getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

App installation verification breaks OAuth token refreshes on EU instances #78989

Open guillaumelachaud opened 1 month ago

guillaumelachaud commented 1 month ago

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

Expected Result

Actual Result

After refreshing the token, all subsequent calls will fail with 401 {"detail":"Invalid token"}.

I can reproduce this behavior using curl commands or with a REST client on Sentry EU instances only. Doing the same flow on a Sentry US workspace works flawlessly.

Product Area

Settings - Integrations

Link

No response

DSN

No response

Version

No response

getsantry[bot] commented 1 month ago

Assigning to @getsentry/support for routing ⏲️

guillaumelachaud commented 1 month ago

cc @sentaur-athena We have stumbled upon this problem when working on the Linear integration but I can reproduce with a newly created integration for repro purposes.

getsantry[bot] commented 1 month ago

Routing to @getsentry/product-owners-settings-integrations for triage ⏲️

sentaur-athena commented 1 month ago

Thanks for detailed repro steps. We will look into it.

ameliahsu commented 2 weeks ago

@guillaumelachaud Just to get more details, what specific URLs are you calling with the access token?

guillaumelachaud commented 1 week ago

> Just to get more details, what specific URLs are you calling with the access token?

POST https://sentry.io/api/0/sentry-app-installations/<installation_id>/authorizations/ to get the tokens

PUT https://sentry.io/api/0/sentry-app-installations/<installation_id>/authorizations/ to verify the installation

GET https://sentry.io/api/0/issues/<issue_id>/ to get an issue

ameliahsu commented 5 days ago

@guillaumelachaud I was able to reproduce this issue with the issues endpoint that you specified. This endpoint only works for querying issues within our US region. We now recommend using GET https://sentry.io/api/0/organization/<org_id_or_slug>/issues/<issue_id>/, which queries both our US and EU regions.

We are working on updating our documentation to provide support for our region-specific endpoints. Sorry for the confusion!

guillaumelachaud commented 5 days ago

> @guillaumelachaud I was able to reproduce this issue with the issues endpoint that you specified. This endpoint only works for querying issues within our US region. We now recommend using GET https://sentry.io/api/0/organization/<org_id_or_slug>/issues/<issue_id>/, which queries both our US and EU regions.
>
> We are working on updating our documentation to provide support for our region-specific endpoints. Sorry for the confusion!

Does this apply to all endpoints, including /sentry-app-installations ?

ameliahsu commented 4 days ago

> POST https://sentry.io/api/0/sentry-app-installations/<installation_id>/authorizations/ to get the tokens
>
> PUT https://sentry.io/api/0/sentry-app-installations/<installation_id>/authorizations/ to verify the installation
>
> GET https://sentry.io/api/0/issues/<issue_id>/ to get an issue

@guillaumelachaud Of the endpoints you mentioned, only the /issues endpoint needs to be updated.

guillaumelachaud commented 4 days ago

Are you planning to add an organizationId field in the verify response payload? This would allow us to capture the organizationId as part of the OAuth flow. Currently, it only returns the slug. We can use the slug to construct the new URLs, but the slug is mutable by the end user so we'd rather rely on the organization ID instead of handling potential changes.

sentaur-athena commented 4 days ago

Yes, ideally all the endpoints returning slug should also return ID. Unfortunately, some of the endpoints are old and don't follow this standard though. You mean the oauth/token/ endpoint?

guillaumelachaud commented 4 days ago

No, I'm referring to /sentry-app-installations/<installation_uuid>/ specifically. We are already calling this endpoint and getting back a slug. Would be convenient if we could get the organization ID at the same time. Otherwise we'll have to make an additional API call just to get it.

ameliahsu commented 1 day ago

@guillaumelachaud I just added id to the response payload under organization. Returning to the original issue, did using the updated endpoint fix the 401 you were receiving?