Skip to content

feat(auth): auto-refresh OIDC tokens on session loss#1

Merged
gummigudm merged 4 commits into
mainfrom
feat/oidc-token-auto-refresh
Jun 26, 2026
Merged

feat(auth): auto-refresh OIDC tokens on session loss#1
gummigudm merged 4 commits into
mainfrom
feat/oidc-token-auto-refresh

Conversation

@gummigudm

Copy link
Copy Markdown
Collaborator

Summary

  • When the OIDC JWT strategy finds no usable id_token but a refreshToken cookie exists, transparently refresh tokens from the IdP and repopulate the session. Addresses deployment-restart scenarios where the MemoryStore is wiped while the browser still holds a valid Bearer token.
  • Removes 26 upstream CI workflows irrelevant to this fork (publishing, deployments, Helm, i18n sync, GitNexus, etc.) — keeping only backend tests, ESLint, frontend tests, and Docker smoke.

Test plan

  • 11 new refreshOpenIDTokensFromCookie helper tests pass (dedup, success/failure paths, edge cases)
  • 4 new strategy-level tests pass (refresh on empty session, 401 on failure, no-op when tokens present)
  • Verify backend-review workflow passes in CI
  • Manual test: restart server with active OIDC session, confirm token refresh is transparent

🤖 Generated with Claude Code

gummigudm and others added 4 commits June 25, 2026 13:13
When the OIDC JWT strategy finds no usable id_token (missing from both the
session and the openid_id_token cookie) but a refreshToken cookie exists,
transparently call the IdP's refresh-token endpoint, repopulate the session,
and continue the request. This addresses deployment-restart scenarios where
the MemoryStore is wiped while the browser still holds a valid Bearer token.

- Add refreshOpenIDTokensFromCookie helper in AuthService.js with dedup map
- Wire helper into openIdJwtStrategy.js with fail-closed behavior
- Add 11 helper tests and 4 strategy tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Keep only the workflows that validate fork-specific changes on PRs:
- backend-review.yml (jest unit tests for api/packages)
- eslint-ci.yml (lint changed files)
- frontend-review.yml (jest unit tests for client)
- docker-smoke.yml (verify Docker build still works)

Removed: npm publishing, Docker registry pushes, Helm charts, i18n sync,
GitNexus indexing, deployments, accessibility, Playwright E2E, and other
upstream-only concerns. A custom registry push workflow will be added later.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Build and push container image to Azure Container Registry on merge to
main or manual dispatch. Uses OIDC federation for auth with identifiers
stored as repo variables (AZURE_CLIENT_ID, AZURE_TENANT_ID,
AZURE_SUBSCRIPTION_ID, ACR_NAME).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All PR test workflows now require the "test" label to be present before
running. This prevents unnecessary CI spend on PRs that aren't ready for
testing. Add the label when you want checks to run.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gummigudm gummigudm merged commit 72c56e0 into main Jun 26, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants