Race condition in creation of Access Token with external OAuth2 server

[n2ygk]

In oauth2_validators._get_token_from_authentication_server there's a race condition when two requests both present a new Bearer Access Token causing a SQL insertion error for a uniqueness constraint violation.

This has been exercised in the wild by our project that has a client that makes near simultaneous requests of the same Django endpoint with the same Bearer token (see validate_bearer_token.

I believe the fix is to use AccessToken.objects.get_or_create(). Does this make sense @jleclanche?

[giovannibelzoni]

Would that be this error by any chance?

IntegrityError: duplicate key value violates unique constraint "oauth2_provider_accesstoken_source_refresh_token_id_key"
DETAIL:  Key (source_refresh_token_id)=(726272) already exists.

I initially had thought I have a bad migration.

[giovannibelzoni]

I was able to reproduce this by hammering the token endpoint with this test script:

import requests
import threading

url = "https://my.domain.com/o/token/"

refresh_token = "hYdpB9SsFpTyU5ZJtgxGSqXW3Aczzo"

payload = "grant_type=refresh_token&refresh_token={}&client_id=my-client-id".format(refresh_token)

headers = {
    'Content-Type': "application/x-www-form-urlencoded",
    'Cache-Control': "no-cache",
}

def request1():
    response = requests.request("POST", url, data=payload, headers=headers)
    print("request 1: {}".format(response.status_code))

def request2():
    response = requests.request("POST", url, data=payload, headers=headers)
    print("request 2: {}".format(response.status_code))

def request3():
    response = requests.request("POST", url, data=payload, headers=headers)
    print("request 3: {}".format(response.status_code))


t1 = threading.Thread(target=request1)
t2 = threading.Thread(target=request2)
t3 = threading.Thread(target=request3)

t1.start()
t2.start()
t3.start()

Output:

request 1: 200
request 2: 401
request 3: 500 <-- Integrity error here

We can't always control the behaviour of JS clients, best to fix this - perhaps as proposed by @n2ygk above?

[n2ygk]

@giovannibelzoni we saw this, and it's for the Access -- not Refresh -- token, but probably similar. We are using MS SQL Server (ugh) so the errors might be different:

"('23000', "[23000] [FreeTDS][SQL Server]Violation of UNIQUE KEY constraint 'UQ_oauth2_p_CA90DA7AF848555F'. Cannot insert duplicate key in object 'dbo.oauth2_provider_accesstoken'. The duplicate key value is ( [+redacted bearer token+] ). (2627) (SQLExecDirectW)")"

[n2ygk]

See #611

[n2ygk]

@giovannibelzoni Can you please test #611 and let me know if the refresh token error still exists.

[n2ygk]

#611 merged