box / box-windows-sdk-v2

Windows SDK for v2 of the Box API. The SDK is built upon .NET Framework 4.5.

Home Page: https://developer.box.com


Support for automatic access token renewal for JWT

tstojecki opened this issue · comments

  • I have checked that the SDK documentation doesn't solve my issue.
  • I have checked that the API documentation doesn't solve my issue.
  • I have searched the Box Developer Forums and my issue isn't already reported (or if it has been reported, I have attached a link to it, for reference).
  • I have searched Issues in this repo and my issue isn't already reported.

Description of the Issue

Just looking for some clarification and maybe an improvement to how the SDK handles this scenario at the moment.
Is the automatic Access Token renewal supported for JWT by this SDK?

https://developer.box.com/guides/authentication/access-tokens/refresh/

Despite what is being said there, it appears that the refresh token is never returned in a JWT auth:

POST https://api.box.com/oauth2/token
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
assertion=...

As a result, when an initial token expires (~60 min)
new BoxJWTAuth(config).AdminToken()
the SDK ends up calling RetryExpiredTokenRequest -> RefreshAccessTokenAsync(string accessToken) just to throw ArgumentException: Refresh token cannot be null or empty exception.

Is that by design?

Steps to Reproduce

  1. Follow instructions from readme for JWT Auth https://github.com/box/box-windows-sdk-v2/blob/master/docs/authentication.md#server-auth-with-jwt
  2. Wait for token expiration (60 min)
  3. See error

Expected Behavior

Clarify in developer docs and in readme that JWT Auth doesn't support auto renewal of access tokens. Redesign so that there is some notion of auth methods that support refresh and the ones that don't. Do not attempt to retry with refresh when not supported by an auth method.

@tstojecki What version of the SDK are you using? Our SDKs handle token renewal.

@sujaygarlanka we're using v3.25.0 Box.V2.Core

Based on your reply, can you point out where in the SDK the refresh token is being first obtained when using the JWT Auth? As I said earlier, we're calling
new BoxJWTAuth(config).AdminToken()
which ends up making a POST to https://api.box.com/oauth2/token with the assertion and client parameters. While that will return an access token, it never returns a refresh token. As a result, when it is time to handle the expired token, the SDK runs into an ArgumentException inside
RefreshAccessTokenAsync(string accessToken)

commented

This issue has been automatically marked as stale because it has not been updated in the last 30 days. It will be closed if no further activity occurs within the next 7 days. Feel free to reach out or mention a Box SDK team member for further help and resources if they are needed.

commented

This issue has been automatically closed due to maximum period of being stale. Thank you for your contribution to Box .NET SDK and feel free to open another PR/issue at any time.
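
An added example, not part of the thread and not the SDK's own code: one way a caller can handle the situation the issue describes, where the JWT grant yields an access token but no refresh token, by minting a new token from a fresh assertion shortly before expiry instead of attempting a refresh. `RemintingTokenCache`, its parameters and the configured lifetime are hypothetical; the mint delegate is assumed to wrap the `new BoxJWTAuth(config).AdminToken()` call quoted above.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper (not part of Box.V2): caches a token obtained from a grant
// that has no refresh token and mints a new one shortly before the old one expires.
public sealed class RemintingTokenCache
{
    private readonly Func<Task<string>> _mint;   // assumed: wraps new BoxJWTAuth(config).AdminToken()
    private readonly TimeSpan _lifetime;         // assumed lifetime (~60 min per the issue)
    private readonly TimeSpan _skew;             // renew this long before expiry
    private readonly Func<DateTimeOffset> _now;  // injectable clock so expiry can be tested
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private string _token;                       // never log this value
    private DateTimeOffset _expiresAt;           // default is MinValue, so the first call mints

    public RemintingTokenCache(Func<Task<string>> mint, TimeSpan lifetime,
                               TimeSpan skew, Func<DateTimeOffset> now = null)
    {
        if (mint == null) throw new ArgumentNullException(nameof(mint));
        if (skew >= lifetime) throw new ArgumentException("skew must be shorter than lifetime");
        _mint = mint;
        _lifetime = lifetime;
        _skew = skew;
        _now = now ?? (() => DateTimeOffset.UtcNow);
    }

    // forceRenew: pass true after an API call is rejected as unauthorized while
    // the cached token still looks valid (for example, it was revoked server-side).
    public async Task<string> GetTokenAsync(bool forceRenew = false)
    {
        await _gate.WaitAsync().ConfigureAwait(false);   // one mint at a time
        try
        {
            if (forceRenew || _token == null || _now() + _skew >= _expiresAt)
            {
                var issuedAt = _now();                   // stamp before the network call
                var fresh = await _mint().ConfigureAwait(false);
                if (string.IsNullOrEmpty(fresh))
                    throw new InvalidOperationException("Token endpoint returned no access token.");
                _token = fresh;
                _expiresAt = issuedAt + _lifetime;
            }
            return _token;
        }
        finally { _gate.Release(); }
    }
}
```

If the mint delegate throws, the previous token and expiry are left untouched and the exception reaches the caller, so a failed renewal is never mistaken for a valid token.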