tableau / connector-plugin-sdk

SDK for Developing Tableau Connector Plugins

Home Page: https://tableau.github.io/connector-plugin-sdk/

[BUG] external/custom OAuth config does not work on Tableau Server

xsgao-github opened this issue

About You:
Name: Song Gao
Company: Starburst Data

Your question:

We added external/custom OAuth config support based on the doc https://tableau.github.io/connector-plugin-sdk/docs/oauth. It works in Tableau Desktop and on Tableau Server (2023.1.2) when selecting embedded/default OAuth Config Id. However, if I select an external/custom OAuth config id, it errors out with the following message:

Can’t connect to Starburst Enterprise by Starburst
Detailed Error Message
Tableau detected that your OAuth refresh token is expired. Reauthenticate with new credentials. Ask your Tableau admin if you need help.
Unable to connect to the Starburst Enterprise by Starburst server "sgaoatstarburst-sample.trino.galaxy-dev.io". Check that the server is running and that you have access privileges to the requested database.

In the nativeapi_vizqlserver... log, I can see this message:

{"ts":"2023-06-27T18:12:18.200","pid":22860,"tid":"5d34","sev":"warn","req":"ZJsmglPGyJ-x31e-o1esWAAAAdg","sess":"833A2DF8CDEB47A5BDE5FC8E9DE1EF7E-1:0","site":"song","user":"sgao","k":"msg","v":"OAuthConfig with id custom_galaxydev does not exist, returning an empty one by default"}
...
{"ts":"2023-06-27T18:12:18.200","pid":22860,"tid":"5d34","sev":"info","req":"ZJsmglPGyJ-x31e-o1esWAAAAdg","sess":"833A2DF8CDEB47A5BDE5FC8E9DE1EF7E-1:0","site":"song","user":"sgao","k":"connect-using-keychain","v":{"xml":"<validate-connection><connection ACCESSTOKEN='********' CLIENTID='********' CLIENTSECRET='********' REFRESHTOKEN='********' access-token-expires-in='600' authentication='oauth' class='trino_jdbc' id-token='********' name='trino_jdbc.1mwts9u0i7r5q712cif9v0b41zjt' oauth-client='server-custom' oauth-config-id='custom_galaxydev' port='443' server='104.18.18.186' server-oauth='server-custom' sslmode='require' username='song.gao@starburstdata.com' v-role='' vendor1='FULL' /><matches>"}}
...
{"ts":"2023-06-27T18:12:19.299","pid":22860,"tid":"5d34","sev":"warn","req":"ZJsmglPGyJ-x31e-o1esWAAAAdg","sess":"833A2DF8CDEB47A5BDE5FC8E9DE1EF7E-1:0","site":"song","user":"sgao","k":"excp","e":{"excp-error-code":"0x0A5B1BDC","excp-source":"System","excp-status-code":"INTERNAL"},"v":{"class":"","connectivity_stage":"ConnectivityStage::Unknown","dse-type":"Unknown","excp-msg":"Unknown error: Unsuccessful attempt to refresh the access token (code=13)\n","excp-type":"ConnectivityException","is-bad-request":false,"is-capability-probe-failure":false,"is-local-configuration-error":false,"is-remote-configuration-error":false,"msg":"ConnectivityException::Init","server_version":"","sql_state":""}}

Seems like Tableau Server was able to get tokens from Galaxy but it eventually failed.

To eliminate other factors, I use the same OAuth configuration file, except that they use a different oauthConfigId (the embedded one is galaxydev, the external one is custom_galaxydev).

And I used the same Client ID and Redirect URL when configuring them.

I used Fiddler to track the requests/responses between the web client and Tableau Server, and I can tell there is no problem with calling the authorization URL and the callback/redirect URL. The error happened when Tableau Server talked to the Galaxy server via the token URL - I saw two calls (same as I saw in Tableau Desktop), but I wasn't able to decrypt the messages or tell why Tableau Server failed.

Would you please help us with this issue?

Internal tracking: W-13667623

This is related to #1148, which has a Fiddler log showing why there is a 401 error/OAuth refresh token is expired error.

The log message "OAuthConfig with id custom_galaxydev does not exist" is misleading. We have two locations where those are stored, and one location didn't find it. This is expected for the custom IDP case. Based on our other discussions this was from a single use refresh token issue. We don't support those yet.

OAuthConfig with id custom_galaxydev does not exist is just a msg.

The error is Unknown error: Unsuccessful attempt to refresh the access token (code=13), and that caused the front-end error.

This error is very similar to what I reported in #1148 - the error happens because Tableau Prep Builder uses an expired refresh_token. Would you please take a look at Tableau Server as well to make sure this will be addressed?
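
The single-use refresh token behaviour named in the thread as the cause can be reproduced in miniature. The following is an added example, not code from Tableau, Starburst or the SDK: `RotatingTokenServer`, `Client` and `two_refreshes` are hypothetical names, and the server is a constructed in-memory simulation of an identity provider that rotates the refresh token on every use.

```python
import secrets


class RotatingTokenServer:
    """Constructed stand-in for an IdP that issues single-use refresh tokens."""

    def __init__(self):
        self._live_refresh = set()  # refresh tokens that may still be redeemed

    def issue(self):
        """Initial grant: hand out an access/refresh token pair."""
        refresh = secrets.token_urlsafe(16)
        self._live_refresh.add(refresh)
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh,
                "expires_in": 600}  # same lifetime as in the log above

    def refresh(self, refresh_token):
        """Redeem a refresh token once; any later use of it is rejected."""
        if refresh_token not in self._live_refresh:
            return {"error": "invalid_grant"}
        self._live_refresh.discard(refresh_token)  # single use: burn it
        return self.issue()                        # rotated pair


class Client:
    """OAuth client; persist_rotation controls whether it saves the rotated token."""

    def __init__(self, server, persist_rotation):
        self.server = server
        self.persist_rotation = persist_rotation
        self.tokens = server.issue()

    def refresh(self):
        resp = self.server.refresh(self.tokens["refresh_token"])
        if "error" in resp:
            return resp["error"]
        self.tokens["access_token"] = resp["access_token"]
        if self.persist_rotation:
            # A client that supports rotation must replace the stored token.
            self.tokens["refresh_token"] = resp["refresh_token"]
        return "ok"


def two_refreshes(persist_rotation):
    """Run two consecutive refresh attempts against a fresh simulated server."""
    client = Client(RotatingTokenServer(), persist_rotation)
    return [client.refresh(), client.refresh()]


if __name__ == "__main__":
    print("keeps rotated token:", two_refreshes(True))   # ['ok', 'ok']
    print("reuses first token :", two_refreshes(False))  # ['ok', 'invalid_grant']
```

A client that keeps presenting the first refresh token succeeds once and is rejected on the next attempt, which surfaces to the user as an expired refresh token.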