Open RogerSelwyn opened 2 weeks ago
Hi, I’ll have some time next week to investigate. I’ll report back. Never happened this to me before nor anyone reported this earlier.
I’ve previously seen this issue logged, similar error, different situation I think - https://github.com/O365/python-o365/issues/998
The problem seems to be that oauthlib is no longer caching the correct error codes MS Graph gives and thus giving apps error codes like 401 (unauthorised) when it should raise TokenExpiredError
.
I have already exposed this but I don't have the time not the expertise to go into this.
From my end this is difficult to solve as O365 don't know if a 401 is returned because the token is expired and oauthlib didn't do it's work raising the TokenExpiredError or it's actually a unauthorised error that is correct.
So, either anyone solves this inside oauthlib (which I think should be very difficult) or O365 drops it's custom auth methods to use msal.
I would go wih msal, but this is a BIG change that touches many 'moving parts'.
I’m not sure I have the knowledge to rework the auth method, but I can take a look when I get back home next week.
In the interim, presumably I can trap the errors in my integration and trigger a token refresh?
The current quick solution involves the following (other users reported this several times here):
account.connection.refresh_token()
Thanks
And please remember that the refresh should ask before to the token backed:
should_refresh_token = self.token_backend.should_refresh_token(self)
if should_refresh_token is True:
# The backend has checked that we can refresh the token
if self.refresh_token() is False:
raise RuntimeError('Token Refresh Operation not working')
Although should_refresh_token
is barely used by anyone...
I have analysed what it means to implement authentication with MSAL.
Authentication:
Connection
object: request_token
, refresh_token
and get_authorization_url
Account
object: authenticate
Token
: msal tokens are somehow different. I need to figure out how to adapt the token methods so O365 can know when a token is expired._internal_request
and oauth_request
Readme: Modify the readme to show the change. Many methods change and auth is done differently
Optional changes: Configure a msal TokenCache
to work with O365 Token Backends
I have been able to authenticate and use a O365 with tokens retrieved using msal.
I think I will drop custom auth in favor of msal as soon as possible Many work to do and testing...
That would be brilliant. I'd be happy to test as soon as you have something (preferably not before the 23rd, if it requires code change at my end).
I will be working in the msal branch
Not sure on the notes you have written on the meal branch whether you have finished work and it is testable, our whether it is WUP. I see you have note that 2.0.38 is the last 2.0 release, which suggests you will go to 2.1/3.0 for new authentication model.
As soon as you are ready I can test.
I have a few people who use the Home Assistant O365 integration that are getting the errors as shown below (they are encapsulated in HA login, but you can see what is being surfaced by O365). I've only seen reports in the last few months, but I have no idea what is causing them. Unfortunately I don't get the problem myself (or just don't notice the error in my logs, so I don't really know what triggers it).
Any ideas as to what is causing the problem? The integration sets up a FileSystemTokenBackend, which it uses I the Account setup call, beyond that it leaves token management to O365 (apart from reading the token once to check granted permissions). Code as below:
Client Error: 401 Client Error: Unauthorized for url: https://graph.microsoft.com/v1.0/me/calendars/AQMkADAwATNiZmYAZC04M2ZhLTkwNDYtMDACLTAwCgBGAAADxUpIqt1PQ02qEe37a0cywQcAe9JyutQAp0a3sg19Hw9tFgAAAgEGAAAAe9JyutQAp0a3sg19Hw9tFgAF1RvVAwAAAA==/calendarView?%24top=999&startDateTime=2024-11-08T07%3A48%3A44.399251%2B00%3A00&endDateTime=2024-11-09T07%3A48%3A44.399274%2B00%3A00&%24select=sensitivity%2Cstart%2Ccategories%2Cbody%2CisAllDay%2Csubject%2Cend%2Clocation%2CseriesMasterId%2Cattendees%2CshowAs | Error Message: IDX14100: JWT is not well formed, there are no dots (.). The token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EncodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'. | Error Code:
The user has checked their access token. There are no dots inside. They've also checked it with jwt.io and get the following error:Error: Looks like your JWT Header is not encoded correclty using base64url (https://tools.ietf.org/html/rfc4648#section-5). Note that padding ("=") must be omitted as per https://tools.ietf.org/html/rfc7515'section-2
The error does not occur permanently, but only occasionally. It then seems to heal itself, since the synchronization of tasks and calendar generally works.