Is there a limit on the number of simultaneously valid refresh tokens?

Posted 8 months ago by Alan Ritchie


We have experienced a sequence of token refresh failures across our environments over the last week.

All environments share the same account. Someone has to log in manually to obtain the first refresh token and paste it into the environment config; the pods in that environment will then refresh the token before it expires. We then manually log in to obtain a different token for the next environment.

At some point, the token failed to renew in one environment, and we manually replaced it.  That environment then refreshed the token successfully.  However, each environment subsequently also failed and also needed a new token.  

So it appears that it was not a single outage that caused all the environments to fail to refresh; one environment would fail while the others were successfully refreshing tokens. It may have been an intermittent issue, where over the course of the day most refreshes succeeded, but some failed.

Our concern is that we encountered a limit on the number of valid refresh tokens in issue, and each time we manually requested a new token to fix one environment, we were inadvertently invalidating the oldest refresh token, which was then breaking the token refresh in a different environment.

The reason for this concern is that a colleague and I both ran the cintoo-login-1.1.0-signed.exe several times, generating several new refresh tokens in quick succession, but the login exe was unable to listen on port 8100 to receive the token from the browser redirect.  So I fear that pushed some of the refresh tokens in our environments out of the list of valid tokens.

0 Votes


1 Comments


Olivier Beltrando posted 8 months ago

Hello Alan,

This is correct, there are 5 refresh tokens usable at the same time by each user (imagining that the user would connect to a few devices).

Since each token is personal (it uses the user permission to access resources), and since Cintoo does not put a limit to the number of users, we did not anticipate that the tokens of a single user would be shared among other users.

It would probably be beneficial for everyone to discuss this, and find appropriate solutions.

Would you mind describing your use case of the API?

Thanks in advance :)

0 Votes
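
The failure sequence discussed in this thread, as an added toy model that is not Cintoo's code and not part of either post. The limit of 5 comes from the reply; oldest-first invalidation, refreshes not consuming a new slot, and the environment names are assumptions.

```python
from collections import OrderedDict
from itertools import count

MAX_VALID = 5  # per-user limit stated in the reply above


class TokenStore:
    """One user's valid refresh tokens, oldest first.

    ASSUMPTIONS (not confirmed in the thread): issuing a token beyond the
    limit invalidates the oldest one, and a refresh does not use a new slot.
    """

    def __init__(self, limit=MAX_VALID):
        self.limit = limit
        self.valid = OrderedDict()  # token -> holder label
        self._ids = count(1)

    def login(self, holder):
        token = f"rt-{next(self._ids)}"  # constructed token id
        self.valid[token] = holder
        while len(self.valid) > self.limit:
            self.valid.popitem(last=False)  # drop the oldest token
        return token

    def refresh_ok(self, token):
        return token in self.valid


def simulate(envs, lost_logins):
    """Return (repairs in order, slots still held by uncaptured tokens)."""
    store = TokenStore()
    config = {env: store.login(env) for env in envs}  # one manual login per env
    for _ in range(lost_logins):
        store.login("lost")  # token issued, but the redirect was never received
    repairs = []
    for _ in range(len(envs) * 3):  # bound the loop: it may never settle
        failed = [e for e in envs if not store.refresh_ok(config[e])]
        if not failed:
            break
        config[failed[0]] = store.login(failed[0])  # operator pastes a new token
        repairs.append(failed[0])
    wasted = sum(1 for holder in store.valid.values() if holder == "lost")
    return repairs, wasted


if __name__ == "__main__":
    # Hypothetical environment names; three logins whose tokens were lost.
    print(simulate(["dev", "test", "staging", "prod"], lost_logins=3))
```

Under these assumptions, four environments plus three uncaptured logins make every environment fail once in turn, and one slot is still held by a token nobody has.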
