Refresh OAuth2 tokens automatically#8355
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces OAuth2 token refreshing, both manually via a new oidc_child command and automatically through a new configuration option. The changes span configuration, database schema, the oidc_child tool, and the idp provider. While the overall implementation is solid, I've identified several issues, including copy-paste errors in logging that could be misleading, a critical bug in parsing input that may cause token refresh to fail, and a minor bug where a function's return value is not checked.
eisenmann-b1
force-pushed
the
oauth2-cache-and-refresh-tokens
branch
2 times, most recently
from
c5c8af9 to
d3ff2c7
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
eisenmann-b1
force-pushed
the
oauth2-cache-and-refresh-tokens
branch
2 times, most recently
from
e58ab81 to
dbc3520
Compare
eisenmann-b1
force-pushed
the
oauth2-cache-and-refresh-tokens
branch
5 times, most recently
from
0f6575c to
1e9233f
Compare
eisenmann-b1
force-pushed
the
oauth2-cache-and-refresh-tokens
branch
2 times, most recently
from
80f541f to
c7cc462
Compare
eisenmann-b1
force-pushed
the
oauth2-cache-and-refresh-tokens
branch
from
c7cc462 to
1f8a5f4
Compare
|
Hi @eisenmann-b1 , While @sumit-bose and @alexey-tikhonov are reviewing the code, I'd like to get an idea of how urgent this PR is. Can you let us know when you are looking to get this merged? And for what target distro you'd like to be able to start using it? This will help us plan for testing this PR as well as potentially expanding existing tests to cover this. Thanks, |
|
Hi @spoore1,
Well, I just hope it makes it into 2.13 :)
I am currently using Ubuntu 24.04 for testing it, but I don't think anything in here is platform-specific. |
4 participants
This adds token refreshing functionality.
List of changes:
Getting the tokens from cache currently requires the use of 3rd party tools, like ldbsearch.
If support for the systemd-userdb varlink interface is added In the future, the tokens could be exposed there as privileged user attributes.
--refresh-access-tokentooidc_child:If set, a refresh token is read from standard input, that is then used to acquire a new set of tokens (access, id, refresh) via
refresh_tokengrant type.idp_auto_refresh:If set to
true(defaultfalse), tokens are automatically refreshed after reaching half their lifetime.A refresh is scheduled after successful authentication.
The event is stored in a hash table with user UUID as key, so there will be at most one refresh scheduled per user.
For now, refreshes are not scheduled from cache, i.e. restarting sssd will stop refreshes.