RESTful knowledge exchange
paul.watson.su
Novice
Posts: 6
Liked: 1 time
Joined: Jun 11, 2021 9:22 am
Full Name: Paul Watson

How to handle the refresh token

Post by paul.watson.su » 1 person likes this post

Hi,

I'm using the REST API. I get an initial token using my username and password, which works fine and gives me back a refresh token.

Request (secrets replaced with "value")

Code:
client_id=&client_secret=&grant_type=password&username=value&password=value
Response (secrets replaced with "value")

Code:
{
    "access_token": "value",
    "token_type": "bearer",
    "refresh_token": "value",
    "expires_in": 900,
    ".issued": "2021-06-11T15:30:14+01:00",
    ".expires": "2021-06-11T15:45:14+01:00"
}
Which I can then proceed to use fine. I then get a refresh token, which comes back OK.

Request (secrets replaced with "value")

Code:
grant_type=refresh_token&refresh_token=value
Response (secrets replaced with "value")

Code:
{
    "access_token": "value",
    "token_type": "bearer",
    "refresh_token": "value",
    "expires_in": 900,
    ".issued": "2021-06-11T15:34:06+01:00",
    ".expires": "2021-06-11T15:49:06+01:00"
}
Then when I hit any endpoint that requires authorisation I get back an HTTP 403 Forbidden response with no body or further details. Could someone advise me what I'm doing wrong? It sounds like I'm losing permissions in my refresh token.

I've also tried using /authorization_code and then refetching my initial token using the given authorization code with grant_type=authorization_code; however, this always fails with HTTP 401 Unauthorized.

Thank you in advance

oleg.feoktistov
Veeam Software
Posts: 1496
Liked: 494 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: How to handle the refresh token

Post by oleg.feoktistov »

Hi Paul,

I tested it in my lab and had no issues entering resource endpoints using an access token re-generated with a refresh token.
Might it be the case that you are trying to utilize the refresh token instead of the access token to query endpoints which require authorization?

As for authorization code, it is a known bug, which we are planning to fix in vNext.

Thanks,
Oleg

paul.watson.su
Novice
Posts: 6
Liked: 1 time
Joined: Jun 11, 2021 9:22 am
Full Name: Paul Watson

Re: How to handle the refresh token

Post by paul.watson.su »

Hi Oleg,

Looking at my logs I can confirm I was using the new access token given to me after trading in my refresh token on future requests.
The access token goes back into the header of my requests as

Code:
Authorization: Bearer eyJhbGciO...
On a possible side note, I went to recreate it to double check; however, I'm seeing a different issue. I get my initial access token with username and password, which works fine, and I'm able to make queries. When I authorise the refresh token, the first response from the oauth2/token endpoint comes back

Code:
{
    "errorCode": "AccessDenied",
    "message": "The user name or password is incorrect.\r\n",
    "resourceId": null
}
And any subsequent requests come back

Code:
{
    "errorCode": "AccessDenied",
    "message": "Token [153d14e9-8c7a-47ec-8fcc-beadc98dc335] with expiration date [29/06/2021 10:02:26] is invalid",
    "resourceId": null
}
Which confuses me, as I was able to initially log in with username and password fine.

Thanks again

oleg.feoktistov
Veeam Software
Posts: 1496
Liked: 494 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: How to handle the refresh token

Post by oleg.feoktistov »

Hi Paul,

Do you have any cumulative patches installed on VBR? I patched my server and can see some issues with refresh token now, but they differ from yours. So, I'm trying to figure out where it could go wrong.

Thanks,
Oleg

paul.watson.su
Novice
Posts: 6
Liked: 1 time
Joined: Jun 11, 2021 9:22 am
Full Name: Paul Watson

Re: How to handle the refresh token

Post by paul.watson.su »

Hi Oleg,

I don't believe so. From what I understand we have version 11 but doing a 'Check for updates' doesn't report anything back.
I don't administer the Veeam instance myself but can get more information from the right people if needed.

Thanks,
Paul

Cragdoo
Veeam Vanguard
Posts: 610
Liked: 248 times
Joined: Sep 27, 2011 12:17 pm
Full Name: Craig Dalrymple
Location: Scotland

Re: How to handle the refresh token

Post by Cragdoo » 1 person likes this post

Hi Paul

https://www.veeam.com/kb4126

for the patch releases

oleg.feoktistov
Veeam Software
Posts: 1496
Liked: 494 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: How to handle the refresh token

Post by oleg.feoktistov »

Confirmed that the refresh token doesn't work in either v11 GA or patched. Raised this question with QA. Will keep you posted. Thanks!

oleg.feoktistov
Veeam Software
Posts: 1496
Liked: 494 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: How to handle the refresh token

Post by oleg.feoktistov »

Discussed this issue with QA, and they confirmed it as a bug. The fix is planned for vNext. Thanks!

paul.watson.su
Novice
Posts: 6
Liked: 1 time
Joined: Jun 11, 2021 9:22 am
Full Name: Paul Watson

Re: How to handle the refresh token

Post by paul.watson.su »

Thank you Oleg for taking the time to look into this

Cragdoo
Veeam Vanguard
Posts: 610
Liked: 248 times
Joined: Sep 27, 2011 12:17 pm
Full Name: Craig Dalrymple
Location: Scotland

Re: How to handle the refresh token

Post by Cragdoo »

Is this issue addressed in v11a release?

oleg.feoktistov
Veeam Software
Posts: 1496
Liked: 494 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: How to handle the refresh token

Post by oleg.feoktistov »

It is, along with the authorization code 401 error also mentioned in this thread. Thanks!

Cragdoo
Veeam Vanguard
Posts: 610
Liked: 248 times
Joined: Sep 27, 2011 12:17 pm
Full Name: Craig Dalrymple
Location: Scotland

Re: How to handle the refresh token

Post by Cragdoo »

Upgraded to 11.0.1.1261 build... but it looks like the 403 error is still happening. Doing a little more testing, and will report back.

oleg.feoktistov
Veeam Software
Posts: 1496
Liked: 494 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: How to handle the refresh token

Post by oleg.feoktistov »

Re-checked this in my lab with 11a just in case, but couldn't see the same issue. Will be awaiting your feedback. Thanks!

paul.watson.su
Novice
Posts: 6
Liked: 1 time
Joined: Jun 11, 2021 9:22 am
Full Name: Paul Watson

Re: How to handle the refresh token

Post by paul.watson.su »

I have tested this against 11.0.1.1261 and can confirm the issue still remains.

If I authorise OAuth via password it works fine. I then wait 15 minutes and wait for a refresh token to appear, then attempt to use Veeam endpoints again, and I get a 403 back.

If needed I can provide a Fiddler log.

oleg.feoktistov
Veeam Software
Posts: 1496
Liked: 494 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: How to handle the refresh token

Post by oleg.feoktistov »

Hi Paul,
"I then wait 15 minutes and wait for a refresh token to appear"
I don't quite understand which steps you did here. Could you please elaborate?
Did you log in, cache the refresh token somewhere, get a new one after 15 minutes of API session idling and then try to send a request to some endpoint using the new refresh token? Or was it something else that you did?

Thanks,
Oleg

paul.watson.su
Novice
Posts: 6
Liked: 1 time
Joined: Jun 11, 2021 9:22 am
Full Name: Paul Watson

Re: How to handle the refresh token

Post by paul.watson.su »

I log in initially with grant_type=password, from whose response I note down the refresh_token and .expires. I then hit the endpoint /api/v1/sessions every minute and it works fine, coming back with HTTP 200.
Once I've seen the current time has passed the .expires (which was 15 minutes in my testing), I send a new token request with grant_type=refresh_token and I set the field refresh_token to the refresh_token I obtained from the first login request. I get back a new access_token and now pass this in all new requests. However, as soon as I use this new access_token and hit the endpoint I was using earlier, /api/v1/sessions, I get back 403 Forbidden with no body.
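
The token lifecycle described in the opening post's request/response pairs and in the step-by-step above, as an added example that is not Veeam's code or the poster's: a small client that keeps the access/refresh pair, refreshes once .expires has passed, and always sends the access token as the bearer (the mix-up Oleg asked about). The base URL, the /api/oauth2/token path and the x-api-version header are assumptions not shown in the thread, and the server side is a constructed fake so the flow runs offline.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode
from uuid import uuid4

class VbrTokenClient:  # keeps the access/refresh pair, re-issues the bearer header once .expires has passed
    def __init__(self, base_url, post, api_version="1.0-rev1"):  # api_version: assumption, not shown in the thread
        self.base_url, self.post, self.api_version = base_url.rstrip("/"), post, api_version
        self.access_token = self.refresh_token = self.expires_at = None
    def token(self, form):  # POST application/x-www-form-urlencoded to the oauth2/token endpoint
        headers = {"Content-Type": "application/x-www-form-urlencoded", "x-api-version": self.api_version}
        status, body = self.post(self.base_url + "/api/oauth2/token", headers, urlencode(form))
        if status != 200:  # e.g. the {"errorCode": "AccessDenied", ...} body quoted in the thread
            raise RuntimeError(f"token request failed: {status} {body}")
        self.access_token, self.refresh_token = body["access_token"], body["refresh_token"]
        self.expires_at = datetime.fromisoformat(body[".expires"])  # tz-aware, like the thread's responses
    def auth_header(self, now):
        if now >= self.expires_at:  # trade the refresh token for a new pair
            self.token({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        return {"Authorization": f"Bearer {self.access_token}", "x-api-version": self.api_version}  # never the refresh token

class FakeVbr:  # constructed stand-in for the server: issues 15-minute tokens shaped like the thread's responses
    def __init__(self, clock):
        self.clock, self.access, self.refresh = clock, {}, set()  # access: token -> expiry time
    def post(self, url, headers, body):
        f = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        ok = (f.get("grant_type") == "password" and f.get("password") == "constructed-pw") or (
            f.get("grant_type") == "refresh_token" and f.get("refresh_token") in self.refresh)
        if not url.endswith("/api/oauth2/token") or not ok:
            return 401, {"errorCode": "AccessDenied", "message": "The user name or password is incorrect."}
        access, refresh, issued = uuid4().hex, uuid4().hex, self.clock()
        self.access[access] = issued + timedelta(seconds=900)
        self.refresh.add(refresh)
        return 200, {"access_token": access, "token_type": "bearer", "refresh_token": refresh, "expires_in": 900,
                     ".issued": issued.isoformat(), ".expires": self.access[access].isoformat()}
    def get_sessions(self, headers):  # stands in for GET /api/v1/sessions, the endpoint polled in the thread
        token = headers.get("Authorization", "").partition("Bearer ")[2]
        return 200 if token in self.access and self.clock() < self.access[token] else 403

def demo():  # replays the thread's scenario on the fake server; returns the four observed HTTP statuses
    now = [datetime.fromisoformat("2021-06-11T15:30:14+01:00")]  # constructed clock, the .issued time on the page
    server = FakeVbr(lambda: now[0])
    client = VbrTokenClient("https://vbr.example.invalid:9419", server.post)
    client.token({"client_id": "", "client_secret": "", "grant_type": "password",
                  "username": "paul", "password": "constructed-pw"})  # same form as the opening post
    first = server.get_sessions(client.auth_header(now[0]))  # fresh access token -> 200
    now[0] += timedelta(minutes=16)  # past .expires
    stale = server.get_sessions({"Authorization": f"Bearer {client.access_token}"})  # old token -> 403
    second = server.get_sessions(client.auth_header(now[0]))  # auth_header refreshed first -> 200
    misuse = server.get_sessions({"Authorization": f"Bearer {client.refresh_token}"})  # refresh token as bearer -> 403
    return first, stale, second, misuse
```

Against the fake, demo() returns (200, 403, 200, 403); against a real VBR server showing the bug in this thread, the third call would be the 403 Paul describes, which is the comparison worth attaching to a support case.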

oleg.feoktistov
Veeam Software
Posts: 1496
Liked: 494 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: How to handle the refresh token

Post by oleg.feoktistov »

Sorry for being off the radar, but I managed to check your issue now. Couldn't reproduce it, though. Please contact our support, provide them with logs and share case id here so that we could monitor it. Thanks!

Cragdoo
Veeam Vanguard
Posts: 610
Liked: 248 times
Joined: Sep 27, 2011 12:17 pm
Full Name: Craig Dalrymple
Location: Scotland

Re: How to handle the refresh token

Post by Cragdoo » 1 person likes this post

FYI, I have access to VBR v12 beta 2 and have installed the latest release of Squared Up, and my initial testing seems to indicate this issue no longer occurs. I'll continue to do more testing, but this is good news so far...

Cragdoo
Veeam Vanguard
Posts: 610
Liked: 248 times
Joined: Sep 27, 2011 12:17 pm
Full Name: Craig Dalrymple
Location: Scotland

Re: How to handle the refresh token

Post by Cragdoo »

Worth pointing out, I am still seeing the issue with my VBR v11a installation and the latest version of Squared Up (5.5). Has something changed in VBR v12 beta 2? If I remember, beta 1 also had the issue.

oleg.feoktistov
Veeam Software
Posts: 1496
Liked: 494 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: How to handle the refresh token

Post by oleg.feoktistov »

Nothing has changed, I have been testing this issue since it was reported last year. The last time I managed to reproduce it was v11 patched. No such issue has happened since then during my tests. Regarding v11a - please create a support case and provide our engineers with Fiddler logs. Thanks!

P.S. A note from developers - it would help if you let us know the file hash for the restapi service in the support case. You can calculate it using the native PowerShell cmdlet.
