Refresh token not refreshing post 8-10 hrs
Hi,
We are working on a module and we have found that the tokens are not refreshing after 8 hrs, which is causing our pipeline to fail and hampering our deployments.
We need to understand why is this happening.
Thanks.
For direct approach feel free to approach us at-
radhika_edlabadkar@persistent.com
Comments
@Manoj Bhosale
auth token is only available for 60 minutes.
refresh token is good for 365 days.
auth token is used for making SKY API calls, refresh token is used to get new auth token.
are you talking about your refresh token is not allowing you to get new auth token after 8-10hrs?
I have a scheduled task that refreshes my auth token using the refresh token every 59 minutes, and it has been running for more than 1 year now with no issue (except when BB server had an issue).
0 -
@Alex Wong
Yes, the refresh token expires after 7-8 hours and we are not able to generate a new access token. Let me provide you more detail. We have 5 flows; each has a different token pair generated with a different client application but with a similar account/user. Is there any possibility the refresh token is revoked because one user has multiple client applications trying to refresh tokens, and the conflict leads to refresh token revocation?
Can the preserve refresh token approach help here?
0 -
@Manoj Bhosale
I don't believe multiple sets of auth token/refresh token is a problem. @Erik Leaver @Ben Wong may be able to provide some additional light.
However, I don't use this model. I have 1 set of auth token/refresh token. This one set of tokens is stored confidentially in a safe location on SharePoint, where a separate automation runs a refresh every 59 minutes; this refresh will push out the refresh expire date and store the auth token. Before any other automation may use the stored auth token, it will check the “expiration” date first (which is also stored when the refresh happens) and if expired, will call the refresh automation to do a refresh first. This is in case the refresh automation has a glitch and fails to do the refresh.
0 -
Thanks for the tag and providing great directions, @Alex Wong. @Manoj Bhosale if you have multiple concurrent processes that are performing the OAuth 2.0 flow, then it's likely that you're invalidating the refresh tokens when the first one is used. Preserving the refresh token should help with this but you should be rotating the refresh token regularly (daily, weekly, monthly) otherwise you run the risk of it expiring after 365 days.
Hope that helps!
0 -
Thank you for response @Ben Wong
Could you please take a look at the queries below?
If concurrent OAuth flows cause an invalid refresh token,
- how does it work for 7-8 hours and then start failing?
- What are the options to make 5 flows work with different sets of tokens and prevent the refresh token from becoming invalid? In our use case 5 flows can run concurrently and we have a separate module for each to maintain the token specific to that flow. This is the reason we are using different token pairs, so refreshing the token for one flow does not impact another flow. But it looks like this approach is not helping here.
Could you help.
0 -
Thanks for response @Alex Wong
Posted a couple of questions here; if you have any inputs please suggest.
0 -
@Manoj Bhosale
“prevent refresh token become invalid.” Not when you are issued a new refresh token and have the old token revoked: https://datatracker.ietf.org/doc/html/rfc6749#section-6
"The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client."
The fact that it's happening after 7-8 hours, makes it seem like a collision during refresh or some cumulative effect. How are you storing the tokens (shared database, separate files, etc.)? Do all 5 processes refresh around the same time when their 60-minute access tokens expire?
If you are developing in React you can use mutex's async concurrent token renewal processes. I personally use Python where I designate one process as the token manager that all other applications connect through.
0 -
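The single token owner and the check-expiry-before-use pattern described in the comments above, as an added example that is not code from any poster or from Blackbaud. `FakeAuthServer` is a constructed stand-in for a token endpoint and assumes the server revokes the old refresh token on every rotation; all names are hypothetical.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class FakeAuthServer:
    """Constructed stand-in: rotates the refresh token on use, revokes the old one."""
    def __init__(self):
        self._lock, self._n, self.valid_refresh = threading.Lock(), 0, "rt-0"

    def refresh(self, refresh_token):
        with self._lock:
            if refresh_token != self.valid_refresh:
                raise PermissionError("invalid_grant")  # stale token rejected
            self._n += 1
            self.valid_refresh = f"rt-{self._n}"
            return {"access_token": f"at-{self._n}",
                    "refresh_token": self.valid_refresh, "expires_in": 3600}

class TokenManager:
    """Single owner of the token pair; every worker asks it for the access token."""
    def __init__(self, server, refresh_token, skew=60, clock=time.monotonic):
        self._server, self._refresh = server, refresh_token
        self._access, self._expires_at = None, 0.0
        self._skew, self._clock = skew, clock
        self._lock, self.refresh_calls = threading.Lock(), 0

    def get_access_token(self):
        with self._lock:  # at most one refresh in flight
            # Check the stored expiry first; refresh only when it is (nearly) due.
            if self._access is None or self._clock() >= self._expires_at - self._skew:
                resp = self._server.refresh(self._refresh)
                self._refresh = resp["refresh_token"]  # replace; never reuse the old one
                self._access = resp["access_token"]
                self._expires_at = self._clock() + resp["expires_in"]
                self.refresh_calls += 1
            return self._access

def run_workers(get_token, n=5):
    # Call get_token from n threads; return each token or the error it raised.
    def attempt(_):
        try:
            return get_token()
        except PermissionError as exc:
            return exc
    with ThreadPoolExecutor(max_workers=n) as pool:
        return list(pool.map(attempt, range(n)))

if __name__ == "__main__":
    racing = FakeAuthServer()  # five workers each replay their own copy of rt-0
    print(run_workers(lambda: racing.refresh("rt-0")["access_token"]))
    mgr = TokenManager(FakeAuthServer(), "rt-0")
    print(run_workers(mgr.get_access_token), mgr.refresh_calls)
```

For workers in separate processes or hosts, the same serialization needs a cross-process lock around the shared token store instead of `threading.Lock`.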
@Manoj Bhosale If you have separate flows happening, with 5 different refresh tokens, then you don't need to preserve the refresh token since each token will have its own expiration and each can be rotated without affecting the other.
Here are some common issues with authorization that you can check out:
0 -
@Manoj Bhosale
Why use 5 sets of auth token/refresh token? Why don't all processes use the same set of auth/refresh token?