The backend has a 30-minute timeout for its internal sessions, and the lifetime of these sessions isn't extended when running queries, only when running other kinds of commands. When the session expires, the SSO token also expires. This means that long-running API programs that perform only queries will see their SSO tokens expire even if they are performing activity. This is, in my opinion, incorrect. The SSO token used to access the token should not expire if it was used recently, regardless of what it was used for.
The refresh flag of queries needs to be set/cleared depending on the type of client of the API: webadmin, user portal, or normal API client. This can't be determined by the API itself, so I am abandoning the patch and moving the bug back to the AAA component.
Tried with: rhevm-4.1.2.1-0.1.el7.noarch
The provided authorization grant for the auth code expires after UserSessionTimeOutInterval with a query to VMs every 20 seconds.

2017-05-10 17:06:30,861+03 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-1) [] User admin@internal successfully logged in with scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2017-05-10 17:07:04,795+03 INFO [org.ovirt.engine.api.restapi.security.CORSSupportFilter] (default task-2) [] CORS support is disabled.
2017-05-10 17:07:05,609+03 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-2) [71c8cd1] Running command: CreateUserSessionCommand internal: false.
2017-05-10 17:07:05,788+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-2) [71c8cd1] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 71c8cd1, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz logged in.
2017-05-10 17:08:46,914+03 INFO [org.ovirt.engine.core.sso.servlets.OAuthRevokeServlet] (default task-11) [] User admin@internal successfully logged out
2017-05-10 17:08:47,019+03 INFO [org.ovirt.engine.core.bll.aaa.TerminateSessionsForTokenCommand] (default task-12) [12274887] Running command: TerminateSessionsForTokenCommand internal: true.
2017-05-10 17:09:04,947+03 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-14) [] OAuthException invalid_grant: The provided authorization grant for the auth code has expired.
2017-05-10 17:09:04,958+03 ERROR [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default task-13) [] Cannot authenticate using authentication Headers: invalid_grant: The provided authorization grant for the auth code has expired.
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
Verified with: rhevm-4.1.3.1-0.1.el7.noarch
The provided authorization grant for the auth code does not expire after UserSessionTimeOutInterval with a query to VMs every 20 seconds.
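
The behaviour discussed in this thread, as an added illustration that is not part of the bug report and is not oVirt engine code: a simplified model of a session with a sliding 30 minute timeout, where commands always extend the lifetime and queries extend it only when a per-query refresh flag is set. The class, method and function names are hypothetical; the 30 minute timeout and the 20 second polling interval come from the comments above.

```python
from dataclasses import dataclass
from typing import Optional

SESSION_TIMEOUT = 30 * 60  # seconds; the 30 minute backend timeout from the report


@dataclass
class Backend:
    """Hypothetical model of a backend session with a sliding idle timeout."""
    last_refresh: float = 0.0

    def login(self, now: float) -> None:
        self.last_refresh = now

    def _alive(self, now: float) -> bool:
        return now - self.last_refresh < SESSION_TIMEOUT

    def command(self, now: float) -> bool:
        """Commands always extend the session lifetime."""
        if not self._alive(now):
            return False
        self.last_refresh = now
        return True

    def query(self, now: float, refresh: bool) -> bool:
        """Queries extend the lifetime only when the refresh flag is set."""
        if not self._alive(now):
            return False  # session gone, so the token is rejected as expired
        if refresh:
            self.last_refresh = now
        return True


def first_rejection(refresh: bool, interval: int = 20,
                    horizon: int = 4 * 60 * 60) -> Optional[int]:
    """Poll with queries every `interval` seconds after a login at t=0.

    Returns the time in seconds of the first rejected query, or None if the
    session survives the whole horizon.
    """
    backend = Backend()
    backend.login(0)
    for now in range(interval, horizon + 1, interval):
        if not backend.query(now, refresh):
            return now
    return None


if __name__ == "__main__":
    print("refresh flag cleared:", first_rejection(refresh=False))
    print("refresh flag set:    ", first_rejection(refresh=True))
```

With the flag cleared, a client that only polls is rejected exactly one timeout after login despite being continuously active; with the flag set, the same polling keeps the session alive.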