drogue-iot / drogue-cloud

Cloud Native IoT
https://drogue.io
Apache License 2.0

Refreshing of access tokens in the UI has issues #261

Closed ctron closed 2 years ago

ctron commented 2 years ago

It looks like refreshing tokens in the Web UI has some issues.

The tokens expire after 5 minutes, but should automatically be refreshed before that. However, sometimes I do see the following effects:

My feeling is that refreshing of the tokens doesn't work, in combination with some services not handling CORS and AuthN/AuthZ in the correct order. The latter issue might be due to a wrong order of the CORS and Auth middleware in actix. As this only affects some pages, that might actually be ok for some services and wrong for others (device registry being one of them).

jbtrystram commented 2 years ago

I can't reproduce it for now. If someone can give more details on how to reproduce it reliably, I'll investigate more.

ctron commented 2 years ago

One way I seem to be able to reproduce this:

Then I only get "connection to the websocket service failed".

ctron commented 2 years ago

Here is another case:

Frontend:

17:04:58.457 INFO src/app.rs:257 Token timer expired, refreshing... [index-1c0d7732d89ab230.js:894:17](https://sandbox.drogue.cloud/index-1c0d7732d89ab230.js)
17:04:58.457 INFO src/app.rs:133 Message: RefreshToken(Some("eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmOTE5NDBjZC0yZWU4LTRjMDMtOGQ4NS01MWE3ZDc1MGI2OGYifQ.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.2m8OugyGwVAgnCeEAomAO9Hmtck4JI4kte55XUK2BLs")) [index-1c0d7732d89ab230.js:894:17](https://sandbox.drogue.cloud/index-1c0d7732d89ab230.js)
17:04:58.457 INFO src/app.rs:280 Refreshing access token [index-1c0d7732d89ab230.js:894:17](https://sandbox.drogue.cloud/index-1c0d7732d89ab230.js)
17:04:58.911 INFO src/app.rs:435 Response from refreshing token: Ok(Failure(401, Object({"error": String("Unauthorized"), "message": String("Refresh token invalid: Json(Error(\"missing field `access_token`\", line: 0, column: 0))")}))) [index-1c0d7732d89ab230.js:894:17](https://sandbox.drogue.cloud/index-1c0d7732d89ab230.js)
17:04:58.911 INFO src/app.rs:133 Message: FetchTokenFailed

Backend:

[2022-04-04T15:04:58Z DEBUG reqwest::connect] starting new connection: https://sso.sandbox.drogue.cloud/
[2022-04-04T15:04:58Z DEBUG hyper::client::connect::dns] resolving host="sso.sandbox.drogue.cloud"
[2022-04-04T15:04:58Z DEBUG hyper::client::connect::http] connecting to 65.108.135.161:443
[2022-04-04T15:04:58Z DEBUG hyper::client::connect::http] connected to 65.108.135.161:443
[2022-04-04T15:04:58Z DEBUG rustls::client::hs] Resuming session
[2022-04-04T15:04:58Z DEBUG rustls::client::hs] Using ciphersuite Tls13(Tls13CipherSuite { suite: TLS13_AES_128_GCM_SHA256, bulk: Aes128Gcm })
[2022-04-04T15:04:58Z DEBUG rustls::client::tls13] Not resuming
[2022-04-04T15:04:58Z DEBUG rustls::client::tls13] TLS1.3 encrypted extensions: [ServerNameAck]
[2022-04-04T15:04:58Z DEBUG rustls::client::hs] ALPN protocol is None
[2022-04-04T15:04:58Z DEBUG hyper::proto::h1::io] flushed 959 bytes
[2022-04-04T15:04:58Z DEBUG rustls::client::tls13] Ticket saved
[2022-04-04T15:04:58Z DEBUG rustls::client::tls13] Ticket saved
[2022-04-04T15:04:58Z DEBUG hyper::proto::h1::io] parsed 11 headers
[2022-04-04T15:04:58Z DEBUG hyper::proto::h1::conn] incoming body is content-length (66 bytes)
[2022-04-04T15:04:58Z DEBUG hyper::proto::h1::conn] incoming body completed
[2022-04-04T15:04:58Z DEBUG hyper::client::pool] pooling idle connection for ("https", sso.sandbox.drogue.cloud)
[2022-04-04T15:04:58Z DEBUG reqwest::async_impl::client] response '400 Bad Request' for https://sso.sandbox.drogue.cloud/auth/realms/drogue/protocol/openid-connect/token
[2022-04-04T15:04:58Z INFO  drogue_cloud_console_backend::auth] Response: Err(Json(Error("missing field `access_token`", line: 0, column: 0)))
[2022-04-04T15:04:58Z INFO  actix_web::middleware::logger] 10.130.2.1 "GET /api/console/v1alpha1/ui/refresh?refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmOTE5NDBjZC0yZWU4LTRjMDMtOGQ4NS01MWE3ZDc1MGI2OGYifQ.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.2m8OugyGwVAgnCeEAomAO9Hmtck4JI4kte55XUK2BLs HTTP/1.1" 401 125 "https://sandbox.drogue.cloud/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" 0.246705
[2022-04-04T15:05:28Z DEBUG hyper::client::client] client connection error: connection error: unexpected end of file
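
The logs above show the SSO token endpoint answering `400 Bad Request` and the console backend then trying to decode that body as a success response, which yields the misleading `missing field access_token` error instead of the real OAuth error. The following is an added example (not drogue-cloud code) of classifying a refresh-grant response per RFC 6749 §5.2 so that an expired or revoked refresh token (`invalid_grant`) is reported as such and triggers a fresh login; the sample bodies and the `classify_token_response` / `must_reauthenticate` names are constructed for illustration.

```python
"""Classify the response of an OpenID Connect token endpoint (refresh_token grant).

Added example, not part of drogue-cloud. Models the failure seen in the logs:
a 400 body was fed to a success-only decoder, hiding the real OAuth error.
"""
import json
from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class TokenSet:            # successful response (HTTP 200)
    access_token: str
    expires_in: int
    refresh_token: Optional[str]


@dataclass
class OAuthError:          # RFC 6749 §5.2 error response (HTTP 400/401)
    status: int
    error: str
    description: str


@dataclass
class TransportError:      # anything that is neither (proxy HTML, truncated body, ...)
    status: int
    detail: str


def classify_token_response(status: int, body: str) -> Union[TokenSet, OAuthError, TransportError]:
    """Decode a token endpoint reply without assuming it was a success."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return TransportError(status, f"non-JSON body: {exc}")
    if not isinstance(doc, dict):
        return TransportError(status, "JSON body is not an object")
    # Check for the error shape first: a 400 with {"error": ...} is a valid,
    # expected answer to a bad refresh token, not a deserialization failure.
    if "error" in doc:
        return OAuthError(status, str(doc["error"]), str(doc.get("error_description", "")))
    if status != 200 or "access_token" not in doc:
        return TransportError(status, "no access_token and no error field")
    return TokenSet(doc["access_token"], int(doc.get("expires_in", 0)), doc.get("refresh_token"))


def must_reauthenticate(result: object) -> bool:
    """invalid_grant means the refresh token is expired or revoked: start a new login."""
    return isinstance(result, OAuthError) and result.error == "invalid_grant"
```

Separately, the actix access log above records the refresh token as a `GET` query parameter; moving it into a `POST` body keeps a long-lived credential out of proxy and server access logs.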

ctron commented 2 years ago

I think this one can be closed, with the new OAuth2/OpenID agent. If we run into issues again, let's reopen it.