Skip to content

Trusted Publishing: include an expiration key in the mint-token response? #18235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
woodruffw opened this issue Jun 5, 2025 · 1 comment · May be fixed by #18238
Open

Trusted Publishing: include an expiration key in the mint-token response? #18235

woodruffw opened this issue Jun 5, 2025 · 1 comment · May be fixed by #18238
Labels
feature request trusted-publishing

Comments

@woodruffw
Copy link
Member

Filing this for discussion/feedback before I send a small PR 🙂

This idea came out of a discussion with @sigmavirus24 via the "automatic token refresh" idea in pypa/twine#1246 -- the basic idea there is that twine (and other tools) want to automatically refresh their TP-issued API tokens so that long-running multi-file uploads don't fail when the token expires between files.

From this, the observation is that twine (and other tools) need a way to know when they should refresh the API token. To do this they need to know when the token is going to expire, so that they can refresh with sufficient leeway.

This is technically possible today: any tool that uses the mint-token endpoint to do a TP exchange can decode the resulting macaroon and extract the expiration caveat. However, doing so means employing a macaroon deserializer, which is a nontrivial dependency to add to foundational dependencies like twine. Additionally, it requires client tools to track and maintain compatibility with PyPI's caveat encoding, which is not a public API (and has changed in the past).

Proposed solution

Rather than requiring tools to decode and consume the macaroon's caveat, the mint-token endpoint could duplicate the expiry directly in the response.

This should be trivial to do, since the expiry is computed directly in the mint_token helper right before being added to its caveat:

warehouse/warehouse/oidc/views.py

Line 278 in bb6a22c

expires_at = not_before + 900

In effect, the success response from mint-token would change from:

{
  "success": true,
  "token": "pypi-..."
}

to:

{
  "success": true,
  "token": "pypi-...",
  "expires": <unix timestamp>
}

...where <unix timestamp> is the exact same timestamp as in the macaroon's expiration caveat.

I believe this poses no significant backwards compatibility risk, since it's a new field.

Alternatives considered

  1. Instead of attempting to refresh the token "intelligently," tools could refresh it on every file upload. This would work and avoid the immediate expiration problem, but would result in a much larger volume of security event noise (since each TP exchange produces a project-level security event).
  2. Tools could absorb a bit of additional complexity and decode the Macaroon themselves, although this would come with compatibility risks around the caveat encoding.

CC @di @ewdurbin @miketheman for thoughts 🙂
@sigmavirus24
Copy link
Contributor

Other idea is for tools to know when they got the response and guesstimate the issue time to track when they might need to replace it but that introduces a hard-coded value potentially which could be wrong later if PyPI changes validity periods for the token

This was referenced Jun 7, 2025
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request trusted-publishing
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

oidc: add expiry key to mint_token response woodruffw-forks/warehouse
2 participants
@sigmavirus24 @woodruffw