danwoolley
commented
7 years ago General question related to above: Should the refresh work on recently expired tokens? Or am I expected to proactively refresh all tokens before they expire?
Closed danwoolley closed 7 years ago
danwoolley
commented
7 years ago General question related to above: Should the refresh work on recently expired tokens? Or am I expected to proactively refresh all tokens before they expire?
wlmcewen
commented
7 years ago Hi @danwoolley, it's been a while since I've dug into this part of the code, but the code that checks for a refresh seems suspicious. If I recall correctly, a request must be made using the refresh token in the window after the refresh_timeout but before the expires_in.
In any case, we'll have our support team try to reproduce. I'll suggest you go ahead and remove your client_id/secret from this issue.
ridley-james
commented
7 years ago Hi @danwoolley,
My testing thus far has shown this to be working properly. One thing I noticed in you script is the deletion of the oauth2 token:
client.delete "/oauth2/token/#{client.session.access_token}"
What this does is delete the authorization completely, making the access/refresh tokens non-usable, resulting in all the resulting invalid grant types.
I approached it a little differently. Keeping the same basic structure of the beginning of your script I changed the delete portion to reset the expire_time to 60 (anything less then the refresh interval will work). From there you can see the refresh occur from the debugging:
I have never seen refreshing an oauth token actually work. Tokens expire and require the agent to enter credentials to get fresh tokens. This is bad for us because we want to get fresh listing data on behalf of agents automatically in the background, without their direct involvement. We're hoping that the use of refresh tokens can do this.
I've got sample code now that actually shows the refresh process failing. The root of the issue seems to be when the gem calls to create a session to https://sparkapi.com/v1/oauth2/grant with the param "grant_type" set to "refresh_token". The response is {"error"=>"invalid_grant", "error_description"=>"The access grant you supplied is invalid"}.
Attached is a ruby script using the latest gem v1.4.14 that shows the issue. It's based on script/combined_flow_example.rb, but with the added twist of forcing the tokens to expire so that we can attempt a refresh.
The best way to run this is from irb by pasting in one SECTION at a time. This allows you to see the debug logging. Recognize that you need to paste your key, secret, and callback on lines 8-10, and a valid client.oauth2_provider.code in on line 27.
Let me know if I'm not understanding how refresh tokens work, or if there's a better path through the code that does cause it to work.
Log output for me showing the exact error: D, [2017-07-06T12:15:07.895235 #54093] DEBUG -- : [oauth2] setup SparkApi::Authentication::OAuth2Impl::GrantTypeCode D, [2017-07-06T12:15:07.895297 #54093] DEBUG -- : [oauth2] Refresh oauth session. D, [2017-07-06T12:15:07.895330 #54093] DEBUG -- : [oauth2] Refreshing authentication to https://sparkapi.com/v1/oauth2/grant using [cbg4cv1goko1sahh9u4szzmkf] D, [2017-07-06T12:15:07.895399 #54093] DEBUG -- : [oauth2] create_session to https://sparkapi.com/v1/oauth2/grant params {"redirect_uri":"https://cloudcma.dev/spark/callback","client_id":"xxx","client_secret":"yyy","grant_type":"refresh_token","refresh_token":"cbg4cv1goko1sahh9u4szzmkf"} D, [2017-07-06T12:15:08.425257 #54093] DEBUG -- : [oauth2] Response Body: {"error"=>"invalid_grant", "error_description"=>"The access grant you supplied is invalid"}
spark_refresh.rb.txt