Miami87
commented
4 months ago Gesendet von Outlook für Androidhttps://aka.ms/AAb9ysg
Von: Alphabet @.>
Gesendet: Freitag, März 29, 2024 1:17:33 PM
An: discord/discord-api-docs @.>
Cc: Subscribed @.>
Betreff: [discord/discord-api-docs] Random 401 Unauthorized on OAuth2 for some users on @.& ***@***.***. (Issue #6769)
Description
Since the beginning of the year, I've been experiencing a problem with the Oauth2 Discord API. Randomly, Oauth2 tokens return "401 Unauthorized" when I try to retrieve the associated user (after refreshing the token) or the token information with the introspection route. This causes a loop and a denial of service on my API every time a buggy user logs in with his Discord account on my platform. The loop problem has been fixed but I still got Cloudflare Ban 24 hours because of it. There's a huge problem from an OAuth2 data integrity point of view on Discord, I've never seen anything like it. I've tested it several times, even by hand, the route accepts all the refresh tokens I give it, sends me back a new token, but I can't do anything with that token, I have to ask the user to connect and in 15% of cases (I've been monitoring for 1 month now) users simply can't connect to my platform. I had to create several applications and test them in round robin mode to get around the problem...
Steps to Reproduce
I'm not able to reproduce this problem, but it occurs randomly after a few weeks or months and seems to apply randomly to certain users.
Expected Behavior
- Either the refresh_token is not accepted, indicating that the user has revoked the authorization (and that it really has been revoked from the account settings).
- That the route returns the information correctly, without errors.
Current Behavior
- The refresh_token is accepted.
- The newly provided refresh_token IS VALID.
- The newly provided access_token IS NOT VALID (INVALID) and always returns 401 Unauthorized for all APIs routes.
Screenshots/Videos
image.png (view on web)https://github.com/discord/discord-api-docs/assets/23159705/b7fef0e2-fe67-4c73-a13e-bc6c6245c87c
An example of a buggy user. I have to forcibly revoke the token with the route to revoke the token and the user has to reconnect for it to work again. Otherwise, even reconnecting doesn't work 70% of the time for the user.
Please note that I have created 4 different applications since the end of December, so this is not due to the application. I've even tried removing the "guilds.join" scope and leaving only "identify", but the problem persists. I've also bought a new IP address with a very good reputation from my German host, but it's no use.
Client and System Information
N/A
— Reply to this email directly, view it on GitHubhttps://github.com/discord/discord-api-docs/issues/6769, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AWFPIACTHPYHU6LWQOXF4FTY2VEU3AVCNFSM6AAAAABFOLEH36VHI2DSMVQWIX3LMV43ASLTON2WKOZSGIYTKMRTHE2TOMY. You are receiving this because you are subscribed to this thread.Message ID: @.***>
lsdimagine
RealAlphabet
flyingsquirrel1312
SOLR4189
Description
Since the beginning of the year, I've been experiencing a problem with the Oauth2 Discord API. Randomly, Oauth2 tokens return "401 Unauthorized" when I try to retrieve the associated user (after refreshing the token) or the token information with the introspection route. This causes a loop and a denial of service on my API every time a buggy user logs in with his Discord account on my platform. The loop problem has been fixed but I still got Cloudflare Ban 24 hours because of it. There's a huge problem from an OAuth2 data integrity point of view on Discord, I've never seen anything like it. I've tested it several times, even by hand, the route accepts all the refresh tokens I give it, sends me back a new token, but I can't do anything with that token, I have to ask the user to connect and in 15% of cases (I've been monitoring for 1 month now) users simply can't connect to my platform. I had to create several applications and test them in round robin mode to get around the problem...
Steps to Reproduce
I'm not able to reproduce this problem, but it occurs randomly after a few weeks or months and seems to apply randomly to certain users.
Expected Behavior
refresh_tokenis not accepted, indicating that the user has revoked the authorization (and that it really has been revoked from the account settings).Current Behavior
refresh_tokenis accepted.refresh_tokenIS VALID.access_tokenIS NOT VALID (INVALID) and always returns401 Unauthorizedfor all APIs routes.Screenshots/Videos
An example of a buggy user. I have to forcibly revoke the token with the route to revoke the token and the user has to reconnect for it to work again. Otherwise, even reconnecting doesn't work 70% of the time for the user.
Please note that I have created 4 different applications since the end of December, so this is not due to the application. I've even tried removing the "guilds.join" scope and leaving only "identify", but the problem persists. I've also bought a new IP address with a very good reputation from my German host, but it's no use.
Client and System Information
N/A