From 4ab33d0923529ad5c8f2267b45ac96c08ee1772e Mon Sep 17 00:00:00 2001
From: John Duggan
Date: Wed, 11 Feb 2026 17:40:15 -0500
Subject: [PATCH 1/4] Test custos fix for XCAMS/keycloak login
---
 lib/galaxy/authnz/custos_authnz.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index 977f734f35..ecf8488da3 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
@@ -168,8 +168,7 @@ class OIDCAuthnzBase(IdentityProvider):
 custos_authnz_token.refresh_expiration_time = processed_token["refresh_expiration_time"]
 sa_session.add(custos_authnz_token)
- with transaction(sa_session):
- sa_session.commit()
+ sa_session.commit()
 log.debug(
 f"Refreshed user token for {custos_authnz_token.external_user_id} via `{custos_authnz_token.provider}` identity provider"
-- GitLab
From d78cbea1d8b9ddbcdae083ea6bea488c168d038c Mon Sep 17 00:00:00 2001
From: John Duggan
Date: Thu, 12 Feb 2026 10:27:54 -0500
Subject: [PATCH 2/4] Fix well known uri retrieval
---
 lib/galaxy/authnz/psa_authnz.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/lib/galaxy/authnz/psa_authnz.py b/lib/galaxy/authnz/psa_authnz.py
index 37046f064f..052f6970f1 100644
--- a/lib/galaxy/authnz/psa_authnz.py
+++ b/lib/galaxy/authnz/psa_authnz.py
@@ -299,7 +299,6 @@ class PSAAuthnz(IdentityProvider):
 if self.config.get("well_known_oidc_config_uri", None)
 else self._get_well_known_uri_from_url(self.config["provider"])
 )
- well_known_oidc_config = None
 try:
 well_known_oidc_config = requests.get(
 well_known_oidc_config_uri,
-- GitLab
From ff0ca52cbe9ed10b851ad9c34838abb9e64114a9 Mon Sep 17 00:00:00 2001
From: John Duggan
Date: Thu, 12 Feb 2026 14:21:09 -0500
Subject: [PATCH 3/4] Try to retrieve access token expiration from id token if not in extra_data
---
 lib/galaxy/authnz/psa_authnz.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/lib/galaxy/authnz/psa_authnz.py b/lib/galaxy/authnz/psa_authnz.py
index 052f6970f1..bd65cb3578 100644
--- a/lib/galaxy/authnz/psa_authnz.py
+++ b/lib/galaxy/authnz/psa_authnz.py
@@ -230,12 +230,20 @@ class PSAAuthnz(IdentityProvider):
 return False
 def _try_to_locate_refresh_token_expiration(self, extra_data):
- return (
- extra_data.get("expires", None)
- or extra_data.get("expires_in", None)
- or extra_data["refresh_token"].get("expires", None)
- or extra_data["refresh_token"].get("expires_in", None)
- )
+ try:
+ # Azure provides the number of seconds to expiration in the extra_data
+ return (
+ extra_data.get("expires", None)
+ or extra_data.get("expires_in", None)
+ or extra_data["refresh_token"].get("expires", None)
+ or extra_data["refresh_token"].get("expires_in", None)
+ )
+ except Exception:
+ # Keycloak provides an expiration timestamp in the id token
+ decoded_id_token = jwt.decode(
+ extra_data["id_token"], options={"verify_signature": False}
+ )
+ return decoded_id_token.get("exp") - decoded_id_token.get("auth_time")
 def authenticate(self, trans, idphint=None):
 on_the_fly_config(trans.sa_session)
-- GitLab
From 123fb3c35d90ef86bd0a00d8a4e08b994bc46f66 Mon Sep 17 00:00:00 2001
From: John Duggan
Date: Fri, 13 Feb 2026 13:04:03 -0500
Subject: [PATCH 4/4] Bump version
---
 .gitlab-ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b64b992b77..86d3c74e27 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,8 @@ variables:
 CONTAINER_GALAXY_URL: "${NDIP_DOCKER_REPOSITORY}/${CI_PROJECT_PATH}"
 CONTAINER_GALAXY_BASE_URL: "${CONTAINER_GALAXY_URL}/base"
 CONTAINER_GALAXY_COMMIT_URL: "${CONTAINER_GALAXY_URL}/commit"
- GALAXY_VERSION_PYTHON: 25.1.dev1+ornl
- GALAXY_VERSION_DOCKER: 25.1.dev1.ornl
+ GALAXY_VERSION_PYTHON: 25.1.dev2+ornl
+ GALAXY_VERSION_DOCKER: 25.1.dev2.ornl
 # This import is for the func_rse_docker_* functions
 before_script:
-- GitLab
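Review bot: The new `except Exception:` fallback in `_try_to_locate_refresh_token_expiration` (patch 3/4, psa_authnz.py) derives a token lifetime from an id token decoded with `verify_signature: False`, so the result rests on claims this function never authenticates. That is only sound if the login pipeline validated this same `id_token` before storing it in `extra_data`, which the hunk does not show and a comment should state. The broad handler also sends any unrelated error from the first lookup down the Keycloak path, where a missing `id_token` raises `KeyError` and a missing `auth_time` (optional in OIDC) makes the subtraction raise `TypeError`. The computed value is the id token's lifetime, not the refresh token's, which may not match what the function name promises. I would narrow the handler to the lookup failures actually expected and guard the claims as sketched below; what callers do with a `None` result is outside the hunk and needs checking.

```python
    def _try_to_locate_refresh_token_expiration(self, extra_data):
        try:
            # … unchanged: expires / expires_in lookup in extra_data and extra_data["refresh_token"] …
        except (KeyError, AttributeError):
            # Keycloak: no expiry in extra_data, fall back to the id token claims.
            # The signature is NOT verified here; this relies on the id_token having
            # been validated during login before it was stored in extra_data.
            id_token = extra_data.get("id_token")
            if not id_token:
                return None
            claims = jwt.decode(id_token, options={"verify_signature": False})
            exp = claims.get("exp")
            issued = claims.get("auth_time") or claims.get("iat")
            if exp is None or issued is None:
                return None
            return exp - issued
```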