Handle 401 Unauthorized errors by refreshing and retrying token in FMC scripts #46
Description
Problem
When using the CiscoFMC integration scripts (add_ip.py, remove_ip.py, etc.), a 401 Unauthorized error ("Access token invalid") can occur if the access token is expired or invalid. Currently, the scripts do not automatically handle this error by refreshing the token and retrying the API call. This results in failed operations and requires manual intervention.
Impact
- Operations that require authentication (such as adding or removing an IP from a Dynamic Object) may fail unexpectedly when the token is expired.
- Users must manually re-run scripts or refresh tokens, reducing automation reliability.
Proposed Solution
- In all scripts that make authenticated API calls to Cisco FMC (e.g., add_ip.py, remove_ip.py, ciscofmc_authorization.py, ciscofmc_test.py), implement logic to detect a 401 response.
- On receiving a 401, call
get_auth_token()to refresh the token and retry the failed request once automatically. - If the retry also fails, log the failure and return an error as before.
Acceptance Criteria
- All relevant scripts automatically attempt to refresh the token and retry the API call on 401 Unauthorized.
- The solution is implemented in at least add_ip.py, remove_ip.py, ciscofmc_authorization.py, and ciscofmc_test.py.
- Logging clearly documents token refresh and retry attempts.
References
- User request and troubleshooting session: https://github.com/Forescout/eyeExtend-Connect/discussions/xxx (replace with appropriate discussion if exists)
- Example log output for 401 errors:
'Access token invalid.'
Labels: bug, authentication, token, 401