Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azure directory timeouts #151

Open
calebdoxsey opened this issue Mar 27, 2023 · 2 comments
Open

azure directory timeouts #151

calebdoxsey opened this issue Mar 27, 2023 · 2 comments
Labels
help wanted Extra attention is needed

Comments

@calebdoxsey
Copy link
Contributor

What happened?

Occasionally when doing large sync calls with the Azure Microsoft Graph Delta API we are seeing timeouts:

{
  "level":"debug",
  "method":"GET",
  "authority":"[graph.microsoft.com](https://graph.microsoft.com/)",
  "path":"/v1.0/groups/delta",
  "duration":686.488539,
  "response-code":401,
  "idp":"azure",
  "response-body":"{\"error\":{\"code\":\"InvalidAuthenticationToken\",\"message\":\"Access token has expired or is not yet valid.\",\"innerError\":{\""
}

What did you expect to happen?

For large directory syncs to succeed.

Additional context

We should investigate a few different ideas here:

  1. Why are the access tokens not refreshing as we expect? Each API call (even for thousands of delta API calls) should check if the token is valid before re-using it. Are we hitting an issue where the token is valid only for a few seconds before it expires, so we-reuse it, but then it fails?
  2. Perhaps we should implement a simple retry mechanism to force a refresh of the access token when this error occurs and retry the API call
  3. Is there something in the delta API we can use to resume where we left off? Maybe $skiptoken?
  4. Can we increase the access token expiration timestamp somehow?

Locally we should be able to reproduce the behavior by adding an artifical lag to all requests. The default access token expiration is between 60 and 90 minutes.
@calebdoxsey
Copy link
Contributor Author

We already implemented retries when access tokens expire.

@calebdoxsey
Copy link
Contributor Author

Confirmed:

<nil> DBG http-request authority=graph.microsoft.com duration=129.826292 idp=azure method=GET path=/v1.0/users/delta response-body="{\"error\":{\"code\":\"InvalidAuthenticationToken\",\"message\":\"Access token has expired or is not yet valid.\",\"innerError\":{\"date\":\"2023-03-29T03:35:13\",\"request-id\":\"e5192c2d-960b-48ea-bc21-979ae759f671\",\"client-request-id\":\"e5192c2d-960b-48ea-bc21-979ae759f671\"}}}" response-code=401
<nil> DBG http-request authority=login.microsoftonline.com duration=430.282791 idp=azure method=POST path=/a0860b16-674e-426d-9165-f87469a8282d/oauth2/v2.0/token response-code=200

The token expires, we clear it and retry the next request, which succeeds.

@desimone desimone added the help wanted Extra attention is needed label Mar 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@calebdoxsey @desimone