it gets 5xx from the server, Signet::UnexpectedStatusError for other issues
      https://github.com/googleapis/signet/blob/cd5d2792055e99e188b81a4210e717ddb4071fa3/spec/signet/oauth_2/client_spec.rb#L567

  • more generically there could be a mechanism to tell a client library: """ treat these errors from my auth plugin as UNATHENTICATED when received inside UNAVAILABLE """

    • this looks too complicated

I'll try to figure out if this impacts Cloud libraries as well.

viacheslav-rostovtsev avatar Dec 31 '20 02:12 viacheslav-rostovtsev

@dazuma because it's interesting

viacheslav-rostovtsev avatar Dec 31 '20 02:12 viacheslav-rostovtsev

grpc/grpc#13322 mentions "auth metadata". Does metadata have any specific meaning in this context? I'm wondering if there's a semantic difference between a "metadata failure" and an auth failure due to invalid / expired / unauthorized access/refresh token.

aohren avatar Jan 05 '21 12:01 aohren

They do have a test that returns UNAUTHENTICATED at https://github.com/jboeuf/grpc/blob/master/test/cpp/end2end/end2end_test.cc#L1813 but I am not exactly sure what's the difference atm.

viacheslav-rostovtsev avatar Jan 25 '21 18:01 viacheslav-rostovtsev