Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oauth2: Duplicate requests to /oauth2/token cause 500 #828

Closed
jshearer opened this issue Apr 27, 2018 · 2 comments
Closed

oauth2: Duplicate requests to /oauth2/token cause 500 #828

jshearer opened this issue Apr 27, 2018 · 2 comments
Labels
bug Something is not working.
Milestone
1.0.0-alpha.1

Comments

@jshearer
Copy link

When writing a client that interacts with Hydra, I accidentally made 2 requests to exchange my authorization code for a refresh/access/id token instead of just one. One of the requests (not always the second -- I suspect this has something to do with database racing or something?) will 500 while the other will happily return the correct info.

The exception is here:

github.com/ory/hydra/vendor/github.com/ory/fosite/handler/oauth2.(*AuthorizeExplicitGrantHandler).PopulateTokenEndpointResponse
	/go/src/github.com/ory/hydra/vendor/github.com/ory/fosite/handler/oauth2/flow_authorize_code_token.go:113
github.com/ory/hydra/vendor/github.com/ory/fosite.(*Fosite).NewAccessResponse
	/go/src/github.com/ory/hydra/vendor/github.com/ory/fosite/access_response_writer.go:36
github.com/ory/hydra/oauth2.(*Handler).TokenHandler
	/go/src/github.com/ory/hydra/oauth2/handler.go:380
github.com/ory/hydra/oauth2.(*Handler).TokenHandler-fm
	/go/src/github.com/ory/hydra/oauth2/handler.go:118
github.com/ory/hydra/vendor/github.com/julienschmidt/httprouter.(*Router).ServeHTTP
	/go/src/github.com/ory/hydra/vendor/github.com/julienschmidt/httprouter/router.go:299
github.com/ory/hydra/vendor/github.com/urfave/negroni.Wrap.func1
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:41
github.com/ory/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:24
github.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
github.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:1918
github.com/ory/hydra/cmd/server.(*Handler).rejectInsecureRequests
	/go/src/github.com/ory/hydra/cmd/server/handler.go:205
github.com/ory/hydra/cmd/server.(*Handler).(github.com/ory/hydra/cmd/server.rejectInsecureRequests)-fm
	/go/src/github.com/ory/hydra/cmd/server/handler.go:113
github.com/ory/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:24
github.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
github.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
github.com/ory/hydra/vendor/github.com/meatballhat/negroni-logrus.(*Middleware).ServeHTTP
	/go/src/github.com/ory/hydra/vendor/github.com/meatballhat/negroni-logrus/middleware.go:136
github.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
github.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
github.com/ory/hydra/metrics.(*MetricsManager).ServeHTTP
	/go/src/github.com/ory/hydra/metrics/middleware.go:172
github.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
github.com/ory/hydra/vendor/github.com/urfave/negroni.(*Negroni).ServeHTTP
	/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:73
github.com/ory/hydra/vendor/github.com/rs/cors.(*Cors).Handler.func1
	/go/src/github.com/ory/hydra/vendor/github.com/rs/cors/cors.go:200
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:1918
github.com/ory/hydra/vendor/github.com/gorilla/context.ClearHandler.func1
	/go/src/github.com/ory/hydra/vendor/github.com/gorilla/context/context.go:141
net/http.HandlerFunc.ServeHTTP
	/usr/local/go/src/net/http/server.go:1918
net/http.serverHandler.ServeHTTP
	/usr/local/go/src/net/http/server.go:2619
net/http.(*conn).serve
	/usr/local/go/src/net/http/server.go:1801
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:2337

Logs from around the event:

time="2018-04-27T01:35:39Z" level=info msg="started handling request" method=POST remote=8.41.64.211 request=/oauth2/token
time="2018-04-27T01:35:39Z" level=info msg="started handling request" method=POST remote=8.41.64.211 request=/oauth2/token
time="2018-04-27T01:35:39Z" level=error msg="An error occurred" debug=": not_found" error=server_error
time="2018-04-27T01:35:39Z" level=debug msg="Stack trace: \ngithub.com/ory/hydra/vendor/github.com/ory/fosite/handler/oauth2.(*AuthorizeExplicitGrantHandler).PopulateTokenEndpointResponse\n\t/go/src/github.com/ory/hydra/vendor/github.com/ory/fosite/handler/oauth2/flow_authorize_code_token.go:113\ngithub.com/ory/hydra/vendor/github.com/ory/fosite.(*Fosite).NewAccessResponse\n\t/go/src/github.com/ory/hydra/vendor/github.com/ory/fosite/access_response_writer.go:36\ngithub.com/ory/hydra/oauth2.(*Handler).TokenHandler\n\t/go/src/github.com/ory/hydra/oauth2/handler.go:380\ngithub.com/ory/hydra/oauth2.(*Handler).TokenHandler-fm\n\t/go/src/github.com/ory/hydra/oauth2/handler.go:118\ngithub.com/ory/hydra/vendor/github.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/julienschmidt/httprouter/router.go:299\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.Wrap.func1\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:41\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:24\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:1918\ngithub.com/ory/hydra/cmd/server.(*Handler).rejectInsecureRequests\n\t/go/src/github.com/ory/hydra/cmd/server/handler.go:205\ngithub.com/ory/hydra/cmd/server.(*Handler).(github.com/ory/hydra/cmd/server.rejectInsecureRequests)-fm\n\t/go/src/github.com/ory/hydra/cmd/server/handler.go:113\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:24\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33\ngithub.com/ory/hydra/vendor/github.com/meatballhat/negroni-logrus.(*Middleware).ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/meatballhat/negroni-logrus/middleware.go:136\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33\ngithub.com/ory/hydra/metrics.(*MetricsManager).ServeHTTP\n\t/go/src/github.com/ory/hydra/metrics/middleware.go:172\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33\ngithub.com/ory/hydra/vendor/github.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:73\ngithub.com/ory/hydra/vendor/github.com/rs/cors.(*Cors).Handler.func1\n\t/go/src/github.com/ory/hydra/vendor/github.com/rs/cors/cors.go:200\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:1918\ngithub.com/ory/hydra/vendor/github.com/gorilla/context.ClearHandler.func1\n\t/go/src/github.com/ory/hydra/vendor/github.com/gorilla/context/context.go:141\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:1918\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2619\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1801\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:2337"
time="2018-04-27T01:35:39Z" level=info msg="completed handling request" measure#https://<domain>.latency=529915858 method=POST remote=8.41.64.211 request=/oauth2/token status=500 text_status="Internal Server Error" took=529.915858ms
time="2018-04-27T01:35:40Z" level=info msg="completed handling request" measure#https://<domain>.latency=816992976 method=POST remote=8.41.64.211 request=/oauth2/token status=200 text_status=OK took=816.992976ms

This took a while to debug, but once I saw the duplicate requests, I knew that's what it had to be.

I guess this should be a 400 indicating that the authorization code has already been redeemed?
@aeneasr
Copy link
Member

aeneasr commented Apr 27, 2018

Thank you for reporting the issue, it should definitely be a 400 Bad Request response.

Which version are you on?

@aeneasr aeneasr added the bug Something is not working. label Apr 27, 2018
@aeneasr aeneasr added this to the 1.0.0-alpha.1 milestone Apr 27, 2018
@aeneasr aeneasr changed the title Duplicate requests to /oauth2/token cause 500 oauth2: Duplicate requests to /oauth2/token cause 500 May 20, 2018
@aeneasr
Copy link
Member

aeneasr commented May 20, 2018

This is resolved on master

@aeneasr aeneasr closed this as completed May 20, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something is not working.
Projects
None yet
Milestone
1.0.0-alpha.1
Development

No branches or pull requests
2 participants
@aeneasr @jshearer