2

I have integrated a GitLab OAuth app in my web app. Users authenticate this OAuth app and give access to their GitLab repositories through the access token. Once a user connects his repositories with my web app, my web app saves the refresh token and access token in the DB, and a cron job runs every 2 hours to refresh the tokens so that it never loses the connection to the connected repositories (GitLab access tokens expire after 2 hours).

Here is the GitLab API URL which my cron job hits to refresh the tokens.

https://gitlab.com/oauth/token?client_id={}&client_secret={}&refresh_token={}&grant_type=refresh_token&redirect_uri={}

Now this cron job to refresh the tokens had been running perfectly for more than a week, and suddenly it failed to refresh the tokens, and hence I have lost the connection to user repositories. The error message received from the GitLab API is as follows:

The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

This job was running fine for a week, so all the parameters provided to the GitLab API URL seem fine to me, e.g. client_id, client_secret, refresh_token, redirect_uri etc.

What can be the possible reason for this token expiration? I have lost the connection to user repositories, and the only choice I am left with is to go back to the users and ask them to reconnect their repositories by re-authenticating the OAuth app.

Can the reason be that my cron job was running too often (12 times a day) and refreshing the tokens at a high frequency? Or maybe that the access token was still valid and trying to refresh that token caused this issue?

No, I can hit the API to refresh the token as many times as I want; I hit it 100 times in a few seconds and got my tokens refreshed 100 times.

I also used the access token to pull a repository, then updated the tokens and again used the previous (expired) access token to pull the repository; this time it failed to pull the repository for the obvious reason (the token had expired), and then I updated my tokens again. I can successfully update my tokens every time.

That means using an expired token to pull the repository is not the reason for the token expiration.

I need to know the real cause which has expired my tokens.

I need to emphasize that my refresh token has expired and I can no longer refresh my tokens.

I have read through the GitLab API docs and haven't found any clue of the reason why my token got expired.

umer

3 Answers

1

It seems like you tried to use a token that has been refreshed. That is, between the time you pulled the token value and used it, the refresh occurred, which immediately invalidated the token you were trying to use.

my web app saves the refresh token and access token in the DB and a cron job runs every 2 hours

Don't do this. In general, you should not be periodically refreshing these tokens because you will invalidate the active token, nor is there any real reason you should need to do so.

Just refresh the token at the moment when you actually need to use it, if the token is expired. Even though the access token may expire, the refresh token can still be used after the access token itself expires -- that's what the refresh token is for, after all.

sytech
    I don't really get your point. I have updated my question. I need to figure out the actual reason why my token got expired – umer Aug 23 '22 at 14:29
0

Please check that your service waits long enough for a response from GitLab (it may be reasonable to increase the timeout) and doesn't have retry logic: the refresh token can be used only once.

  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Nov 15 '22 at 07:09
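Added example, not code from the question or from either of the two answers above: a Python simulation of the refresh-token rotation that both answers describe (the refresh token is single-use, and a consumed or stale copy is rejected with `invalid_grant`). The token endpoint here is a constructed stand-in for `https://gitlab.com/oauth/token`, with an injectable clock so no real waiting happens. The client side shows the first answer's advice (refresh lazily, under a lock, and persist the new grant before using it), and two functions reproduce the failure modes raised in the answers: a retry after a timeout, and a cron job refreshing with a stale copy of the refresh token. Token formats and the single-use behaviour are assumptions made for the simulation.

```python
import secrets
import threading

ACCESS_TTL = 7200  # seconds; GitLab access tokens expire after 2 hours (per the question)


class FakeTokenEndpoint:
    """Constructed stand-in for the GitLab token endpoint. It models refresh token
    rotation: each grant_type=refresh_token call invalidates the refresh token it
    consumed and issues a fresh access/refresh pair."""

    def __init__(self, clock):
        self.clock = clock                 # injectable clock, so no real sleeping is needed
        self.live_refresh_tokens = set()

    def _issue(self):
        grant = {
            "access_token": "at-" + secrets.token_hex(4),    # constructed token format
            "refresh_token": "rt-" + secrets.token_hex(4),
            "expires_in": ACCESS_TTL,
            "created_at": self.clock(),
        }
        self.live_refresh_tokens.add(grant["refresh_token"])
        return grant

    def authorize(self):
        """The initial grant the user gives when connecting the app."""
        return self._issue()

    def refresh(self, refresh_token):
        """Single-use refresh: a consumed or unknown token gets invalid_grant."""
        if refresh_token not in self.live_refresh_tokens:
            return {"error": "invalid_grant"}
        self.live_refresh_tokens.discard(refresh_token)
        return self._issue()


class TokenStore:
    """Client side: the persisted grant plus a lock so only one refresh runs at a
    time; the new grant is stored before its access token is handed out."""

    def __init__(self, endpoint, clock, grant):
        self.endpoint, self.clock, self.grant = endpoint, clock, grant
        self.lock = threading.Lock()

    def access_token_expired(self, skew=60):
        g = self.grant
        return self.clock() >= g["created_at"] + g["expires_in"] - skew

    def get_access_token(self):
        with self.lock:
            if not self.access_token_expired():
                return self.grant["access_token"]   # still valid: no refresh needed
            new_grant = self.endpoint.refresh(self.grant["refresh_token"])
            if "error" in new_grant:
                # No retry with the same refresh token: it is gone. Surface the
                # failure so the user can be asked to reconnect.
                raise RuntimeError("refresh failed: " + new_grant["error"])
            self.grant = new_grant                  # persist first, then use
            return new_grant["access_token"]


def _fake_clock():
    state = {"now": 0}
    return state, (lambda: state["now"])


def lazy_refresh_distinct_tokens(hours=7 * 24):
    """Lazy refresh over a simulated week: one API call per hour, refreshing only
    when the access token is within 60 s of expiry. Returns the number of distinct
    access tokens used (one per two-hour window)."""
    state, clock = _fake_clock()
    endpoint = FakeTokenEndpoint(clock)
    store = TokenStore(endpoint, clock, endpoint.authorize())
    used = set()
    for hour in range(hours):
        state["now"] = hour * 3600
        used.add(store.get_access_token())
    return len(used)


def retry_after_timeout_error():
    """Second answer's failure mode: the endpoint processed the refresh, but the
    client timed out and retried with the same refresh token."""
    _, clock = _fake_clock()
    endpoint = FakeTokenEndpoint(clock)
    grant = endpoint.authorize()
    _lost = endpoint.refresh(grant["refresh_token"])   # response never reached the client
    retry = endpoint.refresh(grant["refresh_token"])   # naive retry burns the grant
    return retry.get("error")


def stale_copy_refresh_error():
    """First answer's failure mode: a cron job reads the refresh token, another
    code path refreshes in between, and the cron job then uses its stale copy."""
    _, clock = _fake_clock()
    endpoint = FakeTokenEndpoint(clock)
    store = TokenStore(endpoint, clock, endpoint.authorize())
    cron_copy = store.grant["refresh_token"]           # read from the DB into memory
    store.grant = endpoint.refresh(cron_copy)          # another path refreshed meanwhile
    return endpoint.refresh(cron_copy).get("error")    # the stale copy is rejected
```

The real endpoint takes the same parameters as the URL in the question; sending `client_secret` and `refresh_token` in a POST body rather than the query string keeps them out of proxy and web-server access logs. The two error functions return `"invalid_grant"`, which is the same condition the question's error message reports; `lazy_refresh_distinct_tokens()` returns 84 for a simulated week, one token per two-hour window, with no refresh ever attempted while a token is still valid.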
0

Depending on the resource owner (GitLab, etc.), there are various reasons why a refresh_token could have become invalidated.

A few to note:

  • Your integration was reauthorized, invalidating any existing access_tokens and refresh_tokens
  • If a new access_token is generated, both the previous access_token and refresh_token will become invalid.
  • If the integration was deauthorized by an end user or the token was revoked programmatically (not sure if GitLab offers this)

You might also find some of the tips in this OAuth Troubleshooting Guide helpful.

  • If a new access_token is generated, both the previous access_token and refresh_token will become invalid: according to my test, generating a new access_token doesn't invalidate the previous tokens in gitlab... – Brainless Apr 18 '23 at 16:38