Unverified Commit eed87c4c authored by John Davis's avatar John Davis Committed by GitHub
Browse files

Merge pull request #20821 from jdavcs/24.2_refresh_token 

[24.2] Fix token refresh bug (cilogon)
parents 4ea216f0 7041b6ba

lib/galaxy/authnz/custos_authnz.py

+12 −4
Original line number Diff line number Diff line
@@ -123,11 +123,19 @@ class OIDCAuthnzBase(IdentityProvider): 
            return False

        if not custos_authnz_token.refresh_token:

            return False



        # Try to extract expiration date from the refresh token. If expired, do not refresh token.

        try:

            refresh_token_decoded = self._decode_token_no_signature(custos_authnz_token.refresh_token)

            # do not attempt to use refresh token that is already expired

            if int(refresh_token_decoded["exp"]) <= int(time.time()):

                # in the future we might want to log out the user here

                return False

        except jwt.exceptions.DecodeError:

            log.warning("Refresh token cannot be decoded. Galaxy does not support non-decodable refresh tokens.")

            # If the refresh token is non-decodable, we do not use it because we cannot reliably determine its expiration date. See discussion in https://github.com/galaxyproject/galaxy/pull/20821

            return False



        oauth2_session = self._create_oauth2_session()

        token_endpoint = self.config.token_endpoint

        if self.config.iam_client_secret: