[BUG] OAuth2 token is not renewed after being revoked

[jesmrec]

Steps to reproduce

1. Start an OAuth2 session
2. After some minutes and correct renewals, open webUI -> Settings -> Security, and revoke the Android session
3. In the app, session finishes, displaying a Snackbar "Authentication Failed". Open "Manage accounts", tap on key icon to re-authenticate.
4. Reauthentication

Actual behaviour

From this point, the app is not automatically renewed anymore. Once the token expires, regular 401 is received

<?xml version="1.0" encoding="utf-8"?> <d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns"> <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception> <s:message>No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, Bearer token was incorrect, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured</s:message> </d:error>

but no POST to renew

Expected behaviour

POST sent to renew

Samsung S9 v9
NExus 5X v8

[jesmrec]

After changing the native implementation to the library AppAuth (#2793) , the problem is still there. Moving to the current milestone.

[jesmrec]

Diving a bit in the issue:

I was granted the following token information after a correct renewal:

{
    "access_token": "jJbmhbwb3OHW9T23IoJxc1oUrjmJYRf3RAJ6ixfsnxFXA7jKuBltU5Q9vYEBhjIU",
    "expires_in": 120,
    "message_url": "http://192.168.1.126:19000/apps/oauth2/authorization-successful",
    "refresh_token": "Eag4vji4VPD8vR9d5A50qrSfpkkfVq6HAD3gFKD8I0SK9nKbecHH16MJIap0p7rZ",
    "token_type": "Bearer",
    "user_id": "user1"
}

After that, i revoke the token in the UI, so, the app ask for new authentication

After entering credentials and authorizating again, this is the token info i got:

{
    "access_token": "ihikrTjdIP1Yn9Nf1D8NkEVLXrBYx7KdTG0z2hGq4XFHkqwcS9pzaQIyFnCz7i4C",
    "expires_in": 120,
    "message_url": "http://192.168.1.126:19000/apps/oauth2/authorization-successful",
    "refresh_token": "69sQb6GmdLNZQ5RvkX5iPGLm7GdHacWn6b61zVILzKS912ocKqMTpDLtV2opnyTH",
    "token_type": "Bearer",
    "user_id": "user1"
}

when the token expires again, the body request in the POST to the token authorization endpoint is:

refresh_token: Eag4vji4VPD8vR9d5A50qrSfpkkfVq6HAD3gFKD8I0SK9nKbecHH16MJIap0p7rZ
grant_type:    refresh_token

returning

{
    "error": "invalid_grant"
}

so, the refresh token info is not refreshed after the external revoking, so it is not posible to get a new one.

I reproduced that with Android 10, and server 10.4 with OAuth2 0.4.3.

I hope it helps.

[jesmrec]

After re-checking in the branch "new_arch/complete_login_flow" , it is not reproducible there. When such branch is tested, it will be rechecked again and closed in case the problem has gone.

[cdamken]

how is the server session handle?

Could you configure the server with this:

"redis.session.lock_expire": "0",
"redis.session.lock_retries": "750",
"redis.session.lock_wait_time": "20000",
"redis.session.locking_enabled": "1"

"session.save_handler": "redis",
"session.save_path": "tcp:\/\/127.0.0.1:6379",

[jesmrec]

The client handles the session only with the token (this is the OAuth2 aim).

Such server parameters must not affect. In any case, are they set up in config.php? just for taking a look. In any case, the problem mentioned here is (or was) 100% in client side.

[cdamken]

@jesmrec This configuration that I wrote is not in the config.php, is in the php.ini

Those parameters are needed in the server to handle the OAuth token.

[jesmrec]

The problem was fixed in the branch new_arch/complete_login_flow

So, this will be ready in 2.15-beta1 and the later official version