Bug ID 939877: OAuth refresh token not found

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1

Fixed In:
17.0.0, 16.1.2, 15.1.4, 14.1.4.4

Opened: Aug 25, 2020

Severity: 4-Minor

Symptoms

When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:

    err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
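
An added example, not part of the F5 bug record: a shell function that counts the symptom message per OAuth profile in an APM log file, so refresh failures with other error codes are not mistaken for this bug. The function names, the log file passed in (assumed to be the APM log, typically /var/log/apm), and the sample lines' timestamps, host name, PIDs and second profile name are assumptions; the message text is the one quoted above.

```bash
# Added example: count the Bug ID 939877 symptom message per OAuth profile.

# Print "<count> <profile>" for each profile that logged message 01990004:3
# with Error Code (id_not_found) on a refresh-token request, busiest first.
refresh_not_found_summary() {
    awk '
        index($0, "01990004:3:") &&
        index($0, "Request Refresh Token") &&
        index($0, "Error Code (id_not_found)") {
            profile = $0
            sub(/^.*01990004:3: /, "", profile)             # strip up to the message ID
            sub(/: Request Refresh Token.*$/, "", profile)  # strip the message text
            count[profile]++
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample input. The matching message text is copied from the
# Symptoms section (Source ID left elided as on the page); everything else,
# including the non-matching error code, is made up for the demonstration.
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 25 10:01:02 bigip1 err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Aug 25 10:03:40 bigip1 err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Aug 25 10:04:11 bigip1 err tmm1[13355]: 01990004:3: /Common/other_OAuth:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Aug 25 10:04:30 bigip1 err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (constructed_other_error) Error Description (constructed line, not a real APM message)
Aug 25 10:05:00 bigip1 notice constructed[1]: unrelated constructed line
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
refresh_not_found_summary "$sample"
rm -f "$sample"
```

A profile that appears here while its clients hold valid refresh tokens is a candidate for the workaround below or for an upgrade to a fixed version.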

Impact

The OAuth APM client end user fails to renew the access token even with a valid refresh token.

Conditions

-- The refresh token expiration interval is longer than those of the authcode and access token.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or fails over to standby, thus losing the refresh-token value from primarydb.

Workaround

Clear/reset the Authorization code column value manually:

As the root user, run the following in the BIG-IP shell:

    (tmos)# list apm oauth db-instance
    apm oauth db-instance oauthdb {
        db-name <db_name>
        description "Default OAuth DB."
    }

Copy the value corresponding to <db_name>.

Log into mysql from the bash prompt:

    # mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
    mysql> use <db_name>;
    mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';

(Replace affected_refresh_token_id in the previous command with the affected refresh token ID.)

Fix Information

Do not report an error if the Authorization code does not exist when a valid refresh-token/access-token exists.

Behavior Change
