Credential Expiration

[gth-myy-name]

Hi Juice

I suspect this is a Redback issue rather than an integration thing - but just in case I'm wrong...

My entire Redback integration stopped today (everything is unavailable), with an "Integration Requires Reconfiguration" error in the Notifications. Went to put the credentials back into the system - copy/pasted from the file I kept of the Swagger system that Redback gave me access through - but "Something Went Wrong".

On closer checking of the original credential file, it indicated an expiry date in April 2024. I think I was one of the first to be using the integration - so perhaps may also be one of the first to have credentials expire as well? :( Has this happened to anyone else?

I have requested a new set of credentials from Redback - will have to wait and see what response I get...

Cheers,

Pcal

[GrantKeymer]

I was just about to write a separate post concerning Reconfiguration, so instead of doing that, I'll add my own observations here:

1) Late last year, my credentials expired, as @Pcal has found.

2) Redback issued new credentials pretty quickly, so no worries there.

3) After saving in a file, I entered them and within a minute or two, the Redback integration came back online.

4) Since that time, I've needed to re-enter the credentials at least twice. It happened again last night. Prior to receiving new credentials, I never needed to re-enter them.

@juicejuice - Just wondering if there has been a change of policy by Redback regarding credentials, or is there some mechanism within your integration that periodically requires credentials to be re-entered?

[cabberley]

@juicejuice in your code you set the bearer token refresh to now+ expires in seconds. Edge case can be that the token has expired if a call is made in those last seconds as by the time now+expires is calculated it is actual beyond the token life.

Historically we would make an attempt at 50% of life to renew it. If the token has expired you will likely get a http 500 error. I had a bug in my code I found earlier today, adjusted my expiration and renew to occur if it is within the last 5 minutes of the 60 minute life that the Redback API is setting.

[juicejuice]

Thanks @cabberley, good point, I would prefer to use a standard OAuth2 library - HA includes this - but I just threw my code together quickly. I think your new integration design around multiple inverters is a better approach. Anyway, I have now added a 5 min offset, as per your suggestion, to account for the edge case you have highlighted. The retry loop was the previous way that this edge case got resolved but no point triggering a retry if it can be avoided. @gth-myy-name did you manage to get your issue resolved now?

[cabberley]

@juicejuice here is the real API endpoint btw. Without this the way we had been doing it was the only option. Only got this a few days ago.

[sethkor]

This just happened to me I think. I was prompted to reenter my credentials again in HA and it came back straight away.

[GrantKeymer]

Yes, this just happened again to me as well. Almost exactly a month since the last time.

[juicejuice]

So weird! My API credentials have never expired...

[sethkor]

first time for me. I didn't request new ones but maybe the integration needs to get an new token rather than prompt user to reenter? Or maybe it's a transient error and needs some sort of a retry?

[sethkor]

It happened again last night

[juicejuice]

Yes, I jinxed myself because my credentials have now expired on both July 19 and 21! I've been running the same credentials since 2022 and haven't changed any of that code in the time, so Redback must be doing something on their servers? Maybe they had to reboot/reset/restore due to Crowdstrike issues??

[cabberley]

Curious to know if you restart HA if it reconnects, or you have to reset/update your secretid and secret?

[cabberley]

Yes, I jinxed myself because my credentials have now expired on both July 19 and 21! I've been running the same credentials since 2022 and haven't changed any of that code in the time, so Redback must be doing something on their servers? Maybe they had to reboot/reset/restore due to Crowdstrike issues??

Pretty sure their backend systems weren't affected by Crowdstuck. My integrations Auth hasn't had any issues over the last week either.

An OAuth Authentication has 2 parts, the secret ID and Secret and then a short lived token for subsequent communications. OAuth Process:

1. New session establishment requires requester to send Secret ID and Secret to Server
2. These are validated and if valid a Bearer Token is issued amongst its contents is a Valid Start and End Datetime. Redback Tokens are set with a 3600 second Lifetime, from memory.
3. If before the End DateTime is reached the client has not negotiated a refreshed token it will behave as if it is not a valid user and treat the request as an unauthenticated session.
4. Programmatically, traditionally we would request a new token at 50% of the expiry time (3600 seconds expiry, try for new token after 1800 seconds) if that fails you still have the original valid token to continue to use with no pressure for getting a new one urgently, and then try again in another 50% of remaining time (1800 + 900 = 2700 seconds after token issued)

From some of the comments above that after re-entry of your originally Secret ID and Secret, it started to work again, I would suspect the token refresh failed.

Hope that helps

[juicejuice]

From some of the comments above that after re-entry of your originally Secret ID and Secret, it started to work again, I would suspect the token refresh failed.

If it happens again I'll examine the debug logs. The HA log just reports: 2024-07-21 22:53:37.204 ERROR (MainThread) [custom_components.redback] Authentication failed while fetching redback data: Invalid credentials

It would be more informative to retrieve the Redback API error that is triggering the reauth (e.g., line 55 of config_flow.py). It's weird that it started happening all of a sudden.

[cabberley]

From some of the comments above that after re-entry of your originally Secret ID and Secret, it started to work again, I would suspect the token refresh failed.

If it happens again I'll examine the debug logs. The HA log just reports:

2024-07-21 22:53:37.204 ERROR (MainThread) [custom_components.redback] Authentication failed while fetching redback data: Invalid credentials

It would be more informative to retrieve the Redback API error that is triggering the reauth (e.g., line 55 of config_flow.py). It's weird that it started happening all of a sudden.

I think you will find that it doesn't matter if the token is expired or secret is wrong, it will be the same HTTP error code, I suspect the RestAPI doesn't discriminate why you request authorisation is not valid.

If you want to debug it you probably want to get the bearer token expiry datetime. Or the daytime of issuance and lifetime values. See how that aligns with the current time.