How to handle the refresh token

[paul.watson.su]

Hi,

I'm using the REST API, I get an initial token using my username and password which works fine and gives me back a refresh token.

Request (secrets replaced with "value")

Code: Select all

client_id=&client_secret=&grant_type=password&username=value&password=value

Response (secrets replaced with "value")

Code: Select all

{
    "access_token": "value",
    "token_type": "bearer",
    "refresh_token": "value",
    "expires_in": 900,
    ".issued": "2021-06-11T15:30:14+01:00",
    ".expires": "2021-06-11T15:45:14+01:00"
}

Which I can then proceed to use fine. I then get a refresh token which comes back OK

Request (secrets replaced with "value")

Code: Select all

grant_type=refresh_token&refresh_token=value

Response (secrets replaced with "value")

Code: Select all

{
    "access_token": "value",
    "token_type": "bearer",
    "refresh_token": "value",
    "expires_in": 900,
    ".issued": "2021-06-11T15:34:06+01:00",
    ".expires": "2021-06-11T15:49:06+01:00"
}

Then when I hit any endpoint that requires authorisation I get back a HTTP 403 Forbidden response with no body or further details. Could someone advise me what I'm doing wrong? It sounds like I'm losing permissions in my refresh token.

I've also tried using /authorization_code and then refetching my initial token using the given authorization code with grant_type=authorization_code however this always fail with HTTP 401 Unauthorized.

Thank you in advance

[oleg.feoktistov]

Hi Paul,

I tested it in my lab and had no issues entering resource endpoints using access token re-generated with refresh token.
Might it be the case that you are trying to utilize refresh token instead of access token to query endpoints, which require authorization?

As for authorization code, it is a known bug, which we are planning to fix in vNext.

Thanks,
Oleg

[paul.watson.su]

Hi Oleg,

Looking at my logs I can confirm I was using the new access token given to me after trading in my refresh token on future requests.
The access token goes back into header of my requests as

Code: Select all

Authorization: Bearer eyJhbGciO...

On a possible side note I went to recreate it to double check however I'm seeing a different issue. I get my initial access token with username and password which works fine and I'm able to make queries. When I authorise the refresh token the first response from the oauth2/token endpoint comes back

Code: Select all

{
    "errorCode": "AccessDenied",
    "message": "The user name or password is incorrect.\r\n",
    "resourceId": null
}

And any subsequent requests come back

Code: Select all

{
    "errorCode": "AccessDenied",
    "message": "Token [153d14e9-8c7a-47ec-8fcc-beadc98dc335] with expiration date [29/06/2021 10:02:26] is invalid",
    "resourceId": null
}

Which confuses me as I was able to initially log in with username and password fine

Thanks again

[oleg.feoktistov]

Hi Paul,

Do you have any cumulative patches installed on VBR? I patched my server and can see some issues with refresh token now, but they differ from yours. So, I'm trying to figure out where it could go wrong.

Thanks,
Oleg

[paul.watson.su]

Hi Oleg,

I don't believe so. From what I understand we have version 11 but doing a 'Check for updates' doesn't report anything back.
I don't administer the Veeam instance myself but can get more information from the right people if needed.

Thanks,
Paul

[Cragdoo]

Hi Paul

https://www.veeam.com/kb4126

for the patch releases

[oleg.feoktistov]

Confirmed that refresh token doesn't work in both v11 GA or patched. Raised this question with QA. Will keep you posted. Thanks!

[oleg.feoktistov]

Discussed this issue with QA, and they confirmed it as a bug. The fixed is planned for vNext. Thanks!

[paul.watson.su]

Thank you Oleg for taking the time to look into this

[Cragdoo]

Is this issue addressed in v11a release?

[oleg.feoktistov]

It is, along with the authorization code 401 error also mentioned in this thread. Thanks!

[Cragdoo]

Upgraded to 11.0.1.1261 build .......but looks like the 403 error still happening. Doing a little more testing, and will report back

[oleg.feoktistov]

Re-checked this in my lab with 11a just in case, but couldn't see the same issue. Will be awaiting your feedback. Thanks!

[paul.watson.su]

I have tested this against 11.0.1.1261 and can confirm the issue still remains.

If I authorise oauth via password it works fine, I then wait 15 minutes and wait for a refresh token to appear then attempt to use Veeam endpoints again I get a 403 back.

If needed I can provide a Fiddler log.

[oleg.feoktistov]

Hi Paul,

I then wait 15 minutes and wait for a refresh token to appear

I don't quite understand which steps you did here. Could you please elaborate?
Did you login, cache refresh token somewhere, get a new one after 15 minutes of api session idling and then try to send request to some endpoint using new refresh token? Or was it something else that you did?

Thanks,
Oleg

[paul.watson.su]

I login initially with grant_type=password from who's response I note down the refresh_token and .expires. I then hit the endpoint /api/v1/sessions every minute and it works fine coming back with HTTP 200.
Once I've seen the current time has passed the .expires (which was 15 minutes in my testing) I send a new token request with grant_type=refresh_token and I set the field refresh_token to the refresh_token I obtained from the first login request. I get back a new access_token and now pass this in all new requests. However as soon as I use this new access_token and hit my endpoint I was using earlier /api/v1/sessions I will get back 403 Forbidden with no body.

[oleg.feoktistov]

Sorry for being off the radar, but I managed to check your issue now. Couldn't reproduce it, though. Please contact our support, provide them with logs and share case id here so that we could monitor it. Thanks!

[Cragdoo]

FYI , I have access to VBR v12 beta 2 and have installed the latest release of Squared Up and my initial testing seems to indicate this issue no longer occurs. I'll continue to do more testing, but this is good news so far ...

[Cragdoo]

worth pointing out, I am still seeing the issue with my vbr v11a installation and the latest version of Squared UP (5.5), something changed in VBR v12 beta 2? If I remember beta 1 also had the issue

[oleg.feoktistov]

Nothing has changed, I have been testing this issue since it was reported last year. The last time I managed to reproduce it was v11 patched. No such issue happened since then during my tests. Regarding v11a - please create a support case and provide our engineers with fidler logs. Thanks!


P.S. A note from developers - it would help if you let us know the file hash for restapi service in the support case. You can calculate it using native powershell cmdlet.