Enforce refresh token clean-up #130
Also do not try to refresh if the access token is still valid
Looks good! @valtri, can you give it a try on the testing installation?
There is some unrelated problem in JWT wrapper with oauthenticator 16.3.0 (from the older changes):
But it works with the oauthenticator 16.1.0.
Fixed
Looks good!
Summary
Remove the stale user info whenever the refresh process fails so the user is forced to authenticate again from scratch. This will force obtaining a new refresh token; before, the broken token would remain unchanged when logging in via JWT.
Also check the validity of the access token so the refresh does not need to happen if the user has a valid token in place.
Related issue :
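The refresh behaviour described in the summary, sketched as an added example (not the code from this pull request). The names `refresh_auth_state`, `jwt_expiry`, `make_unsigned_jwt` and `RefreshFailed`, the `auth_state` dictionary layout and the 60-second leeway are assumptions made for the illustration.

```python
import base64
import json
import time


class RefreshFailed(Exception):
    """Raised by the (hypothetical) token-endpoint client when a refresh is rejected."""


def make_unsigned_jwt(exp):
    """Build a constructed sample token for the demo; the signature is a dummy."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"


def jwt_expiry(token):
    """Return the 'exp' claim of a JWT, or None if it is absent or unparsable.

    The signature is NOT verified here: the value is only a local hint for
    deciding whether a refresh is needed, never an authorization decision.
    """
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64url padding
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
        return exp if isinstance(exp, (int, float)) else None
    except (AttributeError, IndexError, ValueError):
        return None


def refresh_auth_state(auth_state, refresh, now=None, leeway=60):
    """Return the auth state to keep, or None to force a login from scratch."""
    now = time.time() if now is None else now
    if not auth_state:
        return None
    exp = jwt_expiry(auth_state.get("access_token"))
    if exp is not None and exp - leeway > now:
        return auth_state  # access token still valid: skip the refresh call
    refresh_token = auth_state.get("refresh_token")
    if not refresh_token:
        return None
    try:
        tokens = refresh(refresh_token)
    except RefreshFailed:
        return None  # drop all stale state, including the broken refresh token
    new_state = dict(auth_state)
    new_state["access_token"] = tokens["access_token"]
    # Providers that rotate refresh tokens return a new one; otherwise keep the old.
    new_state["refresh_token"] = tokens.get("refresh_token", refresh_token)
    return new_state
```

A caller that receives `None` should delete the stored user info and send the user through a full login, so that a new refresh token is issued.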