
Type 2: include data about PAT expiry

Open kykrueger opened this issue 2 years ago • 7 comments

Summary

When authenticating with a personal access token (PAT), a duration until the expiry of the token is returned by the login request. This information is dropped by the Python client, yet it would be useful to have it logged as a warning when the expiration date is near.

Description

As users of the Python client, we have automated some data-engineering tasks, and authenticate with PATs. Since the PATs may be configured to expire after a given period of time, it is necessary to keep track of when tokens need to be renewed.

The time until expiry is available in the following REST Request: https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_concepts_auth.htm#make-a-sign-in-request-with-a-personal-access-token

Since this request is already made as a part of the authentication process in the Python client, I would like to extend the client to pass two optional parameters to the sign_in method:

  • token_expiry_warning_threshold: Optional[int] = 60
  • token_expiry_warning_callback: Optional[Callable[[str], None]]

The provided threshold should be an integer which represents days. If the token is set to expire in fewer days than the threshold, a warning should be logged. I think 60 days is a sane default given the default expiration period is after 1 year. A callable may also be provided which will be called with the string containing the time until expiry as received from the API. Its format is "days:hours:seconds".

kykrueger Feb 21 '23 16:02

I'm willing to add this myself

kykrueger Feb 21 '23 16:02

I'm now unsure if the value returned from the login request contains the time until the PAT expires, or the session token. Could someone confirm which of the two it is? If it is the latter, then this feature request would require an API change.

kykrueger Feb 21 '23 17:02

This will require an API change, but it's already a known customer request so it might be in the works.

From https://help.tableau.com/current/api/rest_api/en-us/REST/rest_api_ref.htm#sign_in:

> An estimatedTimeToExpiration value is returned when you sign in using a PAT. The value represents the approximate time until the token returned from the PAT sign in will expire

jacalata Feb 22 '23 02:02
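The threshold check proposed in the issue, as an added example that is not part of this thread or of tableauserverclient. Per the reply above, the value it reads describes the token returned by the sign-in. The function names `parse_time_to_expiry` and `check_token_expiry` are hypothetical, the sample response is constructed, and the four-field `days:hours:minutes:seconds` layout is an assumption accepted alongside the three-field layout stated in the issue.

```python
import logging
import xml.etree.ElementTree as ET
from datetime import timedelta
from typing import Callable, Optional

log = logging.getLogger("pat_expiry")
NS = {"t": "http://tableau.com/api"}  # REST API XML namespace

# Constructed sign-in response; token and IDs are placeholders.
SAMPLE_RESPONSE = """<tsResponse xmlns="http://tableau.com/api">
  <credentials token="PLACEHOLDER-TOKEN" estimatedTimeToExpiration="41:07:15:30">
    <site id="PLACEHOLDER-SITE-ID" contentUrl="example"/>
    <user id="PLACEHOLDER-USER-ID"/>
  </credentials>
</tsResponse>"""


def parse_time_to_expiry(raw: str) -> timedelta:
    """Parse a colon-separated duration whose first field is days."""
    parts = [int(p) for p in raw.strip().split(":")]
    if any(p < 0 for p in parts):
        raise ValueError(f"negative field in duration: {raw!r}")
    if len(parts) == 3:  # days:hours:seconds, as stated in the issue
        days, hours, seconds = parts
        minutes = 0
    elif len(parts) == 4:  # assumption: days:hours:minutes:seconds
        days, hours, minutes, seconds = parts
    else:
        raise ValueError(f"unexpected duration format: {raw!r}")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def check_token_expiry(
    response_xml: str,
    token_expiry_warning_threshold: int = 60,
    token_expiry_warning_callback: Optional[Callable[[str], None]] = None,
) -> Optional[timedelta]:
    """Warn when the reported time to expiry is below the threshold in days."""
    cred = ET.fromstring(response_xml).find("t:credentials", NS)
    raw = cred.get("estimatedTimeToExpiration") if cred is not None else None
    if raw is None:
        return None  # server reported no expiry; nothing to check
    remaining = parse_time_to_expiry(raw)
    if remaining < timedelta(days=token_expiry_warning_threshold):
        # Log only the duration, never the token attribute itself.
        log.warning("token expires in %s (threshold %d days)",
                    remaining, token_expiry_warning_threshold)
        if token_expiry_warning_callback is not None:
            token_expiry_warning_callback(raw)
    return remaining
```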

Thanks for the update! Could you help me find a link to the customer request, so that we can get an update here once the server-side update is complete?

That way we can get started on this once the blocker is out of the way.

kykrueger Feb 28 '23 10:02

Hmm, I'm not sure there is one, but if I find it I will add it here.

jacalata Mar 01 '23 00:03

@jacalata any update on whether expiration_date will be added to response when calling server.auth.sign_in()?

It's already a manual effort to refresh an expired token.

But it would be nice to have this expiration_date, so we can preemptively alert our team that the token is expiring.

The best solutions our team has found:

  • (Proactive) Hardcode the "known" expiration_date in our logic, and alert when that date is approaching
  • (Reactive) Try-Except for ServerResponseError when calling server.auth.sign_in(), to raise alert about expired token

Note that:

  • the first solution requires code changes (every time our token expires)
  • the second solution means our process breaks (every time our token expires)

CC @aharcarik-branch

mtsadler-branch Oct 10 '23 16:10

This has been implemented server-side (in List Personal Access Tokens), but we haven't got it in tsc yet.

jacalata Sep 20 '24 08:09