Use refresh_token to refresh access_token

justinc1 · justinc1 · commit 6254bfe40414 · 2025-09-11T13:35:23.000+02:00
Requires client_id and client_secret.

Signed-off-by: Justin Cinkelj &lt;justin.cinkelj@xlab.si&gt;
diff --git a/README.md b/README.md
@@ -55,7 +55,7 @@ python manage.py createsuperuser
 We need to create OAuth2 application and access token for integration with AAP.
 Follow [setup/README.md](setup/README.md#sso-authentication), section "SSO authentication".
 
-File `clusters.yaml` needs to contain the access token.
+File `clusters.yaml` needs to contain the access token, refresh token, client id and client secret.
 
 ```bash
 cp -i clusters.example.yaml clusters.yaml
diff --git a/clusters.example.yaml b/clusters.example.yaml
@@ -4,6 +4,9 @@ clusters:
     address: 10.44.17.179
     port: 8443
     access_token: sampleToken
+    refresh_token: sampleRefreshToken
+    client_id: sampleClientId
+    client_secret: sampleClientSecret
     verify_ssl: false
     sync_schedules:
       - name: Every 5 minutes sync
@@ -14,6 +17,9 @@ clusters:
     address: 10.48.17.178
     port: 8443
     access_token: sampleToken1
+    refresh_token: sampleRefreshToken1
+    client_id: sampleClientId1
+    client_secret: sampleClientSecret1
     verify_ssl: false
     sync_schedules:
       - name: Every 3 hours sync
diff --git a/setup/README.md b/setup/README.md
@@ -93,8 +93,8 @@ Next create a token at https://AAP_CONTROLLER_FQDN:8443/#/users/<id>/tokens:
 - OAuth application: automation-dashboard-sso
 - Scope: read
 
-Store access token value.
-The access token is used in `clusters.yaml`.
+Store access token and refresh token values.
+They are used in `clusters.yaml`.
 
 #### Run installer
 
diff --git a/src/backend/apps/clusters/connector.py b/src/backend/apps/clusters/connector.py
@@ -8,7 +8,7 @@
 from django.db import transaction
 import urllib3
 
-from backend.apps.clusters.encryption import decrypt_value
+from backend.apps.clusters.encryption import decrypt_value, encrypt_value
 from backend.apps.clusters.models import (
     ClusterSyncData,
     ClusterSyncStatus,
@@ -84,8 +84,47 @@ def headers(self):
             'Accept': 'application/json',
         }
 
-    def execute_get_one(self, url, timeout=None):
-        logger.info(f'Executing GET request to {url}')
+    def _reauth(self, timeout=None):
+        url = f'{self.cluster.base_url}/api/o/token/'  # TODO AAP version
+        refresh_token = decrypt_value(self.cluster.refresh_token)
+        client_id = self.cluster.client_id
+        client_secret = decrypt_value(self.cluster.client_secret)
+
+        data = {
+            'grant_type': 'refresh_token',
+            'refresh_token': refresh_token,
+        }
+        headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+        }
+        auth = requests.auth.HTTPBasicAuth(client_id, client_secret)
+        try:
+            response = requests.post(
+                url=url,
+                data=data,
+                auth=auth,
+                verify=self.cluster.verify_ssl,
+                timeout=timeout if timeout is not None else self.timeout,
+                headers=headers)
+        except requests.exceptions.RequestException as e:
+            logger.error(f'Token refresh POST request failed with exception {e}')
+            return False
+        if not response.ok:
+            logger.error(f'Token refresh POST request failed with status {response.status_code} text={response.json()}')
+            return False
+        logger.info(f'Token refresh POST request succedded with status {response.status_code}')
+        resp = response.json()
+
+        self.cluster.access_token = encrypt_value(resp['access_token'])
+        self.cluster.refresh_token = encrypt_value(resp["refresh_token"])
+        self.access_token = resp['access_token']
+        self.cluster.save()
+
+        return True
+
+    def _get_with_reauth(self, url, timeout=None):
+        # try 1st time
         try:
             response = requests.get(
                 url=url,
@@ -95,8 +134,32 @@ def execute_get_one(self, url, timeout=None):
         except requests.exceptions.RequestException as e:
             logger.error(f'GET request failed with exception {e}')
             return None
-        if not response.ok:
-            logger.error(f'GET request failed with status {response.status_code}')
+        if response.ok:
+            return response
+
+        # Try to re-auth only after 401 error
+        logger.error(f'GET request failed with status {response.status_code}')
+        if response.status_code != 401:
+            return response
+        self._reauth()
+
+        # try 2nd time
+        try:
+            response = requests.get(
+                url=url,
+                verify=self.cluster.verify_ssl,
+                timeout=timeout if timeout is not None else self.timeout,
+                headers=self.headers)
+        except requests.exceptions.RequestException as e:
+            logger.error( f'GET request failed with exception {e}')
+            return None
+        logger.error(f'GET after reauth response.status_code={response.status_code}')
+        return  response
+
+    def execute_get_one(self, url, timeout=None):
+        logger.info(f'Executing GET request to {url}')
+        response = self._get_with_reauth(url, timeout=timeout)
+        if response is None or not response.ok:
             return None
         product_name = response.headers.get("X-Api-Product-Name", None)
         if product_name is None or product_name == "AWX":
@@ -228,13 +291,15 @@ def check_aap_version(self):
             if self.cluster.aap_version != ClusterVersionChoices.AAP25:
                 self.cluster.aap_version = ClusterVersionChoices.AAP25
                 self.cluster.save()
+            logger.info(f'Detected AAP version 2.5 at {self.cluster.base_url}')
             return True
 
         is_aap24_instance = self.is_aap24_instance
         if is_aap24_instance:
             if self.cluster.aap_version != ClusterVersionChoices.AAP24:
                 self.cluster.aap_version = ClusterVersionChoices.AAP24
                 self.cluster.save()
+            logger.info(f'Detected AAP version 2.4 at {self.cluster.base_url}')
             return True
         raise Exception(f'Not valid version for cluster {self.cluster.base_url}.')
 
diff --git a/src/backend/apps/clusters/management/commands/setclusters.py b/src/backend/apps/clusters/management/commands/setclusters.py
@@ -95,6 +95,8 @@ def handle(self, *args, **options):
         with transaction.atomic():
             for cluster in yaml_clusters:
                 cluster["access_token"] = encrypt_value(cluster["access_token"])
+                cluster["refresh_token"] = encrypt_value(cluster["refresh_token"])
+                cluster["client_secret"] = encrypt_value(cluster["client_secret"])
                 self.stdout.write(self.style.NOTICE('Adding cluster: address={}'.format(cluster.get("address"))))
                 try:
                     new_cluster = ClusterSettings(**cluster)
diff --git a/src/backend/apps/clusters/migrations/0015_cluster_client_id_cluster_client_secret_and_more.py b/src/backend/apps/clusters/migrations/0015_cluster_client_id_cluster_client_secret_and_more.py
@@ -0,0 +1,32 @@
+# Generated by Django 4.2.17 on 2025-09-11 11:30
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("clusters", "0014_alter_jobtemplate_time_taken_manually_execute_minutes"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="cluster",
+            name="client_id",
+            field=models.CharField(default="", max_length=255),
+        ),
+        migrations.AddField(
+            model_name="cluster",
+            name="client_secret",
+            field=models.BinaryField(
+                default=b"gAAAAABowrLecNtBPqVaiwVCI_HgFVnV7d_UDSeZvGHhUSjSJELYcD03DoyLz6NUy1RGVY5dAP-SsAbBvOkPFzNH4oVbkmurEw=="
+            ),
+        ),
+        migrations.AddField(
+            model_name="cluster",
+            name="refresh_token",
+            field=models.BinaryField(
+                default=b"gAAAAABowrLek-XxeqjYkiXMqHMrnKvHD4KGPTrANcdlUXDnTTbFNrXve3YG87iduL59_nevlZrYVPXueTMGk3UvA6nGJtrQYQ=="
+            ),
+        ),
+    ]
diff --git a/src/backend/apps/clusters/models.py b/src/backend/apps/clusters/models.py
@@ -14,6 +14,7 @@
 from django.db.models import QuerySet
 
 from backend.apps.clusters.schemas import DateRangeSchema, RelatedLinks
+from backend.apps.clusters.encryption import encrypt_value
 
 manual_time = settings.DEFAULT_TIME_TAKEN_TO_MANUALLY_EXECUTE_MINUTES
 automation_time = settings.DEFAULT_TIME_TAKEN_TO_CREATE_AUTOMATION_MINUTES
@@ -42,6 +43,9 @@ class Cluster(CreatUpdateModel):
     address = models.CharField(max_length=255)
     port = models.IntegerField()
     access_token = models.BinaryField()
+    refresh_token = models.BinaryField(default=encrypt_value(''))
+    client_id = models.CharField(max_length=255, default='')
+    client_secret = models.BinaryField(default=encrypt_value(''))
     verify_ssl = models.BooleanField(default=True)
     aap_version = models.CharField(max_length=15, choices=ClusterVersionChoices.choices, default=ClusterVersionChoices.AAP24)
 
diff --git a/src/backend/apps/clusters/schemas.py b/src/backend/apps/clusters/schemas.py
@@ -20,6 +20,9 @@ class ClusterSettings(FrozenModel):
     address: str
     port: int
     access_token: bytes
+    refresh_token: bytes
+    client_id: str
+    client_secret: bytes
     verify_ssl: bool = True
     sync_schedules: List[SyncSchedule] | None = []
 
