inveniosoftware / invenio-oauthclient

Invenio module that provides OAuth web authorization support.
https://invenio-oauthclient.readthedocs.io
MIT License

cern: user login with "access_token" not working #154

Closed pamfilos closed 3 years ago

pamfilos commented 6 years ago

When you try to make a call through the API using the access_token, an error is thrown, since it tries to get resources that are not there. This is due to token expiration from CERN OAuth (it works when you log in through the browser and try the access_token in the first minutes before expiration).

We need to create a "refresh_token" mechanism for this to get fixed, or find another workaround like storing "Groups" in the extra_data field (not ideal, since a user might be removed from a group and it won't get synced with our instance).

Related to #68

  File "/Users/p/.envs/cap/lib/python2.7/site-packages/invenio_oauth2server/ext.py", line 201, in verify_oauth_token_and_set_current_user
    valid, req = func(valid, req)
  File "/Users/p/.envs/cap/src/analysispreservation.cern.ch/cap/modules/oauth2server/views/server.py", line 57, in login_oauth2_user
    identity=Identity(oauth.user.id))
  File "/Users/p/.envs/cap/lib/python2.7/site-packages/blinker/base.py", line 267, in send
    for receiver in self.receivers_for(sender)]
  File "/Users/p/.envs/cap/lib/python2.7/site-packages/invenio_oauthclient/contrib/cern.py", line 357, in on_identity_changed
    account_groups(account, resource, refresh_timedelta=refresh)
  File "/Users/p/.envs/cap/lib/python2.7/site-packages/invenio_oauthclient/contrib/cern.py", line 224, in account_groups
    groups = fetch_groups(resource['Group'])
KeyError: 'Group'

lnielsen commented 6 years ago

Ping @egabancho

ppanero commented 5 years ago

Is there any ETA on trying to merge the fix from CERN Analysis Preservation into invenio-oauthclient? ATM I just have it patched from a mere replace, but encountered some issues. It would be good to have it all upstream for discussion/compatibilities.

carantunes commented 4 years ago

Ping @lnielsen @zzacharo: a similar issue happens for the new CERN OAuth. It makes personal access tokens unusable, as they are meant to be long-lived.

Details: Once I create a new token it only works for 5 minutes: it returns 500 after that. To work again I need to log out and log in in the UI to be able to use that token for 5 more minutes.

Stack:

Screenshot 2020-09-14 at 19 34 31

ntarocco commented 3 years ago

After discussion, it is not ideal to re-fetch the CERN resource on each login via access_token. It is the responsibility of the final app to decide how often to synchronize the local Invenio user account with the CERN remote one, and not on each HTTP request. Closed in favor of: https://github.com/inveniosoftware/invenio-oauthclient/issues/222
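
An added example, not part of the thread and not invenio-oauthclient code: one way an application could throttle group synchronization and tolerate a remote response without the 'Group' key (the KeyError in the traceback above), while bounding how long cached memberships are trusted. The function name, the `extra_data` layout and both intervals are assumptions made for illustration.

```python
from datetime import datetime, timedelta

REFRESH = timedelta(minutes=15)   # assumed: how often to re-sync with the remote
MAX_STALE = timedelta(hours=24)   # assumed: after this, cached groups are dropped


def sync_groups(extra_data, fetch_resource, now,
                refresh=REFRESH, max_stale=MAX_STALE):
    """Return the groups to load into the identity for this request.

    extra_data: dict stored with the local account, shaped as
                {"groups": [...], "updated": datetime} (hypothetical layout).
    fetch_resource: callable returning the remote resource dict; it may
                raise, or return a dict without "Group", once the remote
                token has expired.
    """
    groups = extra_data.get("groups", [])
    updated = extra_data.get("updated")
    age = (now - updated) if updated else None

    # Fresh cache: no remote call on this request.
    if age is not None and age < refresh:
        return list(groups)

    try:
        resource = fetch_resource()
    except Exception:
        # Any remote failure is treated like a response without groups.
        resource = {}

    if "Group" in resource:
        extra_data["groups"] = list(resource["Group"])
        extra_data["updated"] = now
        return list(extra_data["groups"])

    # Remote data unavailable: serve the cache for a bounded time only,
    # so a removed group membership cannot persist indefinitely.
    if age is not None and age < max_stale:
        return list(groups)
    extra_data["groups"] = []
    return []
```

Clearing the cache after `MAX_STALE` fails closed: a long-lived personal access token keeps authenticating, but loses group-derived permissions until the account is synchronized again.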