Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CCloud auth expiration doesn't disconnect cleanly #1098

Open
shouples opened this issue Feb 28, 2025 · 3 comments
Open

CCloud auth expiration doesn't disconnect cleanly #1098

shouples opened this issue Feb 28, 2025 · 3 comments
Assignees
@shouples
Labels
CCloud authentication Issue related to authentication to Confluent Cloud through the extension

Comments

@shouples
Copy link
Contributor

Seen after hitting the 8-hour session expiration, where it looks like we only got an INVALID_TOKEN status:

2025-02-28 04:16:55.645 [info] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.RefreshCCloudTokensBean] Refreshed tokens of connection with ID=vscode-confluent-cloud-connection.
2025-02-28 04:17:29.312 [debug] [Confluent] [docker.eventListener] stream ended: Body Timeout Error
2025-02-28 04:17:29.817 [debug] [Confluent] [docker.configs] docker ping response: OK
2025-02-28 04:17:29.817 [debug] [Confluent] [docker.eventListener] dockerAvailable: true
2025-02-28 04:17:29.821 [debug] [Confluent] [docker.eventListener] reading from stream...
2025-02-28 04:21:55.598 [info] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.RefreshCCloudTokensBean] Refreshed tokens of connection with ID=vscode-confluent-cloud-connection.
2025-02-28 04:22:29.947 [debug] [Confluent] [docker.eventListener] stream ended: Body Timeout Error
2025-02-28 04:22:30.452 [debug] [Confluent] [docker.configs] docker ping response: OK
2025-02-28 04:22:30.452 [debug] [Confluent] [docker.eventListener] dockerAvailable: true
2025-02-28 04:22:30.455 [debug] [Confluent] [docker.eventListener] reading from stream...
2025-02-28 04:26:55.612 [info] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.RefreshCCloudTokensBean] Refreshed tokens of connection with ID=vscode-confluent-cloud-connection.
2025-02-28 04:27:30.884 [debug] [Confluent] [docker.eventListener] stream ended: Body Timeout Error
2025-02-28 04:27:31.095 [debug] [Confluent] [docker.configs] docker ping response: OK
2025-02-28 04:27:31.095 [debug] [Confluent] [docker.eventListener] dockerAvailable: true
2025-02-28 04:27:31.096 [debug] [Confluent] [docker.eventListener] reading from stream...
2025-02-28 04:32:00.040 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:00.041 [info] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.connections.ConnectionState] Updated status for connection ID=vscode-confluent-cloud-connection. Original spec: ConnectionStatus[ccloud=CCloudStatus[state=SUCCESS, requiresAuthenticationAt=2025-02-28T09:29:06.499129Z, user=UserInfo[...], errors=null], kafkaCluster=null, schemaRegistry=null], Updated spec: ConnectionStatus[ccloud=CCloudStatus[state=EXPIRED, requiresAuthenticationAt=null, user=null, errors=null], kafkaCluster=null, schemaRegistry=null], Last updated: 2025-02-28T09:32:00.039801Z
2025-02-28 04:32:00.041 [info] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.cache.ClusterCache] Disconnected ConnectionSpec[id=vscode-confluent-cloud-connection, name=Confluent Cloud, type=CCLOUD, ccloudConfig=CCloudConfig[organizationId=null, ideAuthCallbackUri=vscode://confluentinc.vscode-confluent/authCallback], localConfig=null, kafkaClusterConfig=null, schemaRegistryConfig=null]
2025-02-28 04:32:00.041 [debug] [Confluent] [sidecar.connections.watcher] ConnectionStateWatcher: received DISCONNECTED event for connection id vscode-confluent-cloud-connection
2025-02-28 04:32:00.041 [debug] [Confluent] [sidecar.connections.statusUtils] connectionEventHandler: ccloud connection update received, passing to reactToCCloudAuthState()
2025-02-28 04:32:00.041 [debug] [Confluent] [authn.ccloudStateHandling] received update to CCloud connection {"status":"INVALID_TOKEN"}
2025-02-28 04:32:00.064 [debug] [Confluent] [authn.ccloudProvider] authProvider: secrets.onDidChange event {"key":"ccloudAuthStatus"}
2025-02-28 04:32:05.037 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:10.038 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:15.050 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:20.041 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:25.049 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:30.045 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:31.221 [debug] [Confluent] [docker.eventListener] stream ended: Body Timeout Error
2025-02-28 04:32:31.691 [debug] [Confluent] [docker.configs] docker ping response: OK
2025-02-28 04:32:31.691 [debug] [Confluent] [docker.eventListener] dockerAvailable: true
2025-02-28 04:32:31.694 [debug] [Confluent] [docker.eventListener] reading from stream...
2025-02-28 04:32:35.053 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:40.033 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:45.040 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:50.041 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:32:55.046 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
2025-02-28 04:33:00.047 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}
Image
@shouples shouples added the CCloud authentication Issue related to authentication to Confluent Cloud through the extension label Feb 28, 2025
@shouples shouples self-assigned this Feb 28, 2025
@shouples
Copy link
Contributor Author

@flippingbits since we also see 2025-02-28 04:32:00.041 [info] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.connections.ConnectionState] ... Updated spec: ConnectionStatus[ccloud=CCloudStatus[state=EXPIRED, requiresAuthenticationAt=null, user=null, errors=null], kafkaCluster=null, schemaRegistry=null] from the sidecar logs, would handling #855 take care of this issue?

I'm surprised we don't get any other websocket events aside from 2025-02-28 04:32:00.041 [debug] [Confluent] [authn.ccloudStateHandling] received update to CCloud connection {"status":"INVALID_TOKEN"}

@shouples shouples mentioned this issue Feb 28, 2025
Open
1 task
@flippingbits
Copy link
Contributor

Thanks for reporting it and looping me in, @shouples!

I don't think #855 would handle this issue, as the status.ccloud's EXPIRED status equals the status.authentications INVALID_TOKEN status (see here).

From reading the logs, the sidecar seems to report that the CCloud control plane token is invalid after consulting the CCloud API: 2025-02-28 04:32:00.040 [error] [Confluent (Sidecar)] [io.confluent.idesidecar.restapi.auth.CCloudOAuthContext] Error in CCloud response while verifying the auth status of this connection: {"code":401,"message":"token is expired","error_code":"token_expired"}.

It looks like the absolute lifetime of the refresh token ended at 2025-02-28T09:29:06.499129Z, which is why the sidecar stopped refreshing the control plane token (the next refresh would have been performed at 2025-02-28T09:31:55Z).

Unfortunately, the sidecar doesn't report a non-transient error in this case, which would let the VS Code extension prompt the user to re-authenticate, but assumes that the VS Code extension has noted the requiresAuthenticationAt timestamp earlier. IIRC, the extension prompts the user to reauthenticate shortly before the end of the 8-hour window?

I feel we should fix this on the sidecar side and let it reset the CCloud connection (and set its status to the initial NONE/NO_TOKEN status), once the CCloud connection's refresh token has hit the end of its absolute lifetime, assuming this doesn't cause any weird experience/behavior on the extension side. WDYT? We can also chat about it over Zoom later today if you like.

@shouples
Copy link
Contributor Author

shouples commented Mar 4, 2025

I feel we should fix this on the sidecar side and let it reset the CCloud connection (and set its status to the initial NONE/NO_TOKEN status), once the CCloud connection's refresh token has hit the end of its absolute lifetime, assuming this doesn't cause any weird experience/behavior on the extension side.

@flippingbits thanks for the info here! Currently the extension blocks any CCloud-related requests via its middleware when we see the INVALID_TOKEN state, so having a follow-on event to reset the connection state makes sense to me. 👍

And yep, we should be floating CCloud auth expiration warning notifications as soon as the session has <1hr before the 8hr window.

@flippingbits flippingbits mentioned this issue Mar 5, 2025
Closed
@shouples shouples mentioned this issue Mar 12, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shouples shouples

Labels
CCloud authentication Issue related to authentication to Confluent Cloud through the extension
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@flippingbits @shouples