github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 16:15:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #5185] [Feature Request] Cache OIDC access token and refresh before expiry #4051

New issue
Closed
opened 2026-05-05 14:34:06 -06:00 by gitea-mirror · 2 comments
gitea-mirror commented 2026-05-05 14:34:06 -06:00
Owner
Copy link

Originally created by @shani1998 on GitHub (Feb 25, 2026).
Original GitHub issue: https://github.com/fatedier/frp/issues/5185

Originally assigned to: @blizard863 on GitHub.

Describe the feature request

Current Behavior:
In the current OIDC implementation for frpc, a new access token is requested from the OIDC provider for every authentication event. This creates significant overhead during:

  1. Heartbeat Pings: frpc and frps frequently exchange pings to keep the connection alive. Fetching a new token for every validation cycle increases latency.
  2. Reconnections: On unstable networks, frequent OIDC handshakes can lead to rate-limiting or service denial from the OIDC provider.

Proposed Feature:
Implement a caching and proactive refresh mechanism for OIDC tokens within frpc to improve performance and reliability.

Key Components of the Proposal:

  1. Token Caching: Store the access token in memory and reuse it for subsequent heartbeats and proxy registrations until it is near expiry.
  2. Customizable Refresh Buffer: Introduce a new configuration parameter: tokenRefreshAdvanceDuration.
    • Default: 300 seconds (5 minutes).
    • Function: This defines how many seconds before actual token expiry frpc should proactively fetch a new token.
  3. Proactive Refresh: Ensure frpc always has a valid token ready before the next heartbeat, preventing connection drops due to expired credentials during transit.

This change reduces the load on OIDC providers and ensures that frpc remains connected even if the OIDC provider has temporary high latency.

I have already drafted this implementation in PR #5175 and would love to discuss the configuration logic here.

Describe alternatives you've considered

The current "fetch-on-demand" approach is the only alternative, but it is inefficient for users with high-frequency heartbeats or strict OIDC rate limits.

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Originally created by @shani1998 on GitHub (Feb 25, 2026). Original GitHub issue: https://github.com/fatedier/frp/issues/5185 Originally assigned to: @blizard863 on GitHub. ### Describe the feature request **Current Behavior:** In the current OIDC implementation for `frpc`, a new access token is requested from the OIDC provider for every authentication event. This creates significant overhead during: 1. **Heartbeat Pings:** `frpc` and `frps` frequently exchange pings to keep the connection alive. Fetching a new token for every validation cycle increases latency. 2. **Reconnections:** On unstable networks, frequent OIDC handshakes can lead to rate-limiting or service denial from the OIDC provider. **Proposed Feature:** Implement a caching and proactive refresh mechanism for OIDC tokens within `frpc` to improve performance and reliability. **Key Components of the Proposal:** 1. **Token Caching:** Store the access token in memory and reuse it for subsequent heartbeats and proxy registrations until it is near expiry. 2. **Customizable Refresh Buffer:** Introduce a new configuration parameter: `tokenRefreshAdvanceDuration`. * **Default:** `300` seconds (5 minutes). * **Function:** This defines how many seconds *before* actual token expiry `frpc` should proactively fetch a new token. 3. **Proactive Refresh:** Ensure `frpc` always has a valid token ready before the next heartbeat, preventing connection drops due to expired credentials during transit. This change reduces the load on OIDC providers and ensures that `frpc` remains connected even if the OIDC provider has temporary high latency. *I have already drafted this implementation in PR #5175 and would love to discuss the configuration logic here.* ### Describe alternatives you've considered The current "fetch-on-demand" approach is the only alternative, but it is inefficient for users with high-frequency heartbeats or strict OIDC rate limits. ### Affected area - [ ] Docs - [ ] Installation - [x] Performance and Scalability - [x] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [x] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others
gitea-mirror 2026-05-05 14:34:06 -06:00
  • closed this issue
  • added the
    proposal
         label
gitea-mirror commented 2026-05-05 14:34:09 -06:00
Author
Owner
Copy link

@blizard863 commented on GitHub (Feb 26, 2026):

Thanks for the contribution! The caching idea is solid and addresses a real problem. A few suggestions before merging:

  1. Remove tokenRefreshAdvanceDuration config option
    We should avoid introducing new user-facing configuration unless absolutely necessary. Every new field adds cognitive overhead for users. In practice, no mainstream OAuth2 SDK asks users to configure refresh timing — it's handled internally.

  2. Use expires_in from the token response to drive refresh
    The token endpoint response already includes expires_in, so we have everything needed to determine when to refresh. The caching and proactive refresh logic should be fully automatic — users get the optimization by default without needing to understand OAuth2 token lifecycle.

  3. Keep backward compatibility transparent
    With automatic refresh, the behavior change is purely an internal optimization. Existing users benefit automatically without any config migration, and the external API surface remains unchanged.

<!-- gh-comment-id:3964345884 --> @blizard863 commented on GitHub (Feb 26, 2026): Thanks for the contribution! The caching idea is solid and addresses a real problem. A few suggestions before merging: 1. Remove tokenRefreshAdvanceDuration config option We should avoid introducing new user-facing configuration unless absolutely necessary. Every new field adds cognitive overhead for users. In practice, no mainstream OAuth2 SDK asks users to configure refresh timing — it's handled internally. 2. Use expires_in from the token response to drive refresh The token endpoint response already includes expires_in, so we have everything needed to determine when to refresh. The caching and proactive refresh logic should be fully automatic — users get the optimization by default without needing to understand OAuth2 token lifecycle. 3. Keep backward compatibility transparent With automatic refresh, the behavior change is purely an internal optimization. Existing users benefit automatically without any config migration, and the external API surface remains unchanged.
gitea-mirror commented 2026-05-05 14:34:10 -06:00
Author
Owner
Copy link

@shani1998 commented on GitHub (Feb 28, 2026):

Thanks for the contribution! The caching idea is solid and addresses a real problem. A few suggestions before merging:

  1. Remove tokenRefreshAdvanceDuration config option
    We should avoid introducing new user-facing configuration unless absolutely necessary. Every new field adds cognitive overhead for users. In practice, no mainstream OAuth2 SDK asks users to configure refresh timing — it's handled internally.
  2. Use expires_in from the token response to drive refresh
    The token endpoint response already includes expires_in, so we have everything needed to determine when to refresh. The caching and proactive refresh logic should be fully automatic — users get the optimization by default without needing to understand OAuth2 token lifecycle.
  3. Keep backward compatibility transparent
    With automatic refresh, the behavior change is purely an internal optimization. Existing users benefit automatically without any config migration, and the external API surface remains unchanged.

Thanks for making time to review the proposal. The suggestions make sense to me. I’ve updated the code to rely on the OAuth2 SDK and to use expires_in with the default 10-second delta.https://cs.opensource.google/go/x/oauth2/+/master:token.go

<!-- gh-comment-id:3976266115 --> @shani1998 commented on GitHub (Feb 28, 2026): > Thanks for the contribution! The caching idea is solid and addresses a real problem. A few suggestions before merging: > > 1. Remove tokenRefreshAdvanceDuration config option > We should avoid introducing new user-facing configuration unless absolutely necessary. Every new field adds cognitive overhead for users. In practice, no mainstream OAuth2 SDK asks users to configure refresh timing — it's handled internally. > 2. Use expires_in from the token response to drive refresh > The token endpoint response already includes expires_in, so we have everything needed to determine when to refresh. The caching and proactive refresh logic should be fully automatic — users get the optimization by default without needing to understand OAuth2 token lifecycle. > 3. Keep backward compatibility transparent > With automatic refresh, the behavior change is purely an internal optimization. Existing users benefit automatically without any config migration, and the external API surface remains unchanged. Thanks for making time to review the proposal. The suggestions make sense to me. I’ve updated the code to rely on the OAuth2 SDK and to use expires_in with the default 10-second delta.https://cs.opensource.google/go/x/oauth2/+/master:token.go
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#4051
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?