
Why is Doorkeeper returning expired authorization codes? #882

Closed
theycallmeswift opened this issue Sep 17, 2016 · 11 comments

Comments

@theycallmeswift
Contributor

I've got an OAuth API using Doorkeeper 3.1.0. For a small number of users (~5%) when they request an authorization code, the API is returning an expired or revoked code.

For example, here's a line from today's server logs (2016-09-17):

2016-09-17T19:36:30.032406+00:00 heroku[router]: at=info method=GET path="/callback?code=e2a96d3d24621b22d11f5feae2b2234630a1785cc61f6e7391579e203d74c3b1"

When I look at that token in the database, I see that it was created yesterday and revoked yesterday as well:

#<Doorkeeper::AccessGrant id: 57260, resource_owner_id: 22196, application_id: 174, token: "e2a96d3d24621b22d11f5feae2b2234630a1785cc61f6e7391...", expires_in: 600, redirect_uri: "https://example.com/callback", created_at: "2016-09-16 23:53:05", revoked_at: "2016-09-16 23:53:06", scopes: "profile contact events">

Why would Doorkeeper send users an expired or revoked token?

@heavysixer

heavysixer commented Sep 20, 2016

We are seeing the same problem.

I believe the root of the problem is probably here:

def last_authorized_token_for(application_id, resource_owner_id)

More than likely it should check to ensure the token is not already expired before returning it.

@theycallmeswift
Contributor Author

Is there a reason that method isn't using the find_or_create_for method right above it?

def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)

@heavysixer

heavysixer commented Sep 20, 2016

@theycallmeswift it actually starts there and then eventually winds up at the method I pointed out, I believe.

For us it goes find_or_create_for -> matching_token_for -> last_authorized_token_for -> find_by
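The lookup chain described above, as an added illustration that is not Doorkeeper's own code: a plain-Ruby model of an access grant row with the fields shown in the issue, a naive "newest row" lookup beside one that filters out revoked and expired rows before reusing anything. The Grant struct, the function names and the sample rows (one mirroring the record quoted in the issue, the others constructed) are assumptions for this example.

```ruby
require 'time'
require 'securerandom'

# Hypothetical stand-in for a Doorkeeper::AccessGrant / AccessToken row.
# Only the columns quoted in the issue are modelled.
Grant = Struct.new(:id, :token, :expires_in, :created_at, :revoked_at, keyword_init: true) do
  def revoked?
    !revoked_at.nil?
  end

  # expires_in is seconds from created_at, as in the quoted record (600).
  def expired?(now)
    now >= created_at + expires_in
  end

  def usable?(now)
    !revoked? && !expired?(now)
  end
end

# Constructed sample rows. 57260 mirrors the record from the issue
# (created and revoked a second apart the day before); the other two
# are invented to make the two lookups diverge.
GRANTS = [
  Grant.new(id: 57260, token: "e2a96d3d24621b22d11f5feae2b2234630a1785c",
            expires_in: 600,
            created_at: Time.parse("2016-09-16 23:53:05 UTC"),
            revoked_at: Time.parse("2016-09-16 23:53:06 UTC")),
  Grant.new(id: 57300, token: "still-live", expires_in: 600,
            created_at: Time.parse("2016-09-17 19:30:00 UTC"),
            revoked_at: nil),
  Grant.new(id: 57301, token: "already-exchanged", expires_in: 600,
            created_at: Time.parse("2016-09-17 19:35:00 UTC"),
            revoked_at: Time.parse("2016-09-17 19:35:01 UTC")),
].freeze

# Naive lookup: newest row for the (application, resource owner) pair,
# regardless of state. This is the behaviour the comment above suspects.
def last_token_naive(grants)
  grants.max_by(&:created_at)
end

# Guarded lookup: newest row that is neither revoked nor expired, or nil
# so the caller falls through to issuing a fresh grant.
def last_authorized_token(grants, now:)
  grants.select { |g| g.usable?(now) }.max_by(&:created_at)
end

# Reuse a live grant if one exists, otherwise mint a new one. The new
# row's id and token are constructed here; a real store would assign them.
def reuse_or_issue(grants, now:)
  last_authorized_token(grants, now: now) ||
    Grant.new(id: (grants.map(&:id).max || 0) + 1,
              token: SecureRandom.hex(32), expires_in: 600,
              created_at: now, revoked_at: nil)
end

if __FILE__ == $PROGRAM_NAME
  now = Time.parse("2016-09-17 19:36:30 UTC") # timestamp from the quoted log line
  puts "naive:   #{last_token_naive(GRANTS).id} revoked=#{last_token_naive(GRANTS).revoked?}"
  puts "guarded: #{last_authorized_token(GRANTS, now: now).id}"
end
```

With the request time taken from the quoted log line, the naive lookup hands back row 57301, which was revoked a second after it was created, while the guarded lookup returns the only row that is still live; with only revoked or expired rows present it returns nil and a fresh grant is issued instead.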

@theycallmeswift
Contributor Author

@heavysixer are you seeing this with access tokens or auth codes? We're seeing it for auth codes, which use a different mixin.

@heavysixer

@theycallmeswift Doorkeeper is returning expired oauth_access_tokens from that table. I think that means that they are access_tokens.

@theycallmeswift
Contributor Author

@heavysixer yeah, sounds like we're encountering different issues then. My issue is related to Authorization Codes being expired. May be connected somehow though.

@nbulaj
Member

nbulaj commented Nov 1, 2016

Hi @theycallmeswift. Have you tried updating Doorkeeper to a newer version?

I took a look at the Doorkeeper::AuthorizationsController. If I understand you correctly, the problem is an expired AccessGrant, so your OAuth stack uses the Doorkeeper::OAuth::CodeRequest strategy. And it always creates a new Grant record (only if @token is not already set - maybe the problem is hiding here?), even in version 3.1.0. So I could not understand how it could be...

Could you debug the Doorkeeper code? Or maybe provide more details about yours.

@nbulaj
Member

nbulaj commented Feb 8, 2018

Hi @theycallmeswift. Any news here? last_authorized_token_for is related to the AccessToken model; AccessGrants are issued in Doorkeeper::OAuth::Authorization::Code, where they can't be expired or revoked.

@nbulaj
Member

nbulaj commented Mar 15, 2018

Hi @theycallmeswift. Can you please clarify which request was invoked and returned an expired code? Maybe you can provide some additional info?

@theycallmeswift
Contributor Author

@nbulaj at this point, I don't have any additional info to provide. This intermittent issue still persists but has proven impossible for me to recreate. Please let me know if there are any specific queries or steps I can take that would be helpful.

@nbulaj
Member

nbulaj commented Jun 13, 2018

It seems like a stale issue. Without steps to reproduce we can't fix it. So currently I need to close the issue, but feel free to reopen it if additional details become available.
