Token expiration and the token verification API

Since the client grant doesn't support transparent reauthentication once a token has expired, I'm looking into handling it myself. I currently get tokens that are valid for 24h. Is there a way to invalidate a token, so the next API request would act as if the token had expired normally? I was looking at the token API and called

DELETE /api/v2/tokens/me

In my test, the next operation I run is HEAD /api/v2/tokens. It threw an ApiException as expected, but it has an empty ErrorContent.

When I run any other operation, even on the tokens API (e.g. GET /api/v2/tokens/me), I'm getting something along these lines as ErrorContent:

{"message":"No authentication bearer token specified in authorization header.","code":"authentication.required","status":401,"contextId":"461652bf-89b0-4db6-9d99-32bf0fb36577","details":[],"errors":[]}

If I modify the access token, I'm getting the same behavior. Why is there no structured error from the token verification API?

Your app should just look for a 401 response from any API request. All endpoints (that require authorization) will return a 401 when the auth token isn't valid for any reason. Expired tokens, malformed tokens, and missing tokens are all treated the same: 401 unauthorized.

Only successful responses are deserialized in the SDKs. You can use the extended variety of the functions to inspect the raw response body and deserialize it to ErrorBody. In your case, the function would be HeadTokensMeWithHttpInfo().

Should HeadTokensMe also return a 401? It does on the network layer, but on the exception there's no indication it's a 401.

If you're not using the extended functions, look at the ErrorCode property on the ApiException to get the status code.

That's just it... for HEAD /api/v2/tokens/me, there's no response. Here's the raw response from the wire.

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Content-Length: 201
Connection: keep-alive
Date: Thu, 05 Oct 2023 16:53:31 GMT
ININ-Correlation-Id: ad20d32b-e062-41e1-bcc5-cc5484569b02
Strict-Transport-Security: max-age=600; includeSubDomains
Cache-Control: no-cache, no-store, must-revalidate
X-Cache: Error from cloudfront
Via: 1.1 49039a44484a184312d8f608c205b640.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: ZRH55-P1
X-Amz-Cf-Id: bmFOmGM3Ir4YXfKCIJe7t2IkS7kteUUwuB6oQ0ddzSWqVniaIt6JwQ==

There's no body, just headers. So regardless of whether you call `HeadTokensMe` or `HeadTokensMeWithHttpInfo`, if you have no token or an invalid token, the ApiException's `ErrorContent` will be empty.

Can I ask what problem you're having? You shouldn't need anything other than the HTTP status code to identify a 401 response.
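The point made above, that a HEAD response legitimately carries no body and so the 401 has to be read from the status line rather than from a parsed error object, is illustrated below with an added example. This is constructed demonstration code, not code from the thread, from the Genesys SDK, or from the Platform API: the raw responses are built inline and modelled on the wire capture in the thread (the contextId is a zeroed placeholder), and the `parse_response`, `needs_reauth` and `call_with_reauth` helpers are hypothetical names introduced here. It also shows the one-retry reauthentication loop the original poster was asking about, in a language-neutral form.

```python
"""Detecting an auth failure from the status code, not the error body.

Constructed example (not the thread's or the SDK's code). A HEAD response
has no body even though it may advertise a Content-Length, so a client
that only treats a call as "unauthorized" when it can deserialize an
ErrorBody will miss the 401 on HEAD /api/v2/tokens/me.
"""
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed raw responses, modelled on the capture in the thread.
# Note the HEAD 401 advertises Content-Length: 201 but carries no body;
# that is the length a GET would have returned, not bytes on the wire.
HEAD_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 201\r\n"
    "\r\n"
)
GET_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"message":"No authentication bearer token specified in authorization header.",'
    '"code":"authentication.required","status":401,'
    '"contextId":"00000000-0000-0000-0000-000000000000",'  # placeholder, not a real id
    '"details":[],"errors":[]}'
)
GET_200 = 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"id":"me"}'


@dataclass
class Response:
    status: int
    headers: dict
    body: str
    error: Optional[dict] = None  # parsed ErrorBody, only when a JSON body was present


def parse_response(raw: str) -> Response:
    """Split a raw HTTP/1.1 response into status, headers and (optional) body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    error = None
    # Only attempt to deserialize an ErrorBody when there is actually a body.
    if body and status >= 400 and "application/json" in headers.get("content-type", ""):
        try:
            error = json.loads(body)
        except json.JSONDecodeError:
            error = None
    return Response(status, headers, body, error)


def needs_reauth(resp: Response) -> bool:
    """True when the bearer token was rejected for any reason.

    The status code is the authoritative signal; expired, malformed and
    missing tokens all come back as 401, with or without a body.
    """
    return resp.status == 401


def describe_failure(resp: Response) -> str:
    """Human-readable summary that degrades gracefully when no body exists."""
    if resp.error and "code" in resp.error:
        return f"{resp.status} {resp.error['code']}"
    return f"{resp.status} (no error body)"


def call_with_reauth(do_call: Callable[[], Response],
                     refresh_token: Callable[[], None]) -> Response:
    """Run do_call(); on a 401, refresh the token once and retry exactly once.

    A single retry avoids hammering the token endpoint when the client
    credentials themselves are bad: the second 401 is returned to the caller.
    """
    resp = do_call()
    if needs_reauth(resp):
        refresh_token()
        resp = do_call()
    return resp


if __name__ == "__main__":
    for raw in (HEAD_401, GET_401, GET_200):
        r = parse_response(raw)
        print(f"reauth={needs_reauth(r)!s:5} {describe_failure(r)}")
```

The same rule applies to the SDK: read the status from `ApiException.ErrorCode` (or the `WithHttpInfo` variant's status code) and treat the deserialized `ErrorContent` as optional extra detail, never as the thing that decides whether the token is still good.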

Ugh.. I must be needing a break. I mixed up ErrorCode and ErrorContent. :man_facepalming: ErrorCode indeed contains the 401 even on the HEAD API call.

Haha no worries. Let this serve as an official Developer's Note you can give to your boss to take some PTO. :slight_smile: The weekend is almost here!
