It's not possible to use newly refreshed access token while the "original" refresh token is still being processed

[azasypkin]

It seems we hit an issue somewhere in a token management subsystem. The issue description is a bit confusion, but here are the steps to reproduce:

1. Generate access/refresh token pair with a short lifetime (used 15s in my tests)
2. Wait till access token expires
3. Simultaneously send two refresh token requests
4. When first request completes try to use newly refresh token within a request to _authenticate endpoint

It happens so that at the step 4. first refresh request is still in progress and request to _authenticate with newly refreshed token at the same time fails with the following error:

HTTP/1.1 401 Unauthorized (application/json)
WWW-Authenticate: Bearer realm="security"
WWW-Authenticate: ApiKey
WWW-Authenticate: Basic realm="security" charset="UTF-8"

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_security/_authenticate]","header":{"WWW-Authenticate":["Bearer realm="security"","ApiKey","Basic realm="security" charset="UTF-8""]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_security/_authenticate]","header":{"WWW-Authenticate":["Bearer realm="security"","ApiKey","Basic realm="security"

/cc @jkakavas

[elasticmachine]

Pinging @elastic/es-security (:Security/Authentication)

[jkakavas]

My original thought was that the culprit is the WAIT_UNTIL here :

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java

Line 339 in a90c1de

.setRefreshPolicy(RefreshPolicy.WAIT_UNTIL)

Which would mean that after we refresh the token and index the new document, the index hasn't been refreshed by the time that the _authenticate call arrives

But @azasypkin tried this out with IMMEDIATE and still reproduces.

[ywangd]

The problem is likely a racing condition between two threads handling the refreshing request. The following scenario is one possible way for it to happen:

When the 1st refresh request is done updating the exsiting document but before it can create the new document (can be simulated by adding Thread.sleep before this line), the 2nd refresh request comes in and tries to refresh the token again. The 2nd request will see that the existing document is refreshed and take a shortcut to return the information directly from the updated existing document. At this point, the new token document has not yet been created since the 1st thread is slow.

Therefore the 2nd request will come back to user before the 1st request can complete (and actually creating the new token document). If user immediately tries to authenticate with the new access token, it will fail since the document has not yet been created. If you wait for a while till the 1st refresh request (the slower one) to complete, the new token will become valid.

In summary, the problem is that end-user can get back an access token which is yet to be created because of the two-stage processing on the server side.

[azasypkin]

Thanks @ywangd, what you're describing matches pretty close to what we were observing in another issue where we had two almost concurrent requests with an expired token (non-essential request/response details are omitted, second column is packet/request number and third one is UTC timestamp). Copying here, jfr.

# First request with expired token
56	15:40:37.830393657	232	GET /_security/_authenticate HTTP/1.1
authorization: Bearer 46ToAxZCajVhTUladVRsYWpaWWoxbkZmZ2FB

# Second request with expired token
58	15:40:37.830429114	232	GET /_security/_authenticate HTTP/1.1 
authorization: Bearer 46ToAxZCajVhTUladVRsYWpaWWoxbkZmZ2FB

# Reply to the second request - token is expired - looks good
60	15:40:37.831789663	684	HTTP/1.1 401 Unauthorized  (application/json)
WWW-Authenticate: Bearer realm="security", error="invalid_token", error_description="The access token expired"

# Reply to the first request - token is expired - looks good
61	15:40:37.831792090	684	HTTP/1.1 401 Unauthorized  (application/json)
WWW-Authenticate: Bearer realm="security", error="invalid_token", error_description="The access token expired"

# Now let's refresh the tokens

# First request to refresh token
64	15:40:37.832761215	333	POST /_security/oauth2/token HTTP/1.1  (application/json)
Authorization: Basic a2liYW5hOmNoYW5nZW1l
{"grant_type":"refresh_token","refresh_token":"46ToAxYzbjY1Y2lLX1FJZW05UFp0SHZqYkF3"}

# Second request to refresh token (using the same refresh token obviously)
Authorization: Basic a2liYW5hOmNoYW5nZW1l
69	15:40:37.833581671	333	POST /_security/oauth2/token HTTP/1.1  (application/json)
{"grant_type":"refresh_token","refresh_token":"46ToAxYzbjY1Y2lLX1FJZW05UFp0SHZqYkF3"}

# Reply to the second refresh request - looks good
71	15:40:37.839309282	295	HTTP/1.1 200 OK  (application/json)
{"access_token":"46ToAxZveGIwUTRYNVFpV1B1YVg0MFJRZDdR","type":"Bearer","expires_in":15,"refresh_token":"46ToAxZBdzM4UVZ1eFJnaW41LUZESmFPQTRB"}

# Since we have a refreshed token now, let's use it
# Remember we still haven't received reply for the first refresh request!!!
73	15:40:37.840045203	232	GET /_security/_authenticate HTTP/1.1 
authorization: Bearer 46ToAxZveGIwUTRYNVFpV1B1YVg0MFJRZDdR

# Reply to the first request with refreshed token ---- that seems to be a BUG
75	15:40:37.840803301	795	HTTP/1.1 401 Unauthorized  (application/json)
WWW-Authenticate: Bearer realm="security"
WWW-Authenticate: ApiKey
WWW-Authenticate: Basic realm="security" charset="UTF-8"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_security/_authenticate]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_security/_authenticate]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\"

# Reply to the first refresh request (finally) - looks good
99	15:40:38.816817407	295	HTTP/1.1 200 OK  (application/json)
{"access_token":"46ToAxZveGIwUTRYNVFpV1B1YVg0MFJRZDdR","type":"Bearer","expires_in":15,"refresh_token":"46ToAxZBdzM4UVZ1eFJnaW41LUZESmFPQTRB"}

# Second request with refreshed token
101	15:40:38.817551907	232	GET /_security/_authenticate HTTP/1.1
authorization: Bearer 46ToAxZveGIwUTRYNVFpV1B1YVg0MFJRZDdR

# Reply to the second request with refresh token - looks good
103	15:40:38.818535836	473	HTTP/1.1 200 OK  (application/json)
{"username":"a@b.c","roles":[],"full_name":null,"email":null,"metadata":{"saml_nameid":"a@b.c","saml_nameid_format":"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified","saml(urn:oid:0.0.7)":["a@b.c"]},"enabled":true,"authentication_realm":{"name":"saml1","type":"saml"},"lookup_realm":{"name":"saml1","type":"saml"}}

[ywangd]

@azasypkin Thanks for the detailed request/response log. It matches exactly to what I have suspected. The same access token 46ToAxZveGIwUTRYNVFpV1B1YVg0MFJRZDdR was returned by both refresh requests and became valid just one second after it's initial failure.

Btw, this problem can happen regardless of the expiration time or whether the original token is expired or not.