From 48a8c411917bcf6e9d43e2d31a2a19f6f226131f Mon Sep 17 00:00:00 2001
From: Gregory Cage
Date: Fri, 13 Jun 2025 16:02:25 -0400
Subject: [PATCH 1/2] Refresh expired tokens when verifying incoming tokens
---
 lib/galaxy/authnz/custos_authnz.py | 3 ++-
 lib/galaxy/authnz/managers.py | 6 +++---
 lib/galaxy/authnz/psa_authnz.py | 9 +++++----
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index c69b415673..d8fd3a6f5f 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
@@ -128,7 +128,7 @@ class OIDCAuthnzBase(IdentityProvider):
 # do not refresh tokens if last token is too old
 skip_old_tokens_threshold_seconds = skip_old_tokens_threshold_days * 86400 # 86400 seconds in a day
 if int(id_token_decoded["iat"]) + skip_old_tokens_threshold_seconds < int(time.time()):
- return False
+ raise Exception("Expired Tokens. User needs to sign in.")
 oauth2_session = self._create_oauth2_session()
 token_endpoint = self.config.token_endpoint
@@ -590,6 +590,7 @@ class OIDCAuthnzBase(IdentityProvider):
 custos_authnz_token = self._get_custos_authnz_token(sa_session, user_id, self.config.provider)
 user = custos_authnz_token.user if custos_authnz_token else None
+ self.refresh(sa_session, custos_authnz_token, 90)
 return user, decoded_jwt
diff --git a/lib/galaxy/authnz/managers.py b/lib/galaxy/authnz/managers.py
index 0a08b56326..ac89b40dce 100644
--- a/lib/galaxy/authnz/managers.py
+++ b/lib/galaxy/authnz/managers.py
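Review bot: Replacing `return False` with `raise Exception("Expired Tokens. User needs to sign in.")` turns an expected policy outcome (stored token older than the threshold) into a generic exception, and the new `self.refresh(sa_session, custos_authnz_token, 90)` call in the hunk at line 590 runs on the token-verification path with no handler, so a request carrying a valid JWT for a user whose stored token is over 90 days old now ends in an unhandled exception instead of returning `(user, decoded_jwt)`; the same applies to psa_authnz.py's hunks at lines 195 and 329. Only the manager's own `backend.refresh(...)` call in managers.py sits inside a try/except. If forcing re-login after the threshold is intended, raise a dedicated type, e.g. `class TokenTooOldError(Exception): ...`, and catch exactly that in the verification caller so it rejects the request deliberately rather than through a generic failure. The enclosing refresh method starts before this hunk.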
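Review bot: `self.refresh(sa_session, custos_authnz_token, 90)` is called even when `custos_authnz_token` is None, which the preceding `if custos_authnz_token else None` explicitly allows; psa_authnz.py's refresh returns False for a missing token, but whether the custos refresh does is not visible here, so a guard is needed unless that is confirmed. The return value is also discarded, and the 90-day threshold is hard-coded here and again in psa_authnz.py's verification hunk while managers.py passes 30 to the same method, so the scheduled refresh and the per-request refresh enforce different maximum token ages. Suggest `if custos_authnz_token:` around the call and one named constant (e.g. `MAX_TOKEN_AGE_DAYS` — placeholder name) shared by both providers. The enclosing method starts before this hunk.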
@@ -298,16 +298,16 @@ class AuthnzManager:
 msg = f"An error occurred when refreshing user token on `{auth.provider}` identity provider: {message}"
 log.error(msg)
 return False
- refreshed = backend.refresh(trans, auth, 30)
+ refreshed = backend.refresh(trans.sa_session, auth, 30)
 if refreshed:
 log.debug(f"Refreshed user token via `{auth.provider}` identity provider")
 return True
 except BlockingIOError:
 log.debug("Another process is refreshing, skipping")
 return True
- except Exception:
+ except Exception as e:
 log.exception("An error occurred when refreshing user token")
- return False
+ raise e
 
 def refresh_expiring_oidc_tokens(self, trans, user=None):
 user = trans.user or user
diff --git a/lib/galaxy/authnz/psa_authnz.py b/lib/galaxy/authnz/psa_authnz.py
index 65ef74f312..70451874d3 100644
--- a/lib/galaxy/authnz/psa_authnz.py
+++ b/lib/galaxy/authnz/psa_authnz.py
@@ -180,7 +180,7 @@ class PSAAuthnz(IdentityProvider):
 extra_data["expires"] = int(expires - time.time())
 user_authnz_token.set_extra_data(extra_data)
 
- def refresh(self, trans, user_authnz_token, skip_old_tokens_threshold_days):
+ def refresh(self, sa_session, user_authnz_token, skip_old_tokens_threshold_days):
 if not user_authnz_token or not user_authnz_token.extra_data:
 return False
 # refresh tokens if they reached their half lifetime
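Review bot: The `refresh` signature changes its second parameter from `trans` to `sa_session` without any docstring, so callers cannot tell from the method what it now expects or what it does with the token; the contract is non-trivial, since the next hunk returns False for a missing token but raises for one older than `skip_old_tokens_threshold_days`. Suggest a docstring after the `def` line, e.g. `"""Refresh user_authnz_token via sa_session once it passes half its lifetime; return False if there is nothing to refresh and raise if auth_time is older than skip_old_tokens_threshold_days."""`. Any external caller still passing a `trans` object may now fail at attribute access deep inside rather than at the call site, which is worth checking across the repository. The method body continues in the next hunk.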
@@ -195,17 +195,17 @@ class PSAAuthnz(IdentityProvider):
 # do not refresh tokens if last token is too old
 skip_old_tokens_threshold_seconds = skip_old_tokens_threshold_days * 86400 # 86400 seconds in a day
 if int(user_authnz_token.extra_data["auth_time"]) + skip_old_tokens_threshold_seconds < int(time.time()):
- return False
+ raise Exception("Expired Tokens. User needs to sign in.")
 if int(user_authnz_token.extra_data["auth_time"]) + int(expires) / 2 <= int(time.time()):
- on_the_fly_config(trans.sa_session)
+ on_the_fly_config(sa_session)
 log.debug(
 f"Refreshing user token for {user_authnz_token.uid} via `{user_authnz_token.provider}` identity provider"
 )
 if self.config["provider"] == "azure":
 self.refresh_azure(user_authnz_token)
 else:
- strategy = Strategy(None, trans.sa_session, Storage, self.config)
+ strategy = Strategy(None, sa_session, Storage, self.config)
 user_authnz_token.refresh_token(strategy)
 log.debug(
 f"Refreshed user token for {user_authnz_token.uid} via `{user_authnz_token.provider}` identity provider"
 )
@@ -329,6 +329,7 @@ class PSAAuthnz(IdentityProvider):
 user_id = decoded_jwt["unique_name"]
 authnz_token = self._get_authnz_token(sa_session, user_id, self.config["provider"])
 user = authnz_token.user if authnz_token else None
+ self.refresh(sa_session, authnz_token, 90)
 return user, decoded_jwt
 
 @staticmethod
-- GitLab
From a48da1fd1d53c3e7b489beff6bc00ea23c96038f Mon Sep 17 00:00:00 2001
From: Gregory Cage
Date: Mon, 16 Jun 2025 13:43:09 -0400
Subject: [PATCH 2/2] Return false when refresh error occurs
---
 lib/galaxy/authnz/managers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/galaxy/authnz/managers.py b/lib/galaxy/authnz/managers.py
index ac89b40dce..117258dafa 100644
--- a/lib/galaxy/authnz/managers.py
+++ b/lib/galaxy/authnz/managers.py
@@ -307,7 +307,7 @@ class AuthnzManager:
 return True
 except Exception as e:
 log.exception("An error occurred when refreshing user token")
- raise e
+ return False
 
 def refresh_expiring_oidc_tokens(self, trans, user=None):
 user = trans.user or user
-- GitLab
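Review bot: With `return False` restored, the `e` bound by `except Exception as e:` two lines above is no longer used, so that line should go back to `except Exception:`. More importantly, the too-old-token case that the previous commit turned into `raise Exception("Expired Tokens. User needs to sign in.")` in both providers now ends here, producing a full `log.exception` traceback at error level on every refresh attempt for such a token and a False that callers cannot tell apart from a transient identity-provider failure. Catching a dedicated exception type for that case first (say `TokenTooOldError`) with `log.info(...)` and `return False` keeps the error log meaningful and the outcome distinguishable. refresh_expiring_oidc_tokens starts inside the hunk and continues past it.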