home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

OAuth2 refresh_token doesn't handle a possible new refresh_token #110715

Closed jwillemsen closed 7 months ago

jwillemsen commented 7 months ago

The problem

Daikin is migrating their API to a new OAuth2 setup, but with each refresh_token they send a new refresh_token that has to be used with the next request. When looking at the OAuth2 source code this doesn't seem to be handled as a possible use case.

The OAuth2 documentation mentions that on a token refresh a new refresh_token can be issued, see https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens

The Daikin documentation is below; the code I think should handle this is https://github.com/home-assistant/core/blob/5d0d3a5c2b7a18ab4303e36e7f9104c8082a87b8/homeassistant/components/auth/__init__.py#L338

Exchanging a refresh token for a new access token

Any access token you receive from the authorization server is configured to have a lifetime of one hour. This means that your application needs to retrieve a new access token when the current access token is expired.

To obtain a new access token, you have to use the refresh token that you received in the previous token request.

Request example

POST https://idp.onecta.daikineurope.com/v1/oidc/token
  &grant_type=refresh_token
  &client_id=[YOUR_CLIENT_ID]
  &client_secret=[YOUR_CLIENT_SECRET]
  &refresh_token=[YOUR_REFRESH_TOKEN]

Response example

200 OK
{
  "access_token": "eLlju2C1Cdq60pg29b6ebJgIPSU6wOo5",
  "expires_in": 3600,
  "refresh_token": "a707kZ1Hnme16xaZTxFeam0oFzAlY20u"
}

What version of Home Assistant Core has the issue?

core-2024.2.0

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Container

Integration causing the issue

auth

Link to integration documentation on our website

https://developers.home-assistant.io/docs/auth_api/

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

home-assistant[bot] commented 7 months ago

Hey there @home-assistant/core, mind taking a look at this issue as it has been labeled with an integration (auth) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `auth` can trigger bot actions by commenting:

- `@home-assistant close` Closes the issue.
- `@home-assistant rename Awesome new title` Renames the issue.
- `@home-assistant reopen` Reopen the issue.
- `@home-assistant unassign auth` Removes the current integration label and assignees on the issue, add the integration domain after the command.
- `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
- `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)


MartinHjelmare commented 7 months ago

We update the config entry with the new token data, including a possibly included refresh token, on each refresh.

https://github.com/home-assistant/core/blob/1f1042c034eebdecec5d470ef2d727598684ada4/homeassistant/helpers/config_entry_oauth2_flow.py#L514-L523

https://github.com/home-assistant/core/blob/1f1042c034eebdecec5d470ef2d727598684ada4/homeassistant/helpers/config_entry_oauth2_flow.py#L92-L98

https://github.com/home-assistant/core/blob/1f1042c034eebdecec5d470ef2d727598684ada4/homeassistant/helpers/config_entry_oauth2_flow.py#L182-L191

jwillemsen commented 7 months ago

Ok, sorry, missed that completely. Will dive into this again; thanks for your fast response.