Lack of 401 when token is expired in iOS client #89

Closed
jesmrec opened this issue Oct 5, 2017 · 5 comments
jesmrec commented Oct 5, 2017

I have noticed this (weird) behaviour with mobile clients using OAuth2, specifically on iOS:

When the access token is expired (checking the time in the DB) and the client sends a request, the server must respond with a lack of authorization so that a new token can be requested using the refresh token. Server v10.0.3 is responding 200 to the iOS client after token expiration, so the token is never renewed.

The Android client, using the same server instance, is being responded 401 when the token expires, as expected.

Version 10.0.3beta works properly on both Android and iOS, so maybe something went wrong on the way from 10.0.3beta to 10.0.3.

Example:

Token request in authorization stage:

2017-10-05 12:58:31
POST https://<my_server>/index.php/apps/oauth2/api/v1/token

Server JSON response:

{ "access_token": "6mAKKwcsf4qnZt6qGGPu2GhRmcu4J8lEGPHEbGOIfN0Ge2d994zGCantzStLWMly", "expires_in": 150, "message_url": "https://<my_server>/index.php/apps/oauth2/authorization-successful", "refresh_token": "kfirlcLzxb3Hm0iiSVL6pao7FqvqE6BMZV29AfDpH5EQHuneRFxvY3iEuFq3HZI0", "token_type": "Bearer", "user_id": "user1" }

150 seconds of life from 12:58:31, which means it is expired at approximately 13:01.

After waiting...

2017-10-05 13:02:29 GET https://<my_server>/ocs/v1.php/apps/files_sharing/api/v1/shares?path=&subfiles=true <- 200 OK text/xml 109b 188ms
Authorization: Bearer 6mAKKwcsf4qnZt6qGGPu2GhRmcu4J8lEGPHEbGOIfN0Ge2d994zGCantzStLWMly

2017-10-05 13:03:22 GET https://<my_server>/remote.php/webdav/ownCloud%20Manual.pdf <- 200 OK application/pdf 4m 2.29s
Authorization: Bearer 6mAKKwcsf4qnZt6qGGPu2GhRmcu4J8lEGPHEbGOIfN0Ge2d994zGCantzStLWMly

Over a server reporting:
{"installed":"true","maintenance":"false","needsDbUpgrade":"false","version":"10.0.3.3","versionstring":"10.0.3","productname":"ownCloud"}

CC @DeepDiver1975 @nasli @michaelstingl

related owncloud/core#28707

@DeepDiver1975
Member

I assume this is because the session cookie is transmitted as well and the token is not reevaluated. There is an open issue afaik
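The ordering problem DeepDiver1975 describes, as an added illustration that is not ownCloud's code: a server that lets a still-valid session cookie satisfy authentication before re-evaluating the bearer token keeps answering 200 after the token's 150-second lifetime, while one that checks a presented bearer token first returns 401 so the client can fall back to its refresh token. The token values, the `oc_session` cookie name and the request timestamps are constructed from the issue's timeline and are not real identifiers.

```python
from datetime import datetime, timedelta

# Constructed token store mirroring the issue: issued 12:58:31, expires_in 150,
# so the token is dead from 13:01:01 onwards. Values are placeholders.
TOKENS = {
    "ACCESS_TOKEN_PLACEHOLDER": {
        "user": "user1",
        "issued": datetime(2017, 10, 5, 12, 58, 31),
        "expires_in": timedelta(seconds=150),
    },
}
SESSIONS = {"SESSION_COOKIE_PLACEHOLDER": "user1"}  # constructed, still valid

# Constructed request matching the 13:02:29 GET: expired bearer token plus the
# session cookie the iOS client sends alongside it. Cookie name is hypothetical.
EXPIRED_REQUEST = {
    "Authorization": "Bearer ACCESS_TOKEN_PLACEHOLDER",
    "Cookie": "oc_session=SESSION_COOKIE_PLACEHOLDER",
}
T_BEFORE = datetime(2017, 10, 5, 12, 59, 31)  # within the 150 s lifetime
T_LATER = datetime(2017, 10, 5, 13, 2, 29)    # the request from the report

def bearer_status(headers, now):
    """('ok', user) for a live token, ('rejected', None) for an unknown or
    expired one, ('absent', None) when no Bearer header was sent."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "absent", None
    rec = TOKENS.get(auth[len("Bearer "):])
    if rec is None or now >= rec["issued"] + rec["expires_in"]:
        return "rejected", None
    return "ok", rec["user"]

def session_user(headers):
    """Resolve the hypothetical oc_session cookie to a user, or None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "oc_session" and value in SESSIONS:
            return SESSIONS[value]
    return None

def authenticate_buggy(headers, now):
    """Cookie wins first, so an expired bearer token is never re-evaluated."""
    user = session_user(headers)
    if user:
        return 200, user
    status, user = bearer_status(headers, now)
    return (200, user) if status == "ok" else (401, None)

def authenticate_fixed(headers, now):
    """A presented bearer token is authoritative; the cookie is only a fallback."""
    status, user = bearer_status(headers, now)
    if status == "ok":
        return 200, user
    if status == "rejected":
        return 401, None  # expired token -> 401 even though the cookie is valid
    user = session_user(headers)
    return (200, user) if user else (401, None)
```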

@jesmrec
Author

jesmrec commented Oct 5, 2017

link?

@DeepDiver1975
Member

owncloud/core#28733

@SamuAlfageme
Contributor

I'm assuming this one could be closed in favor of the more up-to-date #103 - @jesmrec, correct me if I'm wrong.

@jesmrec
Author

jesmrec commented Feb 12, 2018

You are right. Closing.

@jesmrec jesmrec closed this as completed Feb 12, 2018