From 50ab35b8efe921a708ee688b4936dfcf032ee23d Mon Sep 17 00:00:00 2001
From: "Duggan, John"
Date: Fri, 13 Feb 2026 21:56:48 +0000
Subject: [PATCH] Fix NameError in custos_authnz.py
---
 .gitlab-ci.yml | 4 ++--
 lib/galaxy/authnz/custos_authnz.py | 3 +--
 lib/galaxy/authnz/psa_authnz.py | 21 ++++++++++++++-------
 3 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b64b992b77..86d3c74e27 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,8 @@ variables:
 CONTAINER_GALAXY_URL: "${NDIP_DOCKER_REPOSITORY}/${CI_PROJECT_PATH}"
 CONTAINER_GALAXY_BASE_URL: "${CONTAINER_GALAXY_URL}/base"
 CONTAINER_GALAXY_COMMIT_URL: "${CONTAINER_GALAXY_URL}/commit"
- GALAXY_VERSION_PYTHON: 25.1.dev1+ornl
- GALAXY_VERSION_DOCKER: 25.1.dev1.ornl
+ GALAXY_VERSION_PYTHON: 25.1.dev2+ornl
+ GALAXY_VERSION_DOCKER: 25.1.dev2.ornl
 # This import is for the func_rse_docker_* functions
 before_script:
diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index 977f734f35..ecf8488da3 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
@@ -168,8 +168,7 @@ class OIDCAuthnzBase(IdentityProvider):
 custos_authnz_token.refresh_expiration_time = processed_token["refresh_expiration_time"]
 sa_session.add(custos_authnz_token)
- with transaction(sa_session):
- sa_session.commit()
+ sa_session.commit()
 log.debug(
 f"Refreshed user token for {custos_authnz_token.external_user_id} via `{custos_authnz_token.provider}` identity provider"
diff --git a/lib/galaxy/authnz/psa_authnz.py b/lib/galaxy/authnz/psa_authnz.py
index 37046f064f..bd65cb3578 100644
--- a/lib/galaxy/authnz/psa_authnz.py
+++ b/lib/galaxy/authnz/psa_authnz.py
@@ -230,12 +230,20 @@ class PSAAuthnz(IdentityProvider):
 return False
 def _try_to_locate_refresh_token_expiration(self, extra_data):
- return (
- extra_data.get("expires", None)
- or extra_data.get("expires_in", None)
- or extra_data["refresh_token"].get("expires", None)
- or extra_data["refresh_token"].get("expires_in", None)
- )
+ try:
+ # Azure provides the number of seconds to expiration in the extra_data
+ return (
+ extra_data.get("expires", None)
+ or extra_data.get("expires_in", None)
+ or extra_data["refresh_token"].get("expires", None)
+ or extra_data["refresh_token"].get("expires_in", None)
+ )
+ except Exception:
+ # Keycloak provides an expiration timestamp in the id token
+ decoded_id_token = jwt.decode(
+ extra_data["id_token"], options={"verify_signature": False}
+ )
+ return decoded_id_token.get("exp") - decoded_id_token.get("auth_time")
 def authenticate(self, trans, idphint=None):
 on_the_fly_config(trans.sa_session)
@@ -299,7 +307,6 @@ class PSAAuthnz(IdentityProvider):
 if self.config.get("well_known_oidc_config_uri", None)
 else self._get_well_known_uri_from_url(self.config["provider"])
 )
- well_known_oidc_config = None
 try:
 well_known_oidc_config = requests.get(
 well_known_oidc_config_uri,
-- GitLab
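Review bot: The Keycloak fallback in `_try_to_locate_refresh_token_expiration` takes `exp` and `auth_time` from an id token decoded with `"verify_signature": False`, and nothing in the hunk says where that token was validated; a comment should state that the claims are relied on only because the provider response was verified earlier (if that is the case) and that the result is expiry bookkeeping, not an authorization input. `auth_time` is an optional OIDC claim, so `decoded_id_token.get("exp") - decoded_id_token.get("auth_time")` raises TypeError when it is absent, and `extra_data["id_token"]` raises KeyError from inside the handler when the provider sent no id token. `except Exception` also sends any unrelated failure down the Keycloak path, while a payload that has a `refresh_token` entry but no expiry still returns None without trying it; catching only the lookup errors makes the intent explicit. Since this commit is about a NameError, it is worth confirming that `jwt` is imported in psa_authnz.py, which the hunk does not show.

```python
        try:
            # … unchanged: Azure lookup of expires / expires_in …
        except (KeyError, TypeError, AttributeError):
            # Keycloak: derive a lifetime from the id token claims. The signature is
            # not re-verified here, so treat the value as a scheduling hint only.
            id_token = extra_data.get("id_token")
            if not id_token:
                return None
            claims = jwt.decode(id_token, options={"verify_signature": False})
            exp, auth_time = claims.get("exp"), claims.get("auth_time")
            if exp is None or auth_time is None:
                return None
            return exp - auth_time
```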
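Review bot: With `well_known_oidc_config = None` removed, the name is bound only if `requests.get(...)` and whatever follows it inside the `try` succeed. The enclosing method starts and ends outside this hunk, so it cannot be confirmed from here, but if the `except` handler or any code after the `try` reads `well_known_oidc_config` on the failure path it will now raise UnboundLocalError instead of seeing None. If the initialiser was dropped only to quiet a linter, a short comment such as `# bound only on success; the except branch must re-raise or return` at the `try` would record the assumption.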