1500 unexpected error when github oauth expires

[Panaetius]

We should handle this error properly so it's actionable for users, not "1500 unexpected error occured".

Ideally, we'd figure out why the oauth refresh token expires in the first place and make sure this doesn't happen (this is for github.com oauth)

related sentry error:

Sentry Issue: RENKU-DATA-SERVICES-16

OAuthError: bad_refresh_token: The refresh token passed is incorrect or expired.
(1 additional frame(s) were not displayed)
...
  File "/app/env/lib/python3.12/site-packages/renku_data_services/connected_services/blueprints.py", line 179, in _get_token
    token = await self.connected_services_repo.get_oauth2_connection_token(
  File "/app/env/lib/python3.12/site-packages/renku_data_services/connected_services/db.py", line 325, in get_oauth2_connection_token
    await oauth2_client.ensure_active_token(oauth2_client.token)
  File "authlib/integrations/httpx_client/oauth2_client.py", line 113, in ensure_active_token
    await self.refresh_token(url, refresh_token=refresh_token)
  File "authlib/integrations/httpx_client/oauth2_client.py", line 149, in _refresh_token
    token = self.parse_response_token(resp)
  File "authlib/oauth2/client.py", line 344, in parse_response_token
    raise self.oauth_error_class(

[leafty]

Are you sure the issue is that the refresh token expired? It may be invalid for other reasons.

Which HTTP code and error message should be used in that case? A 401 error code?

When this happens, the solution is to have the user go through the "connect" flow again so that new valid token are issued.

[leafty]

Some references: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens

The user access token expires after eight hours, and the refresh token expires after six months.

We can consider using a background job to do refreshes, though we would need to also maintain something like a last_active field for users. This is because it is not good practice to refresh tokens for inactive users ad-infinitum.

I am not really in favor of doing that though. The refresh token expiring means that the user has not touched a GitHub feature for more than six months. In this case, I think it is OK to ask them to re-connect.

[Panaetius]

it seems to happen pretty regularily with users that have github connected and after a while they get 1500 errors where the oauth connection is used. It could be invalid for other reasons, but the user (elisabet) didn't invalidate it or anything, and it did work previously. So as far as I know, it goes from valid to invalid without any change from the users side.

But as per the issue description, figuring out exactly what is going on is part of this issue.

I don't think 401 makes sense, as it's not the client that is unauthenticated with us, but auth failure with a third party, and mixing those up could be confusing to clients. on the get_token endpoint specifically, maybe 404 is best suited, with extra details in the body. As in, the endpoint is for getting a valid token, but we don't have/couldn't find a valid token?

yes, reconnecting again solves the issue, for a time, but from what I heard from users, it happens more often than every 6 months.