OAuth2 Tokens from providers that don't provide an expiry date are incorrectly expired on first use

Bug #1316021 reported by James Henstridge
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Online Accounts: OAuth2 plug-in | In Progress | Medium | auto-accounts-sso-devel | |
| signon-plugin-oauth2 (Ubuntu) | Fix Released | Undecided | Alberto Mardegan | |

Bug Description

I've been trying to use the Online Accounts system to manage log in to the SoundCloud web site, and hit a problem: I can sign in without problem through the control panel, but when I try to retrieve the token via libsignon-glib, I get an error and the account is marked as signed out.

Looking at the syslog chatter from signond, it apparently decides that the token has expired:

    May 5 14:11:50 scruffy signonpluginprocess[7357]: oauth2plugin.cpp 206 respondWithStoredToken : Stored token is expired

This was a bit surprising, since SoundCloud says their tokens are not set to expire. Looking further back to where the token was stored, I see:

    May 5 14:10:03 scruffy signonpluginprocess[7263]: oauth2plugin.cpp 631 storeResponse : QMap(("REDACTED_CLIENTID", QVariant(QVariantMap, QMap(("Expiry", QVariant(int, 0) ) ( "Scopes" , QVariant(QStringList, ("non-expiring") ) ) ( "Token" , QVariant(QString, "REDACTED_TOKEN") ) ( "refresh_token" , QVariant(QString, "") ) ( "timestamp" , QVariant(uint, 1399270203) ) ) ) ) )

In particular, Expiry==0. This seems to be the code where the expiry is set, where it reads the "expires_in" property from the response JSON:

    http://code.google.com/p/accounts-sso/source/browse/src/oauth2plugin.cpp?repo=signon-plugin-oauth2#444

However, looking at the SoundCloud HTTP API reference, it isn't sending this in their JSON response:

    http://developers.soundcloud.com/docs/api/reference#token

It looks like this method needs to check whether expires_in is actually included in the JSON response.
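The failure mode described in this report, as an added example that is not part of the original report and is not the plug-in's code: a plain C++ model of storing a token when the response has no "expires_in", next to a variant that records a lifetime only when one is present and positive. The `Response` map, the `StoredToken` struct, the function names and the expiry comparison are assumptions made for illustration; the timestamps are taken from the two log lines above (stored at 1399270203, read back 107 seconds later).

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for a parsed token response (numeric fields only).
using Response = std::map<std::string, long>;

struct StoredToken {
    long timestamp;  // seconds since epoch when the token was stored
    long expiry;     // lifetime in seconds, meaningful only if hasExpiry
    bool hasExpiry;  // false when no usable expires_in was received
};

// Behaviour matching the report: an absent expires_in ends up stored as 0.
StoredToken storeNaive(const Response &r, long now) {
    auto it = r.find("expires_in");
    long expiry = (it != r.end()) ? it->second : 0;
    return StoredToken{now, expiry, true};
}

// Checked variant: keep a lifetime only if the field exists and is positive.
StoredToken storeChecked(const Response &r, long now) {
    auto it = r.find("expires_in");
    if (it != r.end() && it->second > 0)
        return StoredToken{now, it->second, true};
    return StoredToken{now, 0, false};
}

// Assumed expiry test: a token with no stated lifetime is never expired
// locally; the provider rejecting it is the only signal that it is dead.
bool isExpired(const StoredToken &t, long now) {
    if (!t.hasExpiry) return false;
    return now >= t.timestamp + t.expiry;
}

int main() {
    const long stored = 1399270203;  // "timestamp" from the storeResponse log
    const long readBack = stored + 107;  // 14:10:03 -> 14:11:50
    Response noExpiry;                   // constructed: no expires_in field
    Response oneHour;                    // constructed: provider sends 3600
    oneHour["expires_in"] = 3600L;
    std::cout << "naive, no expires_in:   "
              << isExpired(storeNaive(noExpiry, stored), readBack) << "\n";
    std::cout << "checked, no expires_in: "
              << isExpired(storeChecked(noExpiry, stored), readBack) << "\n";
    std::cout << "checked, 3600 s, later: "
              << isExpired(storeChecked(oneHour, stored), stored + 3600) << "\n";
    return 0;
}
```

The checked variant still expires tokens from providers that do send a positive "expires_in", so the change only affects responses where the field is missing or non-positive.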

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in signon-plugin-oauth2 (Ubuntu):
status: New → Confirmed
James Henstridge (jamesh) wrote :

I gave mardy's branch a go with my test program and soundcloud provider XML, and was able to successfully retrieve the access token without any notifications about being logged out. So I guess that's a +1 from me.

Alberto Mardegan (mardy)
Changed in signon-plugin-oauth2:
status: New → In Progress
importance: Undecided → Medium
Changed in signon-plugin-oauth2 (Ubuntu):
assignee: nobody → Alberto Mardegan (mardy)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package signon-plugin-oauth2 - 0.19+14.10.20140513-0ubuntu1

---------------
signon-plugin-oauth2 (0.19+14.10.20140513-0ubuntu1) utopic; urgency=low

  [ Ubuntu daily release ]
  * New rebuild forced

  [ Alberto Mardegan ]
  * Do not store invalid expiration times (LP: #1316021)
 -- Ubuntu daily release <email address hidden> Tue, 13 May 2014 07:07:20 +0000

Changed in signon-plugin-oauth2 (Ubuntu):
status: Confirmed → Fix Released