[PR #5174] [CLOSED] auth/oidc: cache access token to avoid redundant requests on each hea… #5156

Closed
opened 2026-05-05 14:55:46 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5174
Author: @shani1998
Created: 2/12/2026
Status: Closed

Base: dev ← Head: oidc-token-caching-on-heatbeat-enable


📝 Commits (1)

  • aac0cbb auth/oidc: cache access token to avoid redundant requests on each heartbeat

📊 Changes

2 files changed (+60 additions, -14 deletions)

📝 pkg/auth/oidc.go (+14 -14)
📝 pkg/auth/oidc_test.go (+46 -0)

📄 Description

Summary

Issue: When AuthScopeHeartBeats is enabled, every heartbeat ping (every ~30s) calls generateAccessToken() which calls clientcredentials.Config.Token(ctx). This method creates a new ReuseTokenSource(nil, ...) on every call — since it starts with nil, it always makes a fresh HTTP request to the OIDC token endpoint. Tokens are never reused despite typically being valid for minutes to hours.

Fix: Call Config.TokenSource(ctx) once during initialization and store the returned oauth2.TokenSource. This ReuseTokenSource caches the token internally and only fetches a new one when the current token expires (with a 10s early-refresh buffer).

Client Config

[auth]
method = "oidc"
additionalScopes = ["HeartBeats"]

[auth.oidc]
clientID = "my-client"
clientSecret = "my-secret"
tokenEndpointURL = "https://idp.example.com/oauth/token"
audience = "my-api"
scope = "openid"

[[proxies]]
name = "my-proxy"
type = "https"
...

Test plan

  • Added TestOidcAuthProviderCachesToken with mock HTTP server proving only 1 token request is made across login + 5 pings
  • All existing auth tests pass
  • go vet ./pkg/auth/... clean

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
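
The caching behaviour the description relies on, as an added example that is not code from frp or from golang.org/x/oauth2: a source that is kept and reused serves the cached token until it is within the 10s buffer of expiry, while a new empty source per call always goes to the endpoint. The names `reuseSource`, `simulate`, `fetch` and `now` are hypothetical, and an injected function and clock stand in for the HTTP token request and wall time.

```go
package main

import (
	"fmt"
	"time"
)

const earlyRefresh = 10 * time.Second // refresh buffer named in the PR description

// reuseSource is a hypothetical caching token source; fetch stands in for the HTTP token request.
type reuseSource struct {
	fetch  func() (token string, lifetime time.Duration)
	now    func() time.Time
	token  string
	expiry time.Time
}

// Token returns the cached token unless it is within earlyRefresh of expiry.
func (s *reuseSource) Token() string {
	if s.token == "" || !s.now().Add(earlyRefresh).Before(s.expiry) {
		var life time.Duration
		s.token, life = s.fetch()
		s.expiry = s.now().Add(life)
	}
	return s.token
}

// simulate sends a login plus pings and counts token requests for both strategies.
func simulate(pings int, interval, lifetime time.Duration) (cached, perCall int) {
	clock := time.Unix(0, 0) // constructed start time
	requests := 0
	fetch := func() (string, time.Duration) {
		requests++
		return fmt.Sprintf("tok-%d", requests), lifetime
	}
	now := func() time.Time { return clock }
	shared := &reuseSource{fetch: fetch, now: now}
	for i := 0; i <= pings; i++ {
		shared.Token()
		clock = clock.Add(interval)
	}
	cached, requests = requests, 0
	for i := 0; i <= pings; i++ {
		(&reuseSource{fetch: fetch, now: now}).Token() // new empty source per call
	}
	return cached, requests
}

func main() { fmt.Println(simulate(5, 30*time.Second, time.Hour)) }
```

With a 30s interval, a token lifetime of 35s gives no saving at all, because every heartbeat already falls inside the refresh buffer; the benefit depends on the lifetime the identity provider issues.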
