fix(token): prevent reload loop from refresh-token rotation race#1450
Open
solracsf wants to merge 1 commit into
Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
Fix #1449
After #1391 introduced proactive token refresh at half the token lifetime, users on rotating-refresh-token IdPs (reported with Authentik; see #1175 and #1449 for context) get bounced through the full OIDC re-login flow during active sessions, losing unsaved work.
TokenService::checkLoginToken() runs on every request (wired in Application::boot). Once the token passes half-life, every request, including parallel background polls (notifications, user_status heartbeat), attempts a refresh. With refresh-token rotation, two concurrent requests race: the winner refreshes and the IdP rotates/invalidates the old refresh token; the loser then presents that already-rotated token, which the IdP rejects (or treats as token reuse and revokes the whole family). The token can no longer be refreshed, so reauthenticate() issues a hard redirect.

The per-session lock added in #1391 didn't prevent this: its double-check read $this->session (a per-request in-memory snapshot), which is stale on non-locking session backends (Redis/memcached), exactly the setups where parallel requests aren't serialized.
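To make the race concrete, here is an added Python model (not code from user_oidc or from this PR) of two requests that both pass the half-life check holding the same refresh token. The simulated IdP, the shared store and the `reread_under_lock` switch are constructed assumptions; the re-read variant only illustrates why the double-check must consult the shared backend rather than the per-request snapshot, and is not a description of this PR's diff.

```python
class RotatingIdP:
    """Constructed stand-in for an IdP with refresh-token rotation: each
    refresh token is single-use, and presenting an already-rotated one is
    treated as reuse and revokes the whole token family."""
    def __init__(self) -> None:
        self.valid = {"rt-0"}
        self.issued = 0
        self.family_revoked = False

    def refresh(self, refresh_token: str) -> str:
        if self.family_revoked or refresh_token not in self.valid:
            self.family_revoked = True            # reuse detected
            raise PermissionError("invalid_grant")
        self.valid.discard(refresh_token)         # rotate: old token dies
        self.issued += 1
        new_token = f"rt-{self.issued}"
        self.valid.add(new_token)
        return new_token


def check_login_token(idp, store, snapshot, reread_under_lock):
    """One request that is past the token half-life. `store` models the
    shared session backend (Redis/memcached); `snapshot` is this request's
    in-memory copy of the session taken when the request started (the
    $this->session the description refers to). The per-session lock is
    modelled by running requests strictly one after another. Returns what
    the request did: 'refreshed', 'skipped' or 'reauthenticate' (redirect)."""
    current = store if reread_under_lock else snapshot   # the double-check
    if current["refreshed_at"] > snapshot["refreshed_at"]:
        return "skipped"             # another request already refreshed
    try:
        new_rt = idp.refresh(current["refresh_token"])
    except PermissionError:
        return "reauthenticate"      # hard redirect into the login flow
    store["refresh_token"] = new_rt
    store["refreshed_at"] = current["refreshed_at"] + 1
    return "refreshed"


def simulate(reread_under_lock):
    """Two parallel requests (say a page load and a notifications poll) both
    snapshot the session before either refreshes, then serialize on the lock.
    Stale double-check: ['refreshed', 'reauthenticate'] and the family is
    revoked. Re-read under the lock: ['refreshed', 'skipped']."""
    idp = RotatingIdP()
    store = {"refresh_token": "rt-0", "refreshed_at": 0}
    snapshots = [dict(store), dict(store)]       # both taken pre-refresh
    return [check_login_token(idp, store, s, reread_under_lock) for s in snapshots]
```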