leapp: Session token not found or invalid

Describe the bug After a while from the login, I can’t start a session on a given account when using SSO.

Leapp Version 0.15.1 and 0.14.3 (did downgrade to check if problem was persisting)

To Reproduce Steps to reproduce the behavior:

  1. Login via AWS SSO
  2. Start a new session on a listed account
  3. After a while try starting another one, you’ll get “Session token not found or invalid”.

Expected behavior A session is started, with no error.

** Logs **

[2022-10-10 13:34:09.460] [info]  [renderer] Opening web console for session: AziendaZero
[2022-10-10 13:34:09.474] [info]  [renderer] Starting opening Web Console
[2022-10-10 14:53:05.149] [info]  [renderer] Starting Session
[2022-10-10 14:53:05.430] [error] [renderer] [ErrorService] UnauthorizedException: Session token not found or invalid
    at Object.extractError (file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:32758:27)
    at Request.extractError (file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:33138:8)
    at Request.callListeners (file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:35899:20)
    at Request.emit (file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:35866:10)
    at Request.emit (file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:34462:14)
    at Request.transition (file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:33788:10)
    at AcceptorStateMachine.runTo (file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:40088:12)
    at file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:40099:10
    at Request.<anonymous> (file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:33804:9)
    at Request.<anonymous> (file:///opt/Leapp/resources/app.asar/dist/leapp-client/main.34a8122b32e1d613.js:34464:12)
[2022-10-10 14:59:47.111] [info]  [renderer] Starting Session

The first two lines of the logs show a successful operation. Then the problem appeared.

Desktop (please complete the following information):

  • Ubuntu 22.04
  • Leapp 0.14.3 and 0.15.1

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 2
  • Comments: 17 (10 by maintainers)

Most upvoted comments

@ericvilla informed me that this is pertinent info: I also run into this every once in a while (it’s pretty rare), and I have an aws-sso-access-token secret in my OS Keychain (I use ArchLinux). Apparently this corresponds to an older token format that Leapp used to use. Logging out and back in does solve the problem (removing the secret does not).

Hi everyone, we managed to restrict the portion of code that generated that issue.

It seems the accessToken - generated during the AWS SSO OIDC login - expires before the expected 8hrs (as documented by AWS).

Therefore, we applied a forced refresh of the accessToken when the getRoleCredentials call fails. In particular, we added an optional forceRefresh parameter to the getAccessToken method. It triggers a new OIDC login flow that, if you are already logged into AWS SSO, requires you to allow the device authorization request.

// First attempt: use the access token returned without a forced refresh.
let accessToken = await this.awsIntegrationDelegate.getAccessToken(session.awsSsoConfigurationId, region, portalUrl);
let credentials;

try {
  credentials = await this.awsIntegrationDelegate.getRoleCredentials(accessToken, region, roleArn);
} catch (err) {
  // getRoleCredentials failed: force a new OIDC login (forceRefresh = true) and retry once.
  accessToken = await this.awsIntegrationDelegate.getAccessToken(session.awsSsoConfigurationId, region, portalUrl, true);
  credentials = await this.awsIntegrationDelegate.getRoleCredentials(accessToken, region, roleArn);
}

Still, we’re going to investigate the OIDC device authorization flow, as it is related to an expiration value too.
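
The forced-refresh retry described in the comment above, as an added example that is not part of the original thread or Leapp's own code. It narrows the retry to the rejected-token error from the log so that unrelated failures do not trigger a new device authorization request. The stub delegate, the `makeStubDelegate` and `getCredentialsWithRefresh` names, the token strings, and matching on `err.name` are assumptions.

```javascript
// Hypothetical stub standing in for Leapp's awsIntegrationDelegate.
// The cached token is constructed to be rejected, as in the log above.
function makeStubDelegate({ failWith = null } = {}) {
  const calls = { login: 0, roleCreds: 0 };
  return {
    calls,
    async getAccessToken(configId, region, portalUrl, forceRefresh = false) {
      if (forceRefresh) {
        calls.login += 1; // stands for a new OIDC device authorization flow
        return "fresh-token";
      }
      return "cached-token"; // expired earlier than expected
    },
    async getRoleCredentials(accessToken, region, roleArn) {
      calls.roleCreds += 1;
      if (failWith) throw failWith; // constructed unrelated failure
      if (accessToken !== "fresh-token") {
        const err = new Error("Session token not found or invalid");
        err.name = "UnauthorizedException";
        throw err;
      }
      return { accessKeyId: "EXAMPLE", roleArn };
    },
  };
}

// Retry once with forceRefresh, but only when the token itself was rejected.
async function getCredentialsWithRefresh(delegate, session, region, portalUrl, roleArn) {
  let accessToken = await delegate.getAccessToken(
    session.awsSsoConfigurationId, region, portalUrl);
  try {
    return await delegate.getRoleCredentials(accessToken, region, roleArn);
  } catch (err) {
    // Assumption: the rejected-token error is identified by its name,
    // as printed in the log line ("UnauthorizedException: ...").
    if (err.name !== "UnauthorizedException") throw err;
    accessToken = await delegate.getAccessToken(
      session.awsSsoConfigurationId, region, portalUrl, true);
    // A second failure propagates to the caller; there is no retry loop.
    return await delegate.getRoleCredentials(accessToken, region, roleArn);
  }
}
```
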