@eisenmann-b1
Contributor

This adds token refreshing functionality.

List of changes:

  • Tokens are saved as user attrs in the cache.
  • Add flag --refresh-access-token to oidc_child:
    If set, a refresh token is read from standard input, which is then used to acquire a new set of tokens (access, id, refresh) via the refresh_token grant type.
  • Add option idp_auto_refresh:
    If set to true (default false), tokens are automatically refreshed after reaching half their lifetime.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces OAuth2 token refreshing, both manually via a new oidc_child command and automatically through a new configuration option. The changes span configuration, database schema, the oidc_child tool, and the idp provider. While the overall implementation is solid, I've identified several issues, including copy-paste errors in logging that could be misleading, a critical bug in parsing input that may cause token refresh to fail, and a minor bug where a function's return value is not checked.

Comment on lines +183 to +186
sep = strchr(str, '\n');
if (sep != NULL) {
*sep = '\0';
}
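
Review bot: the `strchr(str, '\n')` search in the first line cuts the buffer at the first line feed only, so a carriage return from CRLF-terminated input stays attached to the value, and anything after that first newline is dropped without an error. Consider trimming a trailing `\r` as well and failing explicitly when the result is empty or when data follows the newline, so a malformed value is rejected here rather than passed on.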

critical

There's a bug here when reading the refresh token from stdin if a client secret is also provided. The str variable points to the client secret at this point, so strchr(str, '\n') will always be NULL. This means a newline at the end of the refresh token will not be stripped, which can break the subsequent POST request. You should search for the newline in *token instead.

    sep = strchr(*token, '\n');
    if (sep != NULL) {
        *sep = '\0';
    }
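
The failure mode described in this review comment, as an added example that is not code from the pull request or from the project: it assumes stdin carries the client secret on the first line and the refresh token on the second, and all function names are hypothetical. `split_buggy` repeats the search on the already-terminated secret, while `split_fixed` searches the token itself, tolerates CRLF and rejects an empty token.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: cut s at its first CR or LF, return the new length. */
static size_t chomp(char *s)
{
    s[strcspn(s, "\r\n")] = '\0';
    return strlen(s);
}

/* Assumed input layout (constructed): "<client secret>\n<refresh token>\n".
 * Mirrors the reported bug: the second search runs on the wrong string. */
int split_buggy(char *buf, char **secret, char **token)
{
    char *sep = strchr(buf, '\n');
    if (sep == NULL) return -1;
    *sep = '\0';                      /* terminates the secret */
    *secret = buf;
    *token = sep + 1;
    sep = strchr(*secret, '\n');      /* secret has no '\n' left: always NULL */
    if (sep != NULL) *sep = '\0';
    return 0;                         /* token keeps its trailing newline */
}

/* Searches the token itself, tolerates CRLF, rejects an empty token. */
int split_fixed(char *buf, char **secret, char **token)
{
    char *sep = strchr(buf, '\n');
    if (sep == NULL) return -1;
    *sep = '\0';
    *secret = buf;
    *token = sep + 1;
    chomp(*secret);                   /* drops a '\r' left by CRLF input */
    return chomp(*token) > 0 ? 0 : -1;
}

int main(void)
{
    char a[] = "s3cret\nrt-constructed\n";   /* constructed sample input */
    char b[] = "s3cret\nrt-constructed\n";
    char *s, *t;
    split_buggy(a, &s, &t);
    printf("buggy token length: %zu\n", strlen(t));
    split_fixed(b, &s, &t);
    printf("fixed token length: %zu\n", strlen(t));
    return 0;
}
```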

@eisenmann-b1 eisenmann-b1 force-pushed the oauth2-cache-and-refresh-tokens branch 2 times, most recently from c5c8af9 to d3ff2c7 Compare January 15, 2026 09:36
@eisenmann-b1 eisenmann-b1 force-pushed the oauth2-cache-and-refresh-tokens branch from d3ff2c7 to e58ab81 Compare January 15, 2026 12:48
@eisenmann-b1 eisenmann-b1 force-pushed the oauth2-cache-and-refresh-tokens branch from e58ab81 to dbc3520 Compare January 21, 2026 16:25