
Parallel sessions using the same access tokens

Question asked by Jan Aelbrecht on Feb 13, 2020
Latest reply on Feb 17, 2020 by Jan Aelbrecht




We have an integration which allows us to call the SugarCRM API by using the authentication tokens of a certain SugarCRM user. Now, our customers have a problem: their refresh tokens become invalid (invalid_grant) and we cannot find any way of reproducing this.

As far as I know, refresh tokens only get invalidated whenever a new access token for a certain user is requested under the same platform.


Situation sketch

- One user authenticates with SugarCRM and receives the access (& refresh) token which authenticates our connector

- Then, other users can use this connector to retrieve (meta-)data from SugarCRM

- To realise this, we have a connection pool with a number of HTTP clients which use these tokens (they can be used simultaneously)

- The moment we do an API call, we refresh the token if it is expired (minus an offset of a couple of minutes)

- Refreshing is done synchronized and all clients now use the renewed access token


I read something interesting in this post


"You can't have multiple clients connecting to same Sugar instance using same platform id at same time or you'll run into session conflicts." (Matt Marum)


So my actual question: is it possible that my refresh token is invalidated while using the SugarCRM REST API with multiple HTTP clients at the same time with one access token?


Recently, we also started to get this warning:

Invalid cookie header: "Set-Cookie: AWSALB=qi4YCymX2Y9JifxIhN...vNXPOGlOW2P7KqY7acJgAUdojIlK; Expires=Thu, 20 Feb 2020 08:38:58 GMT; Path=/". Invalid 'expires' attribute: Thu, 20 Feb 2020 08:38:58 GMT 

I don't know if it's relevant.



Thanks for helping
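The pooled-client refresh described in the situation sketch, as an added example that is not part of the original post and not SugarCRM's own code. It assumes a token endpoint that rotates refresh tokens (each refresh token is single-use and the old one is revoked on exchange), which is a constructed stand-in here, not a statement about Sugar's behaviour. The point it demonstrates is the failure mode a pool has to avoid: if two clients ever present the same refresh token, the second exchange is answered with invalid_grant. The `TokenStore` serialises the refresh under a lock and re-checks expiry once the lock is held, so any number of clients noticing expiry at the same moment cause exactly one refresh round trip.

```python
import threading
import time


class InvalidGrant(Exception):
    """Raised by the constructed token endpoint when a refresh token is reused."""


class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth2 token endpoint with single-use
    refresh tokens: the old refresh token is revoked as soon as it is exchanged,
    so presenting it a second time is answered with invalid_grant."""

    def __init__(self, lifetime=3600):
        self._lock = threading.Lock()
        self._valid_refresh = {"rt-0"}   # constructed initial refresh token
        self._serial = 0
        self.lifetime = lifetime
        self.refresh_calls = 0           # how many round trips the pool caused

    def refresh(self, refresh_token):
        with self._lock:
            self.refresh_calls += 1
            if refresh_token not in self._valid_refresh:
                raise InvalidGrant("invalid_grant")
            self._valid_refresh.discard(refresh_token)   # rotation: old token dies
            self._serial += 1
            new_refresh = f"rt-{self._serial}"
            self._valid_refresh.add(new_refresh)
            return {"access_token": f"at-{self._serial}",
                    "refresh_token": new_refresh,
                    "expires_in": self.lifetime}


class TokenStore:
    """Credentials shared by a pool of HTTP clients. The refresh happens only
    under a lock, and expiry is re-checked once the lock is held, so callers
    that all see an expired token still trigger exactly one refresh."""

    def __init__(self, endpoint, access_token, refresh_token, expires_in,
                 skew=120, clock=time.time):
        self._endpoint = endpoint
        self._lock = threading.Lock()
        self._clock = clock
        self._skew = skew                # refresh this many seconds early
        self._install(access_token, refresh_token, expires_in)

    def _install(self, access_token, refresh_token, expires_in):
        self._access = access_token
        self._refresh_token = refresh_token
        self._expires_at = self._clock() + expires_in

    def _expired(self):
        return self._clock() >= self._expires_at - self._skew

    def get_access_token(self):
        if not self._expired():          # fast path: no lock, token still good
            return self._access
        with self._lock:
            if self._expired():          # double-check: a peer may have refreshed
                tok = self._endpoint.refresh(self._refresh_token)
                self._install(tok["access_token"], tok["refresh_token"],
                              tok["expires_in"])
            return self._access


def refresh_under_contention(n_clients=20):
    """Let n_clients threads hit an already-expired TokenStore at the same
    instant. Returns (refresh round trips, distinct access tokens handed out,
    number of invalid_grant errors)."""
    now = [1_000_000.0]                  # constructed, controllable clock
    endpoint = FakeTokenEndpoint()
    # expires_in=0 makes the initial token expired from the first call
    store = TokenStore(endpoint, "at-0", "rt-0", expires_in=0,
                       clock=lambda: now[0])
    seen, errors = [], []
    seen_lock = threading.Lock()
    gate = threading.Barrier(n_clients)  # release all clients together

    def client():
        gate.wait()
        try:
            tok = store.get_access_token()
            with seen_lock:
                seen.append(tok)
        except InvalidGrant as exc:
            errors.append(exc)

    threads = [threading.Thread(target=client) for _ in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return endpoint.refresh_calls, set(seen), len(errors)


def reuse_is_rejected():
    """Two holders of the same refresh token that do not share a TokenStore
    (e.g. two connector instances): the second exchange fails with invalid_grant."""
    endpoint = FakeTokenEndpoint()
    endpoint.refresh("rt-0")
    try:
        endpoint.refresh("rt-0")
    except InvalidGrant:
        return True
    return False


if __name__ == "__main__":
    print(refresh_under_contention())    # (1, {'at-1'}, 0)
    print(reuse_is_rejected())           # True
```

The second function is the case to look for when tokens "randomly" go invalid: a pool that is correctly synchronised within one process still breaks if a second process, a restarted instance, or a stale copy of the credentials refreshes with the same refresh token, because after rotation only the newest refresh token is accepted.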