From 0fcd584b654ff26b6b2e272b7fe0ca425f3a1056 Mon Sep 17 00:00:00 2001
From: Michael Cardenas
Date: Mon, 16 Sep 2024 14:38:52 -0700
Subject: [PATCH 1/6] Add token within expiry grace period check

---
 client.go | 8 +++++++-
 tokencache/cache_token_source.go | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/client.go b/client.go
index 8dc418a..6c8502a 100644
--- a/client.go
+++ b/client.go
@@ -15,7 +15,8 @@ import (
 
 const (
 // ScopeOfflineAccess requests a refresh token
- ScopeOfflineAccess = "offline_access"
+ ScopeOfflineAccess = "offline_access"
+ TokenExpirationGracePeriod = time.Duration(30 * time.Second)
 )
 
 type KeySource interface {
@@ -159,6 +160,11 @@ func (t *Token) Valid() bool {
 t.IDToken != ""
 }
 
+func (t *Token) WithinGracePeriod() bool {
+ gracePeriodStart := t.Claims.Expiry.Time().Add(-TokenExpirationGracePeriod)
+ return gracePeriodStart.Before(time.Now()) && t.Valid()
+}
+
 // Type of the token
 func (t *Token) Type() string {
 // only thing we support for now
diff --git a/tokencache/cache_token_source.go b/tokencache/cache_token_source.go
index 00f0642..c84054e 100644
--- a/tokencache/cache_token_source.go
+++ b/tokencache/cache_token_source.go
@@ -87,7 +87,7 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 }
 
 var newToken *oidc.Token
- if token != nil && token.Valid() {
+ if token != nil && token.Valid() && !token.WithinGracePeriod() {
 return token, nil
 } else if token != nil && token.RefreshToken != "" {
 // we have an expired token, try and refresh if we can.
From 112f5eafd9b42569fcf6f541d003558920794c2c Mon Sep 17 00:00:00 2001
From: Michael Cardenas
Date: Tue, 17 Sep 2024 12:11:54 -0700
Subject: [PATCH 2/6] Migrate WithinGracePeriod

---
 client.go | 8 +-------
 tokencache/cache_token_source.go | 12 +++++++++++-
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/client.go b/client.go
index 6c8502a..8dc418a 100644
--- a/client.go
+++ b/client.go
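Review bot: The exported constant `TokenExpirationGracePeriod` added to the const block in client.go (PATCH 1/6) has no doc comment, and the `time.Duration(...)` wrapper is redundant because `30 * time.Second` already has type `time.Duration`. I would write `TokenExpirationGracePeriod = 30 * time.Second` with a comment above it such as `// TokenExpirationGracePeriod is how long before expiry a token is treated as due for refresh.` The hunk adds no `time` import, so this relies on client.go already importing it; the import block is outside the hunk.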
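Review bot: `WithinGracePeriod` in client.go (PATCH 1/6) measures the window from `t.Claims.Expiry`, while `Valid()` starts above this hunk and only its `t.IDToken != ""` tail is visible, so it may be judging expiry from a different field. If the two timestamps can differ, a token could be reported as outside the grace period just before `Valid()` turns false, and the early refresh would not happen. Please confirm both read the same expiry and say so in a doc comment, which an exported method needs anyway, e.g. `// WithinGracePeriod reports whether the token is still valid but expires in less than TokenExpirationGracePeriod.` Putting the validity check first also reads more directly: `return t.Valid() && time.Until(t.Claims.Expiry.Time()) < TokenExpirationGracePeriod`.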
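Review bot: In `cachingTokenSource.Token` (tokencache/cache_token_source.go, PATCH 1/6) a cached token that is still valid but inside the grace period now falls into the `else if token != nil && token.RefreshToken != ""` branch, whose comment still says `// we have an expired token`. A near-expiry token without a refresh token skips both branches and reaches code that is outside the hunk, so it is not visible here whether the still-valid token is kept as a fallback when the refresh or fetch fails. If discarding it is intended, update the comment to something like `// token is expired or about to expire; refresh if we can`. The series adds no test for the new boundary; cases with expiry just inside and just outside the 30-second window would pin the behaviour.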
@@ -15,8 +15,7 @@ import (
 
 const (
 // ScopeOfflineAccess requests a refresh token
- ScopeOfflineAccess = "offline_access"
- TokenExpirationGracePeriod = time.Duration(30 * time.Second)
+ ScopeOfflineAccess = "offline_access"
 )
 
 type KeySource interface {
@@ -160,11 +159,6 @@ func (t *Token) Valid() bool {
 t.IDToken != ""
 }
 
-func (t *Token) WithinGracePeriod() bool {
- gracePeriodStart := t.Claims.Expiry.Time().Add(-TokenExpirationGracePeriod)
- return gracePeriodStart.Before(time.Now()) && t.Valid()
-}
-
 // Type of the token
 func (t *Token) Type() string {
 // only thing we support for now
diff --git a/tokencache/cache_token_source.go b/tokencache/cache_token_source.go
index c84054e..15ba92c 100644
--- a/tokencache/cache_token_source.go
+++ b/tokencache/cache_token_source.go
@@ -3,10 +3,15 @@ package tokencache
 import (
 "context"
 "fmt"
+ "time"
 
 "github.com/pardot/oidc"
 )
 
+const (
+ TokenExpirationGracePeriod = time.Duration(30 * time.Second)
+)
+
 type cachingTokenSource struct {
 src oidc.TokenSource
 cache CredentialCache
@@ -87,7 +92,7 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 }
 
 var newToken *oidc.Token
- if token != nil && token.Valid() && !token.WithinGracePeriod() {
+ if token != nil && token.Valid() && !c.WithinGracePeriod(token) {
 return token, nil
 } else if token != nil && token.RefreshToken != "" {
 // we have an expired token, try and refresh if we can.
@@ -114,3 +119,8 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 
 return newToken, nil
 }
+
+func (c *cachingTokenSource) WithinGracePeriod(token *oidc.Token) bool {
+ gracePeriodStart := token.Claims.Expiry.Time().Add(-TokenExpirationGracePeriod)
+ return gracePeriodStart.Before(time.Now()) && token.Valid()
+}
From 49e3237e5ccf6eb03d7558e707b3c2ea8675fb02 Mon Sep 17 00:00:00 2001
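Review bot: The helper added at the end of tokencache/cache_token_source.go (PATCH 2/6) now takes the token as a parameter and dereferences `token.Claims` with no nil guard, so it is only safe because the one visible call site tests `token != nil` first. That precondition should be written down, for example `// WithinGracePeriod reports whether token expires in less than TokenExpirationGracePeriod; token must be non-nil.` The trailing `&& token.Valid()` repeats a check the caller in `Token` has already made on the same line. Either drop it or keep it and note in the comment that the helper is meant to be usable on its own.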
From: Michael Cardenas
Date: Tue, 17 Sep 2024 12:50:15 -0700
Subject: [PATCH 3/6] Deassociate

---
 tokencache/cache_token_source.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tokencache/cache_token_source.go b/tokencache/cache_token_source.go
index 15ba92c..63cf9d9 100644
--- a/tokencache/cache_token_source.go
+++ b/tokencache/cache_token_source.go
@@ -92,7 +92,7 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 }
 
 var newToken *oidc.Token
- if token != nil && token.Valid() && !c.WithinGracePeriod(token) {
+ if token != nil && token.Valid() && TokenWithinGracePeriod(token) {
 return token, nil
 } else if token != nil && token.RefreshToken != "" {
 // we have an expired token, try and refresh if we can.
@@ -120,7 +120,7 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 return newToken, nil
 }
 
-func (c *cachingTokenSource) WithinGracePeriod(token *oidc.Token) bool {
+func TokenWithinGracePeriod(token *oidc.Token) bool {
 gracePeriodStart := token.Claims.Expiry.Time().Add(-TokenExpirationGracePeriod)
 return gracePeriodStart.Before(time.Now()) && token.Valid()
 }
From 8e9a56f7256e28ab2468999834760c7f1f06caf9 Mon Sep 17 00:00:00 2001
From: Michael Cardenas
Date: Tue, 17 Sep 2024 12:50:49 -0700
Subject: [PATCH 4/6] Not

---
 tokencache/cache_token_source.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tokencache/cache_token_source.go b/tokencache/cache_token_source.go
index 63cf9d9..d500116 100644
--- a/tokencache/cache_token_source.go
+++ b/tokencache/cache_token_source.go
@@ -92,7 +92,7 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 }
 
 var newToken *oidc.Token
- if token != nil && token.Valid() && TokenWithinGracePeriod(token) {
+ if token != nil && token.Valid() && !TokenWithinGracePeriod(token) {
 return token, nil
 } else if token != nil && token.RefreshToken != "" {
 // we have an expired token, try and refresh if we can.
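Review bot: The condition in `Token` lost its negation in PATCH 3/6: `!c.WithinGracePeriod(token)` became `TokenWithinGracePeriod(token)`. At that commit the cache hands back a token only when it is about to expire and sends every token with more than 30 seconds left down the refresh path. PATCH 4/6 restores the `!`, but the intermediate commit inverts the caching decision, so squashing 3/6 into 4/6 would keep every commit in the series correct for bisecting. The line in 3/6 should already read `if token != nil && token.Valid() && !TokenWithinGracePeriod(token) {`. A unit test that calls `Token` with a fresh cached token would have caught the slip.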
From 05e651a5067078424ad57aa830f5717bd0b00855 Mon Sep 17 00:00:00 2001
From: Michael Cardenas
Date: Wed, 18 Sep 2024 05:44:26 -0700
Subject: [PATCH 5/6] Unexport

---
 tokencache/cache_token_source.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tokencache/cache_token_source.go b/tokencache/cache_token_source.go
index d500116..b03ce9c 100644
--- a/tokencache/cache_token_source.go
+++ b/tokencache/cache_token_source.go
@@ -92,7 +92,7 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 }
 
 var newToken *oidc.Token
- if token != nil && token.Valid() && !TokenWithinGracePeriod(token) {
+ if token != nil && token.Valid() && !tokenWithinGracePeriod(token) {
 return token, nil
 } else if token != nil && token.RefreshToken != "" {
 // we have an expired token, try and refresh if we can.
@@ -120,7 +120,7 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 return newToken, nil
 }
 
-func TokenWithinGracePeriod(token *oidc.Token) bool {
+func tokenWithinGracePeriod(token *oidc.Token) bool {
 gracePeriodStart := token.Claims.Expiry.Time().Add(-TokenExpirationGracePeriod)
 return gracePeriodStart.Before(time.Now()) && token.Valid()
 }
From 8bd9ccfc691f01528731d1452c34b0efea652f7a Mon Sep 17 00:00:00 2001
From: Michael Cardenas
Date: Wed, 18 Sep 2024 06:12:42 -0700
Subject: [PATCH 6/6] Unexport var

---
 tokencache/cache_token_source.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tokencache/cache_token_source.go b/tokencache/cache_token_source.go
index b03ce9c..6e9ec94 100644
--- a/tokencache/cache_token_source.go
+++ b/tokencache/cache_token_source.go
@@ -9,7 +9,7 @@ import (
 )
 
 const (
- TokenExpirationGracePeriod = time.Duration(30 * time.Second)
+ tokenExpirationGracePeriod = time.Duration(30 * time.Second)
 )
 
 type cachingTokenSource struct {
@@ -121,6 +121,6 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 }
 
 func tokenWithinGracePeriod(token *oidc.Token) bool {
- gracePeriodStart := token.Claims.Expiry.Time().Add(-TokenExpirationGracePeriod)
+ gracePeriodStart := token.Claims.Expiry.Time().Add(-tokenExpirationGracePeriod)
 return gracePeriodStart.Before(time.Now()) && token.Valid()
 }