Auth token expiring?

jonhilt1 · July 28, 2023, 9:31am

I have…

[x] Read the following guideline: https://docs.squidex.io/01-getting-started/installation/troubleshooting-and-support. I understand that my support request might get deleted if I do not follow the guideline.
[ x Used code blocks with ``` to format my code examples like JSON or logs properly.

I’m submitting a…

[x] Regression (a behavior that stopped working in a new release)
[ ] Bug report
[ ] Performance issue
[ ] Documentation issue or request

Current behavior

I have a “middle man” between my app and squidex (using YARP in a .NET backend) which takes care of retrieving auth tokens for interacting with the Squidex API.

Today I noticed that I was getting 401 errors, and it seems an Squidex auth token that was working, stopped working (it hasn’t expired).

I have logic to get a new token when the old one expires, so it isn’t that it’s expired, it just seems to have stopped working.

Not sure if this is related, but I’ve noticed I’ve been prompted to log in when going to https://cloud.squidex.io/ today (on more than one occasion).

Expected behavior

The auth tokens continue to work until they expire.

Minimal reproduction of the problem

Not sure how to reproduce this one. I’ll keep an eye on it here, add some logging to my api to see if I can get something useful for debugging purposes.

Environment

App Name:

[ ] Self hosted with docker
[ ] Self hosted with IIS
[ ] Self hosted with other version
[x] Cloud version

Sebastian · July 28, 2023, 9:34am

Me too and I am not sure why it happened tbh. But in general you should not trust a token. Lets say we are hacked and have to deploy a fix with new private keys, then all token would become invalid.

jonhilt1 · July 28, 2023, 9:36am

OK, am I better to just request a new token for every call instead?

I implemented caching just to save making that additional request for every graphql call, but happy to try a different approach.

Here’s what I’m currently doing…

    public async ValueTask<string> GetToken()
    {
        if (_token == null || _expiry.BeforeOrEqualTo(DateTime.UtcNow))
        {
            _token = await RequestNewToken();
            _expiry = DateTime.UtcNow.AddSeconds(_token.expires_in);
            return _token.access_token;
        }

        return _token.access_token;
    }

Sebastian · July 28, 2023, 9:37am

No, this would kill performance. This is how I solve it in the SDK: https://github.com/Squidex/squidex-samples/blob/master/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/Utils/AuthenticatingHttpMessageHandler.cs

jonhilt1 · July 28, 2023, 9:39am

Got it, so try using the token, if it fails get a new one and try again (essentially)?

Sebastian · July 28, 2023, 4:55pm

Yes. I guess you could use this part of the SDK, if you want. There is also a method CreateClient() or so on the ISquidexClient class. Then you get a raw HttpClient with authentication and you could use that to implement your reverse proxy. Not sure if it helps with YARP.

jonhilt1 · July 31, 2023, 1:05pm

Thanks,

This actually made me realise YARP was a bit overkill for what I’m doing here, so I just wrote a little bit of code to handle it myself, and adopted a similar approach as in the example you shared, to fetch a new token if the old one stops working for any reason.

Thanks for the nudge in the right direction

Sebastian · July 31, 2023, 1:07pm

I have also built a simple proxy in node:

github.com

Squidex/squidex-samples/blob/master/node/proxy/app.ts

import axios, { AxiosResponse } from 'axios';
import express from 'express';
import qs from 'qs';
import { addToCache, computeCacheKey, getFromCache, purgeBySurrogateKey } from './cache';
import config from './config';
import morgan from 'morgan';

const app = express();

let token: string | null = '';

async function acquireToken() {
    if (token) {
        return token;
    }

    try {
        const response = await axios.post(`${config.squidex.url}/identity-server/connect/token`, qs.stringify({
            grant_type: 'client_credentials',
            client_id: config.squidex.clientId,

This file has been truncated. show original

Just for demo purposes.

Gideon_van_der_Merwe · August 7, 2023, 12:39pm

@Sebastian
I am having the exact same issue.

We request new tokens when the old expired, however, we get 401 responses back.

It was working fine till about a week or 2 ago.

We are using the cloud version of Squidex.

When we open an ingocnito window and clear application caches, it works fine, however, if we use a token that was issued before, but has not expired yet, it fails.

Is there anything we can do?

Gideon_van_der_Merwe · August 7, 2023, 12:43pm

Should we perhaps create a new client instead of using the old client that we used before?

Sebastian · August 7, 2023, 12:51pm

I can only give the same answer as above…

Gideon_van_der_Merwe · August 7, 2023, 2:34pm

Ok thanks @Sebastian, I added a second check that, even if the token is not expired yet, if it comes back with a 401 status, then I ask for a new token again.

This seems to work.

Thanks