Return detailed error code when refresh token was issued by different client
Summary
When using a refresh token issued by a different Cognito client, the API returns 500 internal server error instead of giving a detailed error message.
Steps to reproduce
- Issue refresh token.
- Deploy new Cognito client.
- Try to issue new access token from new client.
What is the current bug behavior?
API returns 500 Internal Server Error
Relevant logs and/or screenshots
Logs
| 2022/10/04 14:04:53 ERROR mlflow.server: Exception on /api/mantik/tokens/refresh [POST] |
|---|
| Traceback (most recent call last): |
| File "/venv/lib/python3.9/site-packages/flask/app.py", line 2077, in wsgi_app |
| response = self.full_dispatch_request() |
| File "/venv/lib/python3.9/site-packages/flask/app.py", line 1525, in full_dispatch_request |
| rv = self.handle_user_exception(e) |
| File "/venv/lib/python3.9/site-packages/flask/app.py", line 1523, in full_dispatch_request |
| rv = self.dispatch_request() |
| File "/venv/lib/python3.9/site-packages/flask/app.py", line 1509, in dispatch_request |
| return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/skip.py", line 15, in wrapped |
| return func(*endpoint_args, **endpoint_kw) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/api/tokens.py", line 32, in refresh_token |
| return _get_token( |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/api/tokens.py", line 42, in _get_token |
| response = _get.get_tokens(data) |
| File "/usr/local/lib/python3.9/functools.py", line 877, in wrapper |
| return dispatch(args[0].class)(*args, **kw) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/api/_get.py", line 35, in _refresh_tokens |
| tokens = _get_tokens_from_api(request) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/api/_get.py", line 44, in _get_tokens_from_api |
| return _cognito.api.get_tokens(credentials) |
| File "/usr/local/lib/python3.9/functools.py", line 877, in wrapper |
| return dispatch(args[0].class)(*args, **kw) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/api.py", line 36, in _refresh_tokens |
| response = _get_tokens_from_cognito( |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/api.py", line 50, in _get_tokens_from_cognito |
| with _auth.cognito_auth_response( |
| File "/usr/local/lib/python3.9/contextlib.py", line 117, in enter |
| return next(self.gen) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/_auth.py", line 36, in cognito_auth_response |
| yield _get_auth_response( |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/_auth.py", line 78, in _get_auth_response |
| raise e |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/_auth.py", line 56, in _get_auth_response |
| return client.initiate_auth( |
| File "/venv/lib/python3.9/site-packages/botocore/client.py", line 508, in _api_call |
| return self._make_api_call(operation_name, kwargs) |
| File "/venv/lib/python3.9/site-packages/botocore/client.py", line 915, in _make_api_call |
| raise error_class(parsed_response, operation_name) |
| botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has different Client |
| 2022/10/04 14:05:47 ERROR mlflow.server: Exception on /api/mantik/tokens/refresh [POST] |
| Traceback (most recent call last): |
| File "/venv/lib/python3.9/site-packages/flask/app.py", line 2077, in wsgi_app |
| response = self.full_dispatch_request() |
| File "/venv/lib/python3.9/site-packages/flask/app.py", line 1525, in full_dispatch_request |
| rv = self.handle_user_exception(e) |
| File "/venv/lib/python3.9/site-packages/flask/app.py", line 1523, in full_dispatch_request |
| rv = self.dispatch_request() |
| File "/venv/lib/python3.9/site-packages/flask/app.py", line 1509, in dispatch_request |
| return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/skip.py", line 15, in wrapped |
| return func(*endpoint_args, **endpoint_kw) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/api/tokens.py", line 32, in refresh_token |
| return _get_token( |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/api/tokens.py", line 42, in _get_token |
| response = _get.get_tokens(data) |
| File "/usr/local/lib/python3.9/functools.py", line 877, in wrapper |
| return dispatch(args[0].class)(*args, **kw) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/api/_get.py", line 35, in _refresh_tokens |
| tokens = _get_tokens_from_api(request) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/flask/api/_get.py", line 44, in _get_tokens_from_api |
| return _cognito.api.get_tokens(credentials) |
| File "/usr/local/lib/python3.9/functools.py", line 877, in wrapper |
| return dispatch(args[0].class)(*args, **kw) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/api.py", line 36, in _refresh_tokens |
| response = _get_tokens_from_cognito( |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/api.py", line 50, in _get_tokens_from_cognito |
| with _auth.cognito_auth_response( |
| File "/usr/local/lib/python3.9/contextlib.py", line 117, in enter |
| return next(self.gen) |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/_auth.py", line 36, in cognito_auth_response |
| yield _get_auth_response( |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/_auth.py", line 78, in _get_auth_response |
| raise e |
| File "/venv/lib/python3.9/site-packages/mantik/mlflow_server/tokens/cognito/_auth.py", line 56, in _get_auth_response |
| return client.initiate_auth( |
| File "/venv/lib/python3.9/site-packages/botocore/client.py", line 508, in _api_call |
| return self._make_api_call(operation_name, kwargs) |
| File "/venv/lib/python3.9/site-packages/botocore/client.py", line 915, in _make_api_call |
| raise error_class(parsed_response, operation_name) |
| botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Refresh Token has different Client |
What is the expected correct behavior?
Possible fixes
- Return a dedicated error message that can be interpreted by our client such that it tries to issue a new refresh token (and potentially access token afterwards) with the user's credentials.