Problems with token authentication - generated using REST API

Hi,
I want to embed Notebooks in an iframe and therefore would like to authenticate users using only a token in the URL (?token=).

As I don’t want to persist tokens and the REST GET API doesn’t return a value to use, I always generate a new one when the user navigates/refreshes the page; the “expires_in” property is always set.

Problem #1: After some time I see a user token with “expires_at”: null and partial scopes. Is that OK? I always set “expires_in” for all tokens.

Problem #2: After a few token generations (not sure about the exact flow), I start getting 403 and can’t navigate to the Notebook anymore, or sometimes I can navigate, but cell executions just don’t print any results, since the connection to the kernel is failing.
Is there any configuration to fix this? Is my flow of generating a token each time not correct?

Any help/hint will be highly appreciated,
Yan

How do you ‘see’ this? It could be e.g. the server API token that the user’s server uses to talk to the Hub API (it does not expire at a specific time, instead it expires when the server stops).

For problem 2, it would help to see logs surrounding the errors and more configuration of how user servers are spawned and the tokens requested. It should be fine to generate as many tokens as you like.

Thanks a lot @minrk !
#1. I see it using Postman, currently testing user: u15

{
    "user": "u15",
    "id": "a61",
    "kind": "api_token",
    "roles": [],
    "scopes": [
        "read:users:name!user=u15",
        "users:activity!user=u15",
        "access:servers!user=u15",
        "read:users:activity!user=u15",
        "read:users:groups!user=u15"
    ],
    "created": "2022-11-11T12:23:05.065515Z",
    "last_activity": "2022-11-11T12:23:13.312732Z",
    "expires_at": null,
    "note": "Server at /user/u15/",
    "session_id": null,
    "oauth_client": "JupyterHub"
}

#2 I just see that the kernel is in the starting state and it doesn’t change (since yesterday). From the browser debugger, the response to “/user/u15/api/kernels” is:

[{"id": "0bf11953-69b7-4871-a1b7-44e0322bfa6d", "name": "python3", "last_activity": "2022-11-11T12:34:47.410386Z", "execution_state": "starting", "connections": 0}]

Stop/start options from the menu didn’t help.

BTW, if I create a new user + token + server (u16) it works great, but if I start creating more tokens for it, I see the same problem.

Thank you,
Yan

Ok, I am getting closer.
#2 seems like some browser storage problem. When I clear the Chrome cache the problem is solved, but after a while it shows up again.
Maybe when a new token is generated, the browser fails to create/override cookies.

I’ll try to call some request that returns:

Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"

before generating a new token.

This bit:

tells us it’s the server’s own API token. It should go away when the server stops. These tokens will exist while servers are running. They don’t have time-based expiry, but they are revoked at server shutdown.

@minrk Thanks a lot!!!
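
An added example, not code from the thread or from JupyterHub: one way to audit a user's token list for the distinction drawn in the answer above, separating the server's own API token (no time-based expiry, revoked at server shutdown) from requested tokens that should all carry an expiry. The sample records are constructed around the response posted above, and recognizing the server token by its "Server at" note is an assumption drawn from that single record.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the token record posted in the thread.
# Only "a61" comes from the thread; the other ids, notes and expiry
# times are made up for illustration.
SAMPLE_TOKENS = [
    {"id": "a61", "kind": "api_token", "note": "Server at /user/u15/",
     "oauth_client": "JupyterHub", "expires_at": None},
    {"id": "a62", "kind": "api_token", "note": "iframe embed",
     "expires_at": "2022-11-11T12:53:05.000000Z"},
    {"id": "a63", "kind": "api_token", "note": "iframe embed",
     "expires_at": "2022-11-11T13:30:00.000000Z"},
    {"id": "a64", "kind": "api_token", "note": "iframe embed",
     "expires_at": None},
]
# Constructed "current time" so the sample gives a stable result.
SAMPLE_NOW = datetime(2022, 11, 11, 13, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse timestamps in the thread's format (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(token, now):
    """Return one of: server-token, no-expiry, expired, active."""
    expires_at = token.get("expires_at")
    if expires_at is None:
        # Assumption: the server's own token carries a "Server at ..." note,
        # as in the record posted in the thread.
        if (token.get("note") or "").startswith("Server at "):
            return "server-token"
        # A requested token without expiry is the case worth investigating
        # when every request is supposed to set expires_in.
        return "no-expiry"
    return "expired" if parse_ts(expires_at) <= now else "active"


def audit(tokens, now=None):
    """Group token ids by classification."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for token in tokens:
        report.setdefault(classify(token, now), []).append(token["id"])
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_TOKENS, SAMPLE_NOW))
```
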