Copilot AI commented Oct 29, 2025

Intermittent 401 Unauthorized errors occurred when OAuth tokens expired between the expiration check and API call execution. No retry or fallback mechanism existed when token refresh failed.

Changes

Token Expiration Buffer

  • Added configurable token_expiration_buffer (default: 30s) to refresh tokens proactively before expiration
  • Modified expired? to check Time.now.utc > (@expiration - @token_expiration_buffer) instead of exact expiration
  • Safely handles nil expiration values

Automatic Fallback

  • prepare_token now attempts regenerate_token || get_new_token when expired
  • Eliminates silent failures when token refresh returns nil

Configuration

client = OneLogin::Api::Client.new(
  client_id: 'id',
  client_secret: 'secret',
  token_expiration_buffer: 60  # Refresh 60s before expiration (default: 30)
)

The buffer prevents race conditions by ensuring tokens are refreshed before they expire during API calls. The fallback ensures credentials remain valid even when refresh endpoints fail.

Original prompt

This section details the original issue you should resolve

<issue_title>Getting 401 Unauthorized for a valid set of client id and secret</issue_title>
<issue_description>We have been using this gem for our OneLogin integration for a number of customers on our application and have been facing an issue with one particular set of client id and secret.

We usually pull users, apps and event logs data, and one of the credentials that we have often fails with a 401 Unauthorized error message.
On manually checking the health of the credentials with Postman, or even restarting the process, we are able to pull API responses.

We have already handled rate limits at our end. Can we get help on what exactly might be going wrong here?</issue_description>

Comments on the Issue (you are @copilot in this section)
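
An added example, not the gem's code or part of this pull request: a self-contained Ruby model of the buffered expiry check and the refresh-then-new-token fallback that the description above outlines. `TokenGate`, `build_gate`, the injected clock and callables, and treating a nil expiration as expired are assumptions made for illustration.

```ruby
# Added illustration; TokenGate and its collaborators are hypothetical,
# not the gem's OneLogin::Api::Client.
class TokenGate
  attr_reader :token, :expiration, :log

  # refresh/issue are callables returning [token, expires_at], or nil on failure.
  def initialize(refresh:, issue:, buffer: 30, clock: -> { Time.now.utc })
    @refresh, @issue, @buffer, @clock = refresh, issue, buffer, clock
    @log = []
  end

  def store(token, expiration)
    @token = token
    @expiration = expiration
  end

  # Expired once "now" passes (expiration - buffer).
  # Assumption: a missing token or nil expiration counts as expired.
  def expired?
    return true if @token.nil? || @expiration.nil?
    @clock.call > (@expiration - @buffer)
  end

  # Refresh first; fall back to a brand-new token if refresh yields nil.
  def prepare_token
    return @token unless expired?
    result = attempt(:refresh, @refresh) || attempt(:issue, @issue)
    raise 'no usable token' if result.nil?
    store(*result)
    @token
  end

  private

  def attempt(name, callable)
    @log << name
    callable.call
  end
end

# Constructed scenario: the token has 10s of life left and refresh fails.
NOW = Time.utc(2025, 10, 29, 16, 0, 0)
def build_gate(buffer)
  gate = TokenGate.new(refresh: -> { nil },
                       issue: -> { ['new-token', NOW + 3600] },
                       buffer: buffer, clock: -> { NOW })
  gate.store('old-token', NOW + 10)
  gate
end
```

With `build_gate(0)` the 10-second-old token is still handed out and can expire while the request is in flight; with `build_gate(30)` it is replaced before the call, and `log` records that the failed refresh was followed by a new-token request.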


Copilot AI and others added 3 commits October 29, 2025 16:15
Co-authored-by: Subterrane <5290140+Subterrane@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix 401 Unauthorized error for OneLogin credentials" to "Fix intermittent 401 errors from token expiration race condition" Oct 29, 2025
Copilot AI requested a review from Subterrane October 29, 2025 16:28
Subterrane requested a review from Copilot October 29, 2025 16:52

Copilot AI left a comment

Pull Request Overview

Fixes intermittent 401 Unauthorized errors caused by OAuth token expiration race conditions by implementing proactive token refresh with configurable buffer time and automatic fallback mechanisms.

  • Added configurable token expiration buffer (default: 30s) to refresh tokens before they expire
  • Implemented automatic fallback from token refresh to new token generation when refresh fails
  • Enhanced token management with improved expiration checking and error handling

Reviewed Changes

Copilot reviewed 4 out of 948 changed files in this pull request and generated 1 comment.

File | Description
lib/onelogin/api/client.rb | Core implementation of token expiration buffer, enhanced expiration checking, and fallback logic
spec/lib/onelogin/api/token_expiration_spec.rb | Comprehensive test suite covering token expiration scenarios and fallback behavior
onelogin.gemspec | Added webmock development dependency for testing
README.md | Updated documentation to include new token_expiration_buffer configuration option

Comment on lines +85 to +90
# Internal method to get a new access token
# This is separate from the public access_token method to allow internal use
#
def get_new_token
access_token
end
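
Review bot: the comment above `get_new_token` calls it an internal method, but nothing in these lines shows it sitting under `private`, so it may be exposed as a second public entry point for token issuance. If it is only meant to be called from `prepare_token`, place it under `private` and say so in the comment; otherwise document it as part of the public API.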

Copilot AI Oct 29, 2025

This method simply delegates to access_token without adding any value. Consider directly calling access_token in prepare_token instead of introducing this wrapper method, or add meaningful functionality if this separation is intended for future extensibility.

Development

Successfully merging this pull request may close these issues.

Getting 401 Unauthorized for a valid set of client id and secret