okta/okta-sdk-python

Access token expiry not handled when using OAuth 2.0

lboynton opened this issue · 8 comments

When using OAuth 2.0 to authenticate with the Okta API, an access token is generated. This token is cached by the SDK and after some time expires, but there appears to be no logic in place to handle the token expiry and get a new access token.

There is a clear_access_token method to clear the access token, but I don't see where it's being used.

We have also experienced issues relating to token expiry when authenticating with a private key. As a workaround, we call clear_access_token manually and clear the request executor cache and headers to get a new token in the next request:

    def _clear_access_token():
        # Reaches into private attributes of the SDK's request executor:
        # drop the cached OAuth token, the cache entry, and the stale
        # Authorization header so the next request fetches a fresh token.
        okta_client._request_executor._oauth.clear_access_token()
        okta_client._request_executor._cache.delete("OKTA_ACCESS_TOKEN")
        # pop with a default so a missing header is not an error
        okta_client._request_executor._default_headers.pop("Authorization", None)

We would also like to know if there's a supported way of refreshing these tokens.

Thanks @haggrip! Tried something similar to this but I was missing the trick to clear the Authorization header, without that the old token is still used.

@lboynton Thank you for submitting this. We will review further internally; see comment here: #364 (comment)

Internal Ref#: OKTA-641384

My team has struggled with this issue. The way we have remediated this is to examine the exp claim on the token, and if we determine the token is expired, simply clear the access token before the next request and force the Client to request a new OAuth token. But this can also be done preemptively when we first grab the access token from the OAuth object - I have taken the liberty to draft this pull request that implements this change.

Of course, happy to see that pull request closed if this is not the intended direction for the SDK. As @haggrip mentioned, perhaps an alternative future direction could be refreshing the token instead of simply clearing it and requesting a new token.

@haggrip did your PR (#364) fix this issue? Struggling to work out if the PR was intended to fix this issue or just referenced it. I think it's still happening to me.

I can't tell if that PR made it into the main branch either or just dev, perhaps @bryanapellanes-okta could clarify?

@GraemeMeyerGT my PR only fixed a function for clearing the expired token. From what I remember, this is a workaround to get a new token. When we catch a token expired error, we clear the current token and re-attempt the request. When an existing token is not present, the SDK fetches a new token.

A real solution would involve the SDK properly renewing the existing token.
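The two approaches described in this thread, checking the exp claim before a request and clearing the cached token on a 401 then retrying once, combined in one added example. This is not code from okta-sdk-python; FakeOktaClient is a constructed stand-in whose current_token, clear_access_token and list_users methods are hypothetical, and the tokens are constructed JWTs whose signature segment is a placeholder. The exp check is a local staleness test only, which is why the 401 path is still needed: step 4 shows a client clock two minutes behind the server passing the local check and being rejected anyway.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: this
    only decides locally whether a cached token is stale; Okta verifies the
    signature server-side on every request regardless."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_expired(token: str, now: Optional[float] = None, leeway: int = 60) -> bool:
    """True if exp is within `leeway` seconds of `now` or already past."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return True  # a token with no exp is treated as unusable, not as eternal
    return now + leeway >= exp


def make_token(exp: int) -> str:
    """Constructed demo token: real header/payload encoding, placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'exp': exp})}.placeholder-signature"


class Unauthorized(Exception):
    """Stands in for the SDK surfacing an HTTP 401 from the Okta API."""


class FakeOktaClient:
    """Hypothetical stand-in for the SDK client (not the real okta-sdk-python API).
    It mimics only the behaviour discussed in the thread: a token is fetched once,
    cached, and the API starts answering 401 once that token's exp has passed."""

    def __init__(self, issuer, clock):
        self._issuer = issuer      # callable returning a freshly minted token
        self._clock = clock        # callable returning the server's epoch seconds
        self._cached = None
        self.tokens_issued = 0

    def current_token(self) -> Optional[str]:
        return self._cached

    def clear_access_token(self) -> None:
        """Drop the cached token so the next request fetches a new one."""
        self._cached = None

    def _token(self) -> str:
        if self._cached is None:
            self._cached = self._issuer()
            self.tokens_issued += 1
        return self._cached

    def list_users(self):
        token = self._token()
        if jwt_claims(token)["exp"] <= self._clock():   # server-side rejection
            raise Unauthorized("401 Unauthorized")
        return ["user@example.com"]


def call_with_token_recovery(client, method_name: str, now: Optional[float] = None, leeway: int = 60):
    """Proactive: clear a token whose exp is within leeway. Reactive: on 401,
    clear the cached token and retry exactly once."""
    token = client.current_token()
    if token is not None and token_expired(token, now=now, leeway=leeway):
        client.clear_access_token()
    method = getattr(client, method_name)
    try:
        return method()
    except Unauthorized:
        client.clear_access_token()
        return method()


def demo():
    """Returns tokens_issued after each step: fresh token, still valid,
    near expiry (proactive clear), and server-side 401 despite a lagging clock."""
    server_clock = [1_700_000_000.0]
    client = FakeOktaClient(
        issuer=lambda: make_token(int(server_clock[0]) + 3600),  # 1-hour tokens, as in the thread
        clock=lambda: server_clock[0],
    )
    issued = []
    call_with_token_recovery(client, "list_users", now=server_clock[0])        # token #1
    issued.append(client.tokens_issued)
    server_clock[0] += 3000                                                    # 50 min: still valid
    call_with_token_recovery(client, "list_users", now=server_clock[0])
    issued.append(client.tokens_issued)
    server_clock[0] += 550                                                     # 59m10s: inside leeway
    call_with_token_recovery(client, "list_users", now=server_clock[0])        # proactive -> token #2
    issued.append(client.tokens_issued)
    server_clock[0] += 3600                                                    # token #2 expired on server
    call_with_token_recovery(client, "list_users", now=server_clock[0] - 120)  # local clock lags -> 401 -> token #3
    issued.append(client.tokens_issued)
    return issued
```

Against the real SDK, clear_access_token would be the workaround posted earlier in this thread (clearing the OAuth object, the cache entry and the Authorization header together), and the 401 would come from the SDK's response rather than a raised exception.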

Thanks. I interpret from that that the okta-sdk-python doesn't have a dedicated method/function that can be called to trigger a refresh? I haven't been able to find one, but I'm a relative newbie and I'm finding the code a bit inscrutable, so I may have missed it. The SDK also seems not to have full documentation, unless I've missed that also.

For anyone else that has the same problem: My OktaClient is responding back with a 401 error, but as far as I can tell no further detail. This is after the app has been running for ~an hour, so I'm reasonably confident this is token expiry. (Token expiry time is 1 hour). I'm going to produce a bit of code to monitor the expiry time of the token and trigger a refresh/get a new token somehow. Will try to post that here when it's done.

I've submitted my own PR (#415) to fix this issue. @bryanapellanes-okta not sure if you're "in charge" of this issue from Okta's point of view, but if anyone from Okta would be able to give me an idea whether this has a hope of being accepted, that would be much appreciated.