jdavcs
Member

@jdavcs jdavcs commented Sep 26, 2025

Fixes #20855

We check for the refresh token's expiration in user_authnz_token.extra_data, which must have worked for other providers. For tapis, however, this does not work because tapis stores the following data structure in the extra_data field:

{
 'access_token': [token code],
 'auth_time': 1757700000,
 'refresh_token': {
    'expires_at': '[date/time data]',
    'expires_in': 31500000,
    'jti': [jti],
    'refresh_token': [refresh token code]
 },
 'token_type': None
}

As a result, this warning is logged on each web transaction: "No expires or expires_in key found in token extra data, cannot refresh".

@nuwang: w.r.t. your comment, I don't think we should fix this in the tapis implementation: we have only one extra_data field, and it's already storing other data including the mapping that contains these keys. Even if we override set_extra_data, I don't think we should store refresh token expiration data alongside the access token data (by flattening the data). Let me know if you had a different approach in mind.

This solution also fixes a bug: in the current code, if the expires or expires_at key exists in the extra_data dictionary, but the value is None, this line will cause a TypeError.

This has been tested on cfde-galaxy-dev.

NOTE: Due to this bug, token refreshing functionality was broken. Fixing it will result in, potentially, spamming tapis with token refresh attempts - I don't know whether that will cause a problem; and if it does, we should disable token refreshing until we have a better solution (see related discussion: #20821)
(ping @natefoo)

How to test the changes?

(Select all options that apply)

  • I've included appropriate automated tests.
  • This is a refactoring of components with existing test coverage.
  • Instructions for manual testing are as follows:
    1. [add testing steps and prerequisites here if you didn't write automated tests covering all your changes]

License

  • I agree to license these and all my past contributions to the core galaxy codebase under the MIT license.

Accommodates tapis provider
@jdavcs jdavcs requested review from dannon and nuwang September 26, 2025 02:29
@jdavcs jdavcs added kind/bug area/auth Authentication and authorization labels Sep 26, 2025
@github-actions github-actions bot added this to the 25.1 milestone Sep 26, 2025
@dannon dannon merged commit 7a5abce into galaxyproject:release_25.0 Sep 30, 2025
51 of 53 checks passed
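
An added example, not the code merged in this pull request: a lookup that reads the token lifetime from either a flat extra_data layout or the nested tapis layout shown in the description, and treats a None value as missing instead of raising TypeError. The function names, the sample records and the auth_time + lifetime calculation are assumptions made for illustration.

```python
from collections.abc import Mapping
from typing import Any, Optional

# Key names taken from the warning quoted in the description.
LIFETIME_KEYS = ("expires", "expires_in")


def _as_seconds(value: Any) -> Optional[int]:
    """Return value as a non-negative int, or None if missing or unusable."""
    if value is None or isinstance(value, bool):
        return None
    try:
        seconds = int(value)
    except (TypeError, ValueError, OverflowError):
        return None
    return seconds if seconds >= 0 else None


def token_lifetime(extra_data: Optional[Mapping]) -> Optional[int]:
    """Look for a lifetime at the top level, then under 'refresh_token'."""
    if not extra_data:
        return None
    candidates = [extra_data]
    nested = extra_data.get("refresh_token")
    if isinstance(nested, Mapping):  # tapis layout; other providers store a string
        candidates.append(nested)
    for mapping in candidates:
        for key in LIFETIME_KEYS:
            seconds = _as_seconds(mapping.get(key))
            if seconds is not None:
                return seconds
    return None


def expiry_epoch(extra_data: Optional[Mapping]) -> Optional[int]:
    """auth_time + lifetime in epoch seconds, or None if either is unavailable."""
    lifetime = token_lifetime(extra_data)
    auth_time = _as_seconds((extra_data or {}).get("auth_time"))
    if lifetime is None or auth_time is None:
        return None
    return auth_time + lifetime


# Constructed sample records; token values are placeholders.
FLAT = {"access_token": "A", "auth_time": 1757700000, "expires_in": 3600}
TAPIS = {"access_token": "A", "auth_time": 1757700000, "token_type": None,
         "refresh_token": {"expires_in": 31500000, "jti": "J", "refresh_token": "R"}}
NULL_VALUE = {"access_token": "A", "auth_time": 1757700000, "expires": None}
```

A caller that gets None back can skip the refresh and log the condition once, rather than on every request.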