Active IQ and AutoSupport Discussions

refresh token

jhammer
8,952 Views

Hi,

 

I have a Python script that runs once a day and its job is to download a new refresh token from aiq.netapp.com.

This works great for one week but then it fails and I'm required to manually download a new refresh token. Then I can run the script for another week before I need to manually download it again.

I know that a refresh token is valid for 1 week, but as the script updates the token daily I do indeed have a fresh token that should work.

I have verified that the refresh token that the script receives is different from the previous one, so it does its job correctly.

Anyone have any idea why I experience this problem?

/Johan

   

1 ACCEPTED SOLUTION

jhammer
8,806 Views

Hi elementx,

I got a reply from bretta that this is normal behaviour, so I have to download the refresh token manually once a week.

Best regards,

Johan

 


14 REPLIES 14

bretta
8,919 Views

This is how it was designed for personal tokens. As you can guess, this has to do with security best practices. Imagine that a user's token was compromised. If it could be renewed indefinitely, that increases the scope and danger of the security breach.

elementx
8,861 Views

This is how it was designed for personal tokens.

 

Where is that behavior documented?

jhammer
8,806 Views

Hi Bretta,

Ok, I understand.  Thanks for clarifying. 🙂 

The documentation is not very clear about the behaviour.  

Best regards,

Johan

elementx
8,803 Views

That's my point - if it's not clear or if it's assumed, then it's a (documentation) bug.

 

I still think that the answer is not correct (i.e. there may be a problem with your script).

When I last tried - but that was a while ago (I shot a PowerShell demo with AIQ, it's on YouTube) - I'd rotate my token and it worked. 

jhammer
8,794 Views

Hi,

This is my script. Hope you find something wrong with it. 🙂

/Johan


```python
import http.client
import json


def open_refresh_token(refresh_token_file):
    # Read the current refresh token (first line of the file)
    with open(refresh_token_file, "r") as file:
        return file.readline().strip()


def save_new_refresh_token(new_refresh_token, refresh_token_file):
    # Overwrite the file with the newly issued refresh token
    with open(refresh_token_file, "w") as file:
        file.write(new_refresh_token)


def get_new_refresh_token(refresh_token):
    conn = http.client.HTTPSConnection("api.activeiq.netapp.com")
    conn_data = json.dumps({"refresh_token": refresh_token})
    headers = {"content-type": "application/json", "accept": "application/json"}

    conn.request("POST", "/v1/tokens/accessToken", conn_data, headers)

    # get the response from the HTTPS request
    res = conn.getresponse()
    body = res.read().decode("utf-8")
    conn.close()

    if res.status != 200:
        # Stop here so the saved refresh token is not overwritten with bad data
        raise RuntimeError(
            "Could not get new token data based on current refresh token: "
            f"{res.status} {res.reason}"
        )

    conn_data = json.loads(body)

    new_access_key = conn_data["access_token"]
    new_refresh_key = conn_data["refresh_token"]
    return new_access_key, new_refresh_key


def main():
    refresh_token_file = "c:/users/sejha/Downloads/refresh-token.txt"

    refresh_token = open_refresh_token(refresh_token_file)
    new_access_token, new_refresh_token = get_new_refresh_token(refresh_token)
    save_new_refresh_token(new_refresh_token, refresh_token_file)


main()
```

elementx
8,789 Views

You could try a newly obtained refresh-token.txt in a new script to see if it works elsewhere i.e. if the token itself is valid.

 

https://docs.netapp.com/us-en/active-iq/task_generate_tokens_API_services.html

 

  • When obtained programmatically, tokens always come in sets of two: An Access Token and a Refresh Token. The Access Token must be passed to successfully use all APIs (except for one - the Refresh Token is used to programmatically obtain a new set of tokens).

  • On the Main API Services page, click Generate Token to view and download the access token and refresh token to invoke APIs.

  • You should download and save the access token and refresh token for later use. Access tokens expire one hour after generation and refresh tokens expire after seven days. The refresh token used in this API call will be invalidated after a new refresh token is generated.

It appears to me that a new refresh token is good as long as it's refreshed before 7 days.

It doesn't say that tokens must be generated from https://activeiq.netapp.com/api Generate Tokens.

 

With your code I get an error, maybe due to poor formatting (indentation, etc.) on my side:

 

from token import EXACT_TOKEN_TYPES
ImportError: cannot import name 'EXACT_TOKEN_TYPES' from 'token' (/tmp/token.py)

 

To save time I used the example from https://activeiq.netapp.com/catalog/internal/api-reference/activeiq-public/access-token (Python, right-hand side, copied below) and with this repeated runs returned new access_token and refresh_token on each run.

 

Then I'd replace my refresh_token with the one from last response and run again and was able to refresh it again. I can't fast-forward 7 days to see if it'd still work that way, but again, the documentation does not say that one loses the ability to refresh tokens after 7 days, it only says that they should be refreshed within 7 days.

 

You can try the same to test if your `refresh_token` is usable. 

 

EDIT: when I tried to save this post, I got an error about invalid HTML code in my post which was "automatically removed" - great, maybe the script below has been crippled now - so better get it from the URL above than copy this sample.

 

```python
#!/usr/bin/python3
import http.client

conn = http.client.HTTPSConnection("api.activeiq.netapp.com")

# Truncated refresh token, as posted
payload = "{\"refresh_token\":\"ey...rA\"}"

headers = {
    'content-type': "application/json",
    'accept': "application/json"
}

conn.request("POST", "/v1/tokens/accessToken", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

 

jhammer
8,781 Views

I have to wait until Wednesday this week before I will receive a refresh token that will fail. (I manually downloaded a refresh key last Wednesday.) I can run my script as many times as I want during one week and it works perfectly. Each time the script will replace the existing refresh token with the new one, but as soon as 7 days have passed since the last manual download it fails. If this is the expected behaviour it would be good if the documentation is updated.

 

elementx
8,779 Views

All right. Let us know how it goes.

 

You may submit an issue (request for documentation enhancement) by yourself if you have a Github account

- Go to https://docs.netapp.com/us-en/active-iq/task_generate_tokens_API_services.html

- In top right corner, click on "Request doc changes" which will take you to Github where you can propose a better explanation, or simply ask for a clarification and let them brainstorm how to make it better

 

jhammer
8,768 Views

I have now submitted an issue on Github.

Thanks for your help!

/Johan

elementx
8,865 Views

If you posted your script we could reason about it, but since you haven't, we can only speculate (which I won't do).

So I'll just say I'd try the refreshed token from a different script  or with just curl to see if it really works. If it does, then you need to fix your script.

 

 

 

elementx
8,550 Views

Hi @jhammer - okay, well at least we got to the bottom of this.

 

I still think it's a bug in documentation and leaving the current wording in place will continue to confuse users.

 

I get my other API tokens from various API providers and three providers I use often issue tokens that last forever (literally, I get tokens that never expire and I use that duration for a token that's "Read Only" - I use that one in Postman to examine data structures returned by the API), so in my mind unusually short duration should be clearly explained in the API docs, which it currently is not.

jhammer
8,526 Views

Hi  @elementx 

I fully agree. About a week ago I did a request on github to get the documentation updated so hopefully it will be done soon.  

jhammer
8,319 Views

Hi,

@elementx  @bretta 

The documentation has now been updated and according to this clarification one should be able to get a new refresh key programmatically for 90 days before one has to manually download a refresh key. In my case I can only get a new refresh key for 7 days so something is wrong.

     

------------------------

You should download and save the access token and refresh token for later use. Access tokens expire one hour after generation and refresh tokens should be regenerated every 7 days and installed in the application. After 90 days, you will need to manually login and obtain a new access and refresh token

------------------------------
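An added example, not part of any post in this thread and not NetApp's code: because the refresh token sent in a call is invalidated once a new one is issued, a rotation job should swap the stored token atomically and track how long ago the last manual download was, so it can report the remaining time before a manual login is required. The state-file layout, the `exchange` callable (a hypothetical wrapper around the POST to `/v1/tokens/accessToken`) and the `max_session` parameter are assumptions; its default of 90 days comes from the updated documentation quoted above, while the poster observed 7.

```python
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

REFRESH_TTL = timedelta(days=7)  # refresh-token lifetime quoted from the docs above

def save_state(path, state):
    """Write to a temp file in the same directory, then rename over the old file.
    The previous refresh token is invalidated once a new one is issued, so a
    truncated file would leave no usable token."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))  # 0600 on POSIX
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic swap of old state for new
    except BaseException:
        os.unlink(tmp)
        raise

def rotate(path, exchange, now, max_session=timedelta(days=90)):
    """Rotate the stored token; return (access_token, days until manual login).
    exchange(refresh_token) -> (access_token, refresh_token) is a hypothetical
    callable wrapping the POST to /v1/tokens/accessToken."""
    with open(path) as fh:
        state = json.load(fh)
    manual = datetime.fromisoformat(state["manual_download"])
    if now >= manual + max_session:
        raise RuntimeError("session limit reached: download a new token manually")
    if now >= datetime.fromisoformat(state["issued"]) + REFRESH_TTL:
        raise RuntimeError("stored refresh token is older than 7 days")
    access, refresh = exchange(state["refresh_token"])
    state.update(refresh_token=refresh, issued=now.isoformat())
    save_state(path, state)
    return access, (manual + max_session - now).days

def demo():
    """Constructed run: fake exchange, token manually downloaded 2024-01-01."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    path = os.path.join(tempfile.mkdtemp(), "aiq-token.json")
    save_state(path, {"refresh_token": "constructed-r0", "issued": t0.isoformat(),
                      "manual_download": t0.isoformat()})
    fake = lambda old: ("constructed-access", old + "+1")
    return [rotate(path, fake, t0 + timedelta(days=d))[1] for d in (1, 6, 12)]

if __name__ == "__main__":
    print(demo())
```

Passing `max_session=timedelta(days=7)` models the behaviour the original poster reported, so the job fails with a clear message before the API call instead of with an HTTP error.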
