-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sessionClient.refreshToken returning generic 400 bad request error #332
Comments
The response from the server when a refreshToken is invalid is {
"error": "invalid_grant",
"error_description": "The refresh token is invalid or expired."
} This will result in throwing this error: https://github.com/okta/okta-oidc-android/blob/master/library/src/main/java/com/okta/oidc/net/request/TokenRequest.java#L135 Which should give you the information you're requesting. That being said, 400s could occur outside of that as well. If you have more information, or ideally could reproduce this, we can get it fixed though! |
@JayNewstrom Thank you for your reply :) I've never seen any reports with the message "The refresh token is invalid or expired", just numerous instances of "Invalid status code 400 Bad Request". Unfortunately these are coming from our Sentry reporting tool, I have yet to be able to repo this locally. I don't have a user that has an expired refresh token that I can test this on, as we do not have control over the actual Okta tenant for security reasons. So with that in mind, I have some follow up questions:
|
We throw that exception in a few places: notably: okta-oidc-android/library/src/main/java/com/okta/oidc/net/HttpResponse.java Lines 109 to 127 in 69a87fc
This could happen due to introspect/configuration/authorize calls. The way I forced an invalid token is via a Charles Proxy breakpoint. It seems like your line numbers aren't matching up in your stack trace. Are you using proguard/minification? This SDK isn't meant to be used with proguard, so you'll need to add a keep rule (which should already be happening automatically https://github.com/okta/okta-oidc-android/blob/master/library/proguard-rules.pro#L1) |
The project that consumes my library does. I've gone back and added in the proguard rule to my library's consumer proguard file for the future just to be sure.
I've gone through and tested this out in Charles, and when I invalidate the refresh token I do see the "invalid_grant" response, so it looks like the refresh token response is behaving correct when the refresh token is invalid. So then if this issue is unrelated to refresh tokens being invalid, I'm at a loss for the actual cause. Generally 400 errors occur due to incorrectly typed URL, malformed syntax, or a URL that contains illegal characters, but in this case my requests are going fully through the oidc library call |
Access tokens aren't used as part of the refresh token process. Another thing you could do is look through syslog for why the requests are failing. |
@JayNewstrom I ran the request in Charles again, invalidated the refresh token and in Charles I see the correct error being returned from the raw Okta call But looking at my console log for my app while this was call was executed shows that the oidc API call I can repo this each time this way. |
The exception is being wrapped. You can access the inner exception via |
@JayNewstrom |
It doesn't look like it's exposed. However, if you want to migrate to the new SDK, it's exposed as HttpResponseException. |
I was unaware of a new SDK, I'll open a ticket on our side and look to start migration in the future. For now though, my main concern is making sure that the Sentry reports we are seeing are not actual issues (I wouldn't call an expired refresh token a problem). So from the above conversation, is the expected behaviour of |
Yes, this is an expected error. |
@JayNewstrom Excellent, I'll update my docs and Sentry reporting to note this, and we'll look to migrate to the new SDK in the future. Thank you for your time! |
Please let me know if you have any feedback on the new SDK too! Thanks |
I'm going to close this for now. But if you have more questions, feel free to open a new issue! |
Describe the bug?
sessionClient.refreshToken
is returning a generic 400 bad request error for some or our users. I have been unable to reproduce this locally, but in our crash reporting we see the following error:My guess is that the refresh tokens have expired for these users, however, the error does not indicate that this is the problem.
I see that there have been reports in the past for ambiguous error codes (#274) and I am wondering if this is somewhat related.
What is expected to happen?
If this was in fact a valid refresh token expiry, according to this ticket (#274) I would expect an error along the lines of:
What is the actual behavior?
I am being given the error:
which is not very descriptive about what the actual problem is.
Reproduction Steps?
Unable to reproduce this locally - I am guessing I have to wait the refresh token expiry on a device. I have a device sitting right now, but there is still awhile on the expiry before I can test this out.
But we have a bunch of Sentry reports that indicate the same error is being returned to numerous users and that this is not simply a one off case.
Additional Information?
People have been commenting in #165 with similar issues, but since that ticket is closed I am unsure it is getting visibility.
SDK Version
1.3.2
Build Information
No response
The text was updated successfully, but these errors were encountered: