Google Oauth returns an error after access token expires about cumulus HOT 13 CLOSED

Interestingly, I'm hitting the 401 error on my first attempt to log in to the dashboard via Google. Perhaps I have something misconfigured, so let me dive into this a bit deeper and see what I find.

from cumulus.

I spent a bit more time on this and confirmed the behavior you are experiencing. It looks like the internet confirms it as well.

However, that SO post suggests another possible solution: adding a parameter of prompt with a value of consent to the authorization URL. This will cause authorization with Google to always return a refreshToken. The downside is that it will also ask you to re-authorize the app every time you login. I tested this solution locally and it seemed to resolve the issue as well.

There might be some minor annoyance to authorizing the app every time you login via Google, but just to be clear it is not asking you to re-authenticate (re-enter your username/password) every time. You just have to re-click your account name to authorize it for login:

I'm also somewhat hesitant about removing the refreshToken as a required field in the schema, because for Earthdata login it is necessary to support automatic session refreshes. So If we removed it as a required field and had some future regression where refreshTokens were not returned for EDL, then session refreshes would ultimately fail, but we wouldn't get the same immediate feedback from the schema failure on login.

I'm inclined towards the prompt=consent as the solution here. What do you think?

cc @yjpa7145 - Do you have any thoughts on the preferred solution here?

from cumulus.

yeah, I veered towards the schema solution mostly because I saw it as a bit of a nuisance for the auth prompt every time from a UX perspective. that said, you make a fair argument, especially considering Earthdata is the larger use case here and i wouldn't consider getting prompted again a dealbreaker, especially given that it errors at the moment

another consideration is how oauth providers other than google handle a similar situation, though I'm generally not familiar with the technicalities of the standard. perhaps that could help make an argument one way or another. i can try to dig a little on that if it's a worthwhile consideration

from cumulus.

I'm also somewhat hesitant about removing the refreshToken as a required field in the schema, because for Earthdata login it is necessary to support automatic session refreshes. So If we removed it as a required field and had some future regression where refreshTokens were not returned for EDL, then session refreshes would ultimately fail, but we wouldn't get the same immediate feedback from the schema failure on login.

If there are going to be cases where an access token does not have a refresh token, I don't have a problem with making that an optional field. If the concern is that Earthdata Login could change and not send a refresh token back, we could always add an explicit check here:

from cumulus.

@colbyfayock Are you using the Cumulus Dashboard when this is happening?

from cumulus.

@yjpa7145 yup - cumulus dashboard

from cumulus.

OK. I'm fine to go with dropping refreshToken as a required field and adding more strict checks for Earthdata login if necessary.

@colbyfayock - Our integration tests still don't run correctly on forked PRs, which blocks the PR from getting merged. So I'm going to copy your changes into another branch I create, submit a PR from that branch, and close your PR. I'm sorry, I know this is a non-ideal workflow.

from cumulus.

@markdboyd no worries, I saw that part in the contrib guide so was expecting it :) thanks for the heads up

from cumulus.

thanks @markdboyd - any idea when i can expect this in a release available via npm?

from cumulus.

We don't have a release date for the next release yet.

What is your use case for Cumulus? Is this a major blocker for you?

from cumulus.

We're using it for a data processing pipeline. Not a major blocker at the moment.

from cumulus.

@colbyfayock This has been released in 1.11.3

from cumulus.

@laurenfrederick awesome, thanks for the heads up 🙌

from cumulus.