Bug 1889755 - Connection Test() fails with invalid_grant: The provided authorization grant for the auth code has expired.
Summary: Connection Test() fails with invalid_grant: The provided authorization grant ...
Alias: None
Product: ovirt-engine-sdk-go
Classification: oVirt
Component: Core
Version: ---
Hardware: Unspecified
OS: Unspecified
medium vote
Target Milestone: ovirt-4.4.3
: 4.4.3
Assignee: Eli Mesika
QA Contact: Lukas Svaty
Depends On:
Blocks: 1889787
TreeView+ depends on / blocked
Reported: 2020-10-20 14:14 UTC by Artur Socha
Modified: 2021-06-09 09:13 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2020-11-05 09:12:42 UTC
oVirt Team: Infra
sbonazzo: ovirt-4.4?

Attachments (Terms of Use)

Description Artur Socha 2020-10-20 14:14:25 UTC
Description of problem:
Execution of Test() method on Connection object[1] fails with invalid_grant error 
visible in the engine's logs: 

2020-10-20 15:51:42,295+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-34) [1ed6edb1] OAuthException invalid_grant: The provided authorization grant for the auth code has expired.

As the result each time new authentication request is sent.

How reproducible:

Steps to Reproduce:
1. Setup ovirt-engine
2. Build and run code according to instructions: [2]

[1] https://github.com/oVirt/go-ovirt/blob/2d1b618f0c3e9146926c7cf55ed2aae1e7110568/connection.go#L75
[2] https://gist.github.com/arso/1b4316cd5a6a069a0c5526fc330890f2

Additional info:

The reason ovirt engine complains with the error desribed above is the fact that HTTP OPTIONS call does not contain proper token in 'Authorization' header - the value seems to be truncated to 'Authorization: Bearer'

Comment 1 Eli Mesika 2020-10-21 09:04:31 UTC
I will test the same from Python SDK to see if the problem is in GO or in engine code

Comment 2 Eli Mesika 2020-10-22 10:37:19 UTC
I didn't manage to reproduce 

Please look at [1] which runs with no problems on my side (just replace all parameters enclosed with "<>" with yours 

1) Did you have "https://" in your URL and it ends with "ovirt-engine/api" as in the example 
2) Do you use the format "user@domain" in user field 
3) Do you have the correct password ?

[1] http://pastebin.test.redhat.com/912239

Comment 3 Artur Socha 2020-10-22 11:27:09 UTC
I have just realized that I did not add one important instruction. 
Ovirt engine must be deployed from RPM (with httpd). Tested against various 4.4.2 variants. 

ad1) ack to both parts
ad2) yes - in my case admin@internal
ad3) yes (I shared it privately)

When this client is run it will not end with failure - only error log statement in engine.log is issued (the from the bz description).

Comment 4 Eli Mesika 2020-10-22 13:09:58 UTC
I got input from Artur Socha that this is only happening for engines deployed from RPM (with httpd etc)
Looking at the Go Test code and comparing it to java/python SDK connection validation it seems that we don't need all this complexity 
It is enough to call the system service Get() method and see that it is not throwing an error 

I will push a patch that align Go SDK connection testing with java/python SDK connection testing logic

Comment 5 Eli Mesika 2020-10-25 10:45:06 UTC
solved in commit 92c1875a918b8e2f4aaf0d6110be9422dfc1ce10

Note You need to log in before you can comment on or make changes to this bug.