ccpgames / sso-issues

Please file issues with the CCP SSO (login.eveonline.com) here.

SSO Will Not Migrate v1 --> v2 for Some (Valid) Tokens #73

Open PrometheusSatyen opened 2 years ago

PrometheusSatyen commented 2 years ago

Bug

PLEASE DO NOT REMOVE THE V1 SSO UNTIL YOU FIX THIS EXTREMELY PROBLEMATIC BUG!

Some v1 tokens, despite being perfectly valid (v1 SSO continues to permit refreshes) fail to migrate to v2 when passed to the v2 endpoint. They can still be refreshed using v1 after this failure.

I can provide examples of such tokens on request. Please email me at prometheussatyen@gmail.com, contact me on TweetFleet Slack (you can find me in #esi or #sso) or contact me on Discord: Prometheus Satyen#3345

Reproduction Steps

Attempt Refresh of Token with v1 SSO:

curl --location --request POST 'https://login.eveonline.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--header 'X-User-Agent: Prometheus Satyen (Pandemic Legion) prometheussatyen@gmail.com' \
--header 'Authorization: Basic REDACTED' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=REDACTED'

Response looks fine, gives a 200 OK:

{
    "access_token": "REDACTED",
    "token_type": "Bearer",
    "expires_in": 1199,
    "refresh_token": "REDACTED"
}

Now, attempt to migrate to v2:

curl --location --request POST 'https://login.eveonline.com/v2/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--header 'X-User-Agent: Prometheus Satyen (Pandemic Legion) prometheussatyen@gmail.com' \
--header 'Authorization: Basic REDACTED' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=REDACTED'

Response is a failure (400 Bad Request):

{
    "error": "invalid_grant",
    "error_description": "Invalid refresh token. Unable to migrate grant."
}

And let's try to refresh it with v1 again:

curl --location --request POST 'https://login.eveonline.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--header 'X-User-Agent: Prometheus Satyen (Pandemic Legion) prometheussatyen@gmail.com' \
--header 'Authorization: Basic REDACTED' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=REDACTED'

Response looks fine, gives a 200 OK:

{
    "access_token": "REDACTED",
    "token_type": "Bearer",
    "expires_in": 1199,
    "refresh_token": "REDACTED"
}

:thinking:

Actual Behaviour

Token fails to migrate.

Expected Behaviour

Token should migrate.

ErikKalkoken commented 2 years ago

I can confirm this.

We are running a large site for my alliance and when converting about 1,300 valid v1 tokens we had a failure rate of about 3%. We have chosen to remove the failed tokens and force our users to re-add missing tokens, but that approach might not work for everyone.

soratidus999 commented 2 years ago

On behalf of some Alliance Auth installs that were willing to share their statistics with us, I can report that we have similar experiences.

Statistics from 18 installs:
59558 tokens
1359 failed on CCP's end; they are still valid v1 tokens but will not migrate on the v2 endpoint
35 tokens failed for other reasons, dead tokens etc.

2.282% failure rate from CCP on this migration endpoint for tokens that still continue to operate normally under v1

Happy to provide more detailed information on the EVE Online Partner Discord where this has been discussed previously, at joel.falknau@gmail.com, or discord: Ariel Rin#7464

stebet commented 2 years ago

Can you reproduce and send me a timestamp and originating IP address for me to look at?

soratidus999 commented 2 years ago

Apologies from me, I cleared out these v1 tokens expecting them to die November 1st as notified. I have passed your request on to the rest of the Alliance Auth community and therefore entities sysadmins.

It's not likely, since we moved onto V2 refreshing all tokens by default and only kept the v1 code as a fallback in the migration for this specific issue, not normal operation.
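Added example, not part of any comment in this thread and not CCP or Alliance Auth code: one way to run the migration with the v1 fallback described above, separating tokens that v2 rejects but v1 still refreshes from tokens that are actually dead. The `post` callable (which must send the same Basic `Authorization` header as the curl commands), the function names and the sample tokens are assumptions; the responses in `fake_post` are constructed from the ones shown in the report.

```python
import json
from collections import Counter

V1_URL = "https://login.eveonline.com/oauth/token"
V2_URL = "https://login.eveonline.com/v2/oauth/token"

def refresh(post, url, token):
    """POST a refresh_token grant; return (HTTP status, parsed JSON body)."""
    status, body = post(url, {"grant_type": "refresh_token", "refresh_token": token})
    return status, json.loads(body)

def migrate(post, token):
    """Return (outcome, token to store); outcome is migrated/stuck_v1/dead/error."""
    status, body = refresh(post, V2_URL, token)
    if status == 200:
        return "migrated", body["refresh_token"]
    if status != 400 or body.get("error") != "invalid_grant":
        return "error", token  # unexpected reply: keep the token and retry later
    # v2 refused the grant; ask v1 whether the token is still honoured.
    status, body = refresh(post, V1_URL, token)
    if status == 200:
        # Store whatever refresh token v1 returned in case it was rotated.
        return "stuck_v1", body.get("refresh_token", token)
    return "dead", None

def migrate_all(post, tokens):
    """tokens maps an owner label to a refresh token; returns (results, counts)."""
    results = {owner: migrate(post, tok) for owner, tok in tokens.items()}
    counts = Counter(outcome for outcome, _ in results.values())
    return results, counts

# Constructed stand-in for the SSO so the example runs offline.
def fake_post(url, form):
    tok = form["refresh_token"]
    if tok == "good" or (tok == "stuck" and url == V1_URL):
        return 200, json.dumps({"access_token": "REDACTED", "token_type": "Bearer",
                                "expires_in": 1199, "refresh_token": tok})
    return 400, json.dumps({"error": "invalid_grant", "error_description":
                            "Invalid refresh token. Unable to migrate grant."})

if __name__ == "__main__":
    print(migrate_all(fake_post, {"a": "good", "b": "stuck", "c": "gone"})[1])
```

Logging the time of each `stuck_v1` result alongside the owner label gives the kind of timestamp requested earlier in the thread.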

Dickmos commented 2 years ago

With CCP finally fixing the ESI, any chance this program will work again? I usually get a blank screen after trying to add a character