IBM / ruby-sdk-core

The ruby-sdk-core repository contains core functionality required by Ruby code generated by the IBM OpenAPI SDK Generator.
Apache License 2.0

IAM authenticator not refreshing access token before expiration #36

Open pandrews11 opened 3 years ago

pandrews11 commented 3 years ago

Hello,

Is the IAM authenticator supposed to check the expiration time of the access token and refresh before authenticating? I see the IAMTokenManager inherits from JWTTokenManager which has a token method which would take care of this. The problem is IAMTokenManager#access_token does not utilize this method and just grabs the stored access_token without checking.

Thanks for your help!

MosesMendoza commented 3 years ago

Hi - same issue for me.

I'm using version 1.1.2 of ruby-sdk-core in a Rails app alongside version 2.1 of ruby-sdk to access the NLU API and I could use a tip on authenticator lifecycle if you have a minute. I initialize an IBMWatson::Authenticators::IamAuthenticator and keep a reference to it:

    config.authenticator = IBMWatson::Authenticators::IamAuthenticator.new(
      apikey: config.service_access_key
    )

which goes fine. Then, as requests come into the app, as part of handling each request I initialize a new Watson API client object, and pass it the reference to the IamAuthenticator object:

    @watson = IBMWatson::NaturalLanguageUnderstandingV1.new(
      authenticator: @configuration.authenticator,
      version: "2020-08-01"
    )
    @watson.service_url = @configuration.service_url
    @watson.configure_http_client(timeout: { global: @configuration.timeout })

which also works great at first. But then at some point I start getting 401s back. This has been happening fairly regularly. I think it's after a period of inactivity - the time span between a successful attempt at 2:08PM and the next attempt (which failed) at 3:13PM was over an hour. Here's a log entry (apologies for my json format):

E, [2021-07-01T15:44:31.726112 #76077] ERROR -- : [a57cdfe7-a5c2-47d2-8eb7-7005dbdb7eb9] Error: Unauthorized, Code: 401, Information: {"trace"=>"ba11b8d2-802c-46a8-b910-43b37b4a03ec", "more_info"=>"https://cloud.ibm.com/docs/watson?topic=watson-authorization-error"}, X-dp-watson-tran-id: ba11b8d2-802c-46a8-b910-43b37b4a03ec, X-global-transaction-id: ba11b8d2-802c-46a8-b910-43b37b4a03ec

It won't work again until I restart the service. I think I read that the authenticator would renew the token as needed which I interpreted as meaning I don't ever need to re-initialize an authenticator as part of normal operation. But should I be? I could just wrap the client requests in a handler that renews the authenticator if there's a 401 but I want to make sure I'm not doing something wrong here.

Thanks for any insight!

MosesMendoza commented 3 years ago

Hi there, just checking in to see if you all have had a moment to review/validate this issue?
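
The behaviour both reports describe, as an added example that is not part of the thread or of ruby-sdk-core: a cache that returns its stored token without an expiry check, beside one whose accessor checks expiry on every call. All class and method names, the 60-second refresh margin, and the one-hour token lifetime are assumptions made for the illustration.

```ruby
# Added illustration; names are hypothetical and not ruby-sdk-core's API.
class StaleTokenCache
  # Mirrors the report: fetch once, then return the stored token forever.
  def initialize(fetcher)
    @fetcher = fetcher
  end

  def access_token
    @token ||= @fetcher.call
    @token[:access_token]
  end
end

class ExpiryAwareTokenCache
  REFRESH_MARGIN = 60 # seconds before expiry at which to refetch (assumed)

  def initialize(fetcher, clock: -> { Time.now.to_i })
    @fetcher = fetcher
    @clock = clock
    @lock = Mutex.new # one instance is shared across request threads
  end

  # Every read passes the expiry check, so a long-lived shared instance
  # survives idle periods longer than the token lifetime.
  def access_token
    @lock.synchronize do
      @token = @fetcher.call if @token.nil? || expired?
      @token[:access_token]
    end
  end

  private

  def expired?
    @clock.call >= @token[:expiration] - REFRESH_MARGIN
  end
end

# Constructed stand-in for the token endpoint: one-hour tokens, numbered.
def token_after_idle(idle_seconds)
  now = 1_000_000
  issued = 0
  fetcher = lambda do
    issued += 1
    { access_token: "token-#{issued}", expiration: now + 3600 }
  end
  cache = yield(fetcher, -> { now })
  cache.access_token
  now += idle_seconds
  cache.access_token
end
```
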