If a user logs in with refresh tokens, then revokes user consent to make them inert, native login will get stuck in a bad state. It will attempt to refresh the access token with the bad refresh token, but won't handle the invalid refresh token grant. This can also cause logout to not work properly if the caller is checking whether tokens are active by attempting to load them, due to the wrong exception being thrown (globus_sdk.exc.AuthAPIError
instead of TokensExpired
).
I'm not sure if this is a problem with how pilot is calling into the native client, or if native client needs to be smarter in not assuming refresh tokens are valid. Probably both. I'll open an issue in both places just in case.
(exalearn) Firefly:scripts nick$ pilot logout
Traceback (most recent call last):
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/fair_research_login/client.py", line 134, in load_tokens
check_expired(tokens)
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/fair_research_login/token_storage/storage_tools.py", line 12, in check_expired
raise TokensExpired(resource_servers=expired)
fair_research_login.exc.TokensExpired: auth.globus.org, petrel_https_server, search.api.globus.org, transfer.api.globus.org
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/nick/anaconda3/envs/exalearn/bin/pilot", line 11, in <module>
load_entry_point('pilot1-tools==0.3.1.dev0', 'console_scripts', 'pilot')()
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/click/core.py", line 764, in __call__
return self.main(*args, **kwargs)
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/click/core.py", line 1134, in invoke
Command.invoke(self, ctx)
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/click/decorators.py", line 17, in new_func
return f(get_current_context(), *args, **kwargs)
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/pilot1_tools-0.3.1.dev0-py3.7.egg/pilot/commands/main.py", line 30, in cli
if pc.is_logged_in():
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/pilot1_tools-0.3.1.dev0-py3.7.egg/pilot/client.py", line 48, in is_logged_in
self.load_tokens()
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/fair_research_login/client.py", line 139, in load_tokens
tokens.update(self.refresh_tokens(expired))
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/fair_research_login/client.py", line 158, in refresh_tokens
authorizer.check_expiration_time()
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/globus_sdk/authorizers/renewing.py", line 170, in check_expiration_time
self._get_new_access_token()
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/globus_sdk/authorizers/renewing.py", line 134, in _get_new_access_token
res = self._get_token_response()
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/globus_sdk/authorizers/refresh_token.py", line 84, in _get_token_response
return self.auth_client.oauth2_refresh_token(self.refresh_token)
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/globus_sdk/auth/client_types/native_client.py", line 136, in oauth2_refresh_token
return self.oauth2_token(form_data)
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/globus_sdk/auth/client_types/base.py", line 400, in oauth2_token
"/v2/oauth2/token", response_class=response_class, text_body=form_data
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/globus_sdk/base.py", line 288, in post
retry_401=retry_401,
File "/Users/nick/anaconda3/envs/exalearn/lib/python3.7/site-packages/globus_sdk/base.py", line 553, in _request
raise self.error_class(r)
globus_sdk.exc.AuthAPIError: (400, 'Error', 'invalid_grant')