[PR #5173] [CLOSED] auth/oidc: cache OIDC access token and refresh before expiry #5154

Closed
opened 2026-05-05 14:55:45 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5173
Author: @shani1998
Created: 2/11/2026
Status: Closed

Base: dev ← Head: fix/oidc-token-caching


📝 Commits (1)

  • aac0cbb auth/oidc: cache access token to avoid redundant requests on each heartbeat

📊 Changes

2 files changed (+60 additions, -14 deletions)

📝 pkg/auth/oidc.go (+14 -14)
📝 pkg/auth/oidc_test.go (+46 -0)

📄 Description

WHY

When auth.additionalScopes includes HeartBeats, every heartbeat calls
clientcredentials.Config.Token(ctx), which creates a new oauth2.ReuseTokenSource
on each invocation — the token is never actually reused between calls. This causes
a redundant HTTP request to the OIDC token endpoint on every heartbeat interval.

Changes

  • Use Config.TokenSource(ctx) once at init to create a persistent oauth2.TokenSource
    that caches the token and only refreshes when it approaches expiry
  • Wrap with oauth2.ReuseTokenSourceWithExpiry for a configurable early-refresh buffer
  • Add tokenRefreshAdvanceDuration config option (default: 300s) to control how
    early before expiry the token is refreshed
  • Add unit test with mock HTTP server verifying token is fetched only once across
    multiple login and ping calls

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
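
The effect described above, as an added example that is not code from the PR or from frp: a stdlib-only Go model (it does not use golang.org/x/oauth2) that counts token-endpoint requests when a new source is built on every heartbeat versus one persistent source with an early-refresh buffer. `cachingSource`, `tokenRequests`, the mock endpoint, the 30s heartbeat interval and the 1h token lifetime are hypothetical or constructed; the 300s buffer is the default the description gives for tokenRefreshAdvanceDuration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

type cachingSource struct { // hypothetical: refetches only within `early` of expiry
	endpoint    string
	early       time.Duration
	expiry      time.Time
	AccessToken string `json:"access_token"`
	ExpiresIn   int64  `json:"expires_in"`
}

func (s *cachingSource) Token(now time.Time) (string, error) {
	if s.AccessToken != "" && now.Before(s.expiry.Add(-s.early)) {
		return s.AccessToken, nil // cached and outside the refresh window: no HTTP call
	}
	resp, err := http.PostForm(s.endpoint, map[string][]string{"grant_type": {"client_credentials"}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	err = json.NewDecoder(resp.Body).Decode(s) // fills AccessToken and ExpiresIn
	s.expiry = now.Add(time.Duration(s.ExpiresIn) * time.Second)
	return s.AccessToken, err
}
func tokenRequests(beats int, interval, early time.Duration, persistent bool) int {
	var hits int32 // requests seen by the constructed mock token endpoint (1h tokens)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintf(w, `{"access_token":"t%d","expires_in":3600}`, atomic.AddInt32(&hits, 1))
	}))
	defer srv.Close()
	src, now := &cachingSource{endpoint: srv.URL, early: early}, time.Unix(0, 0)
	for i := 0; i < beats; i, now = i+1, now.Add(interval) { // simulated clock, no sleeping
		if !persistent { // new source per heartbeat: the cached token is discarded
			src = &cachingSource{endpoint: srv.URL, early: early}
		}
		if _, err := src.Token(now); err != nil {
			return -1
		}
	}
	return int(atomic.LoadInt32(&hits))
}
func main() { fmt.Println(tokenRequests(120, 30*time.Second, 300*time.Second, true)) }
```

With these constructed values, building a source per heartbeat hits the token endpoint 120 times in an hour, while one persistent source hits it twice: the initial fetch and a single refresh 300s before expiry.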

Reference: github-starred/frp#5154