Check expiry of the cached OIDC token introspections #43994

Merged

Conversation

sberyozkin
Member

When the opaque token is introspected remotely, its expiry time is checked and then it can be optionally saved in the token introspection cache. If it goes to the cache then its validity period becomes equal to the cache entry time to live.

This PR checks the token introspection expiry time even when it is cached, and removes it from the cache eagerly if the introspection has expired.

Right now this is only done at the default token introspection cache level; custom ones should be managing expired token introspections themselves.
I've tried to make this PR work even for custom token introspection caches to make it easier for custom caches, but the PR becomes more involved and may not be backportable, as a new TokenIntrospectionCache.remove method is required, so I'll deal with it later.

Added a test to confirm that when the token introspection has expired, with the cache entry time to live being significantly larger (tokens are valid for 10 or 3 secs, the cache entry for 3 mins), then the token introspection which is valid for 3 secs will be removed after 5 secs.
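
The behaviour described above, as an added sketch that is not code from this PR or from Quarkus: a cache lookup that checks the introspection's own expiry in addition to the entry time to live, and evicts eagerly. The class, record and method names are hypothetical, and the timings mirror the test described in the PR (tokens valid for 10 or 3 secs, cache entry for 3 mins).

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative sketch only: every name here is hypothetical, not a Quarkus API.
public class IntrospectionCacheSketch {
    // Cached introspection: the token's own "exp" (epoch seconds) and when it was cached.
    record Entry(long tokenExpEpochSec, long cachedAtEpochSec) {}

    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final long timeToLiveSec;

    IntrospectionCacheSketch(long timeToLiveSec) {
        this.timeToLiveSec = timeToLiveSec;
    }

    void put(String token, long tokenExpEpochSec, long nowEpochSec) {
        cache.put(token, new Entry(tokenExpEpochSec, nowEpochSec));
    }

    // True only if the cached introspection may still be trusted at nowEpochSec.
    boolean isUsable(String token, long nowEpochSec) {
        Entry e = cache.get(token);
        if (e == null) {
            return false; // cache miss: the caller has to introspect remotely
        }
        boolean ttlElapsed = nowEpochSec >= e.cachedAtEpochSec() + timeToLiveSec;
        // Without this second check a token stays accepted until the TTL elapses.
        boolean tokenExpired = nowEpochSec >= e.tokenExpEpochSec();
        if (ttlElapsed || tokenExpired) {
            cache.remove(token, e); // evict eagerly instead of waiting for the TTL
            return false;
        }
        return true;
    }

    int size() {
        return cache.size();
    }

    public static void main(String[] args) {
        long t0 = 1_700_000_000L; // constructed timestamp
        IntrospectionCacheSketch c = new IntrospectionCacheSketch(180); // 3 min TTL
        c.put("opaque-10s", t0 + 10, t0); // constructed tokens
        c.put("opaque-3s", t0 + 3, t0);
        System.out.println("3s token usable at +1s:  " + c.isUsable("opaque-3s", t0 + 1));
        System.out.println("3s token usable at +5s:  " + c.isUsable("opaque-3s", t0 + 5));
        System.out.println("10s token usable at +5s: " + c.isUsable("opaque-10s", t0 + 5));
        System.out.println("entries left in cache:   " + c.size());
    }
}
```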

quarkus-bot bot commented Oct 21, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit eeed776.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@sberyozkin sberyozkin merged commit 1b11ce1 into quarkusio:main Oct 21, 2024
23 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.17 - main milestone Oct 21, 2024
@sberyozkin sberyozkin deleted the oidc_token_introspection_expired_token branch October 21, 2024 15:26
@gsmet gsmet modified the milestones: 3.17 - main, 3.16.0 Oct 21, 2024