Skip to content

[23.1] Renew access tokens from PSA using valid refresh tokens #20040

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: release_23.1
Choose a base branch
from
Open

[23.1] Renew access tokens from PSA using valid refresh tokens #20040

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion lib/galaxy/authnz/psa_authnz.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,7 +179,11 @@ def refresh(self, trans, user_authnz_token):
else:
log.debug("No `expires` or `expires_in` key found in token extra data, cannot refresh")
return False
if int(user_authnz_token.extra_data["auth_time"]) + int(expires) / 2 <= int(time.time()):
if (
int(user_authnz_token.extra_data["auth_time"]) + int(expires) / 2
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if the expires is "seconds to expire from issue time" then this comparison is broken I think

<= int(time.time())
< int(user_authnz_token.extra_data["auth_time"]) + int(expires)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tokens I am getting have e.g. "exp": 1739534619 so the operation you are doing here will compare to year ~2080. I think you just need the expiration time here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's confusing. In the database (table oidc_user_authnz_tokens), I have tokens with provider in ('elixir', 'egi-checkin') (those are the only providers) and their extra_data looks like this.

{
  "access_token": "************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
  "auth_time": 1738768462,
  "expires_in": 3600,
  "id_token": "**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
  "refresh_token": "*************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
  "token_type": "Bearer"
}

Don't the tokens you are referring to come from table custos_authnz_token? Those indeed seem to use an expiration timestamp (rather than an increment that has to be added to a timestamp).

Copy link
Member

@martenson martenson Apr 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kysrpex ugh, that is a disastrous split on how to handle this. :/

Maybe just my tokens (which are indeed from custos_authnz_token) are different, however on L174 you are checking for expires in addition to expires_in though -- could these two have different handling even in the same codepath?

):
on_the_fly_config(trans.sa_session)
if self.config["provider"] == "azure":
self.refresh_azure(user_authnz_token)
Expand Down
Loading