[PR #5175] [MERGED] auth/oidc: cache OIDC access token and refresh before expiry #5157

New issue

Closed

opened 2026-05-05 14:55:46 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented 2026-05-05 14:55:46 -06:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5175
Author: @shani1998
Created: 2/12/2026
Status: ✅ Merged
Merged: 3/11/2026
Merged by: @fatedier

Base: dev ← Head: oidc-token-caching-on-heatbeat-enable-1

---

📝 Commits (6)

• 8d1c350 auth/oidc: cache OIDC access token and refresh before expiry
• a759168 address review comments
• 71cdcc5 Merge branch 'dev' of github.com:fatedier/frp into oidc-token-caching-on-heatbeat-enable-1
• fb75efb auth/oidc: fallback to per-request token fetch when expires_in is missing
• a1106f2 auth/oidc: fix gosec lint and add test for zero-expiry fallback
• 9ecf5ac fix lint

📊 Changes

2 files changed (+131 additions, -14 deletions)

View changed files

📝 pkg/auth/oidc.go (+40 -14)
📝 pkg/auth/oidc_test.go (+91 -0)

📄 Description

WHY --> Feature Request

When auth.additionalScopes includes HeartBeats, every heartbeat calls
clientcredentials.Config.Token(ctx) which creates a new oauth2.ReuseTokenSource
on each invocation — the token is never actually reused between calls. This causes
a redundant HTTP request to the OIDC token endpoint on every heartbeat interval.

Changes

• Use Config.TokenSource(ctx) once at init to create a persistent oauth2.TokenSource
  that caches the token and only refreshes when it approaches expiry
• Wrap with oauth2.ReuseTokenSourceWithExpiry for a configurable early-refresh buffer
• Add tokenRefreshAdvanceDuration config option (default: 300s) to control how
  early before expiry the token is refreshed
• Add unit test with mock HTTP server verifying token is fetched only once across
  multiple login and ping calls

Client Config

[auth]
method = "oidc"
additionalScopes = ["HeartBeats"]

[auth.oidc]
clientID = "my-client"
clientSecret = "my-secret"
tokenEndpointURL = "https://idp.example.com/oauth/token"
# Optional: seconds before token expiry to refresh (default: 300)
# tokenRefreshAdvanceDuration = 300

[[proxies]]
name = "my-proxy"
type = "https"
...

Test plan

• Added TestOidcAuthProviderCachesToken with mock HTTP server proving only 1 token request is made across login + 5 pings
• All existing auth tests pass (go test ./pkg/auth/...)
• go vet ./pkg/auth/... clean
• go build compiles cleanly
• Manual testing with OIDC provider and auth.additionalScopes = ["HeartBeats"] — verified token is reused across heartbeats and refreshed only near expiry

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fatedier/frp/pull/5175 **Author:** [@shani1998](https://github.com/shani1998) **Created:** 2/12/2026 **Status:** ✅ Merged **Merged:** 3/11/2026 **Merged by:** [@fatedier](https://github.com/fatedier) **Base:** `dev` ← **Head:** `oidc-token-caching-on-heatbeat-enable-1` --- ### 📝 Commits (6) - [`8d1c350`](https://github.com/fatedier/frp/commit/8d1c3509211fe24748288ec515633aa3e765f766) auth/oidc: cache OIDC access token and refresh before expiry - [`a759168`](https://github.com/fatedier/frp/commit/a759168ac34a261c75702eabb6fbe27ad0328504) address review comments - [`71cdcc5`](https://github.com/fatedier/frp/commit/71cdcc5aecb85a50de65d8ab56f4b8380b1a2b5c) Merge branch 'dev' of github.com:fatedier/frp into oidc-token-caching-on-heatbeat-enable-1 - [`fb75efb`](https://github.com/fatedier/frp/commit/fb75efb97b49a034aecffdafaaabf7d557535bd1) auth/oidc: fallback to per-request token fetch when expires_in is missing - [`a1106f2`](https://github.com/fatedier/frp/commit/a1106f282e484a7250d41e5e57b0ff7632f1cd37) auth/oidc: fix gosec lint and add test for zero-expiry fallback - [`9ecf5ac`](https://github.com/fatedier/frp/commit/9ecf5ac364ad9d991315f99728e33db587a47efd) fix lint ### 📊 Changes **2 files changed** (+131 additions, -14 deletions) <details> <summary>View changed files</summary> 📝 `pkg/auth/oidc.go` (+40 -14) 📝 `pkg/auth/oidc_test.go` (+91 -0) </details> ### 📄 Description ### WHY --> [Feature Request](https://github.com/fatedier/frp/issues/5185) When `auth.additionalScopes` includes `HeartBeats`, every heartbeat calls `clientcredentials.Config.Token(ctx)` which creates a new `oauth2.ReuseTokenSource` on each invocation — the token is never actually reused between calls. This causes a redundant HTTP request to the OIDC token endpoint on every heartbeat interval. ### Changes - Use `Config.TokenSource(ctx)` once at init to create a persistent `oauth2.TokenSource` that caches the token and only refreshes when it approaches expiry - Wrap with `oauth2.ReuseTokenSourceWithExpiry` for a configurable early-refresh buffer - Add `tokenRefreshAdvanceDuration` config option (default: 300s) to control how early before expiry the token is refreshed - Add unit test with mock HTTP server verifying token is fetched only once across multiple login and ping calls Client Config ``` [auth] method = "oidc" additionalScopes = ["HeartBeats"] [auth.oidc] clientID = "my-client" clientSecret = "my-secret" tokenEndpointURL = "https://idp.example.com/oauth/token" # Optional: seconds before token expiry to refresh (default: 300) # tokenRefreshAdvanceDuration = 300 [[proxies]] name = "my-proxy" type = "https" ... ``` ## Test plan - [x] Added `TestOidcAuthProviderCachesToken` with mock HTTP server proving only 1 token request is made across login + 5 pings - [x] All existing auth tests pass (`go test ./pkg/auth/...`) - [x] `go vet ./pkg/auth/...` clean - [x] `go build` compiles cleanly - [x] Manual testing with OIDC provider and `auth.additionalScopes = ["HeartBeats"]` — verified token is reused across heartbeats and refreshed only near expiry --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

gitea-mirror 2026-05-05 14:55:46 -06:00

• closed this issue
• added the
  pull-request
  label

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

new

master

copilot/review-pull-request-5198

v0.68.1

v0.68.0

v0.67.0

v0.66.0

v0.65.0

v0.64.0

v0.63.0

v0.62.1

v0.62.0

v0.61.2

v0.61.1

v0.61.0

v0.60.0

v0.59.0

v0.58.1

v0.58.0

v0.57.0

v0.56.0

v0.55.1

v0.55.0

v0.54.0

v0.53.2

v0.53.1

v0.53.0

v0.52.3

v0.52.2

v0.52.1

v0.52.0

v0.51.3

v0.51.2

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.1

v0.46.0

v0.45.0

v0.44.0

v0.43.0

v0.42.0

v0.41.0

v0.40.0

v0.39.1

v0.39.0

v0.38.0

v0.37.1

v0.37.0

v0.36.2

v0.36.1

v0.36.0

v0.35.1

v0.35.0

v0.34.3

v0.34.2

v0.34.1

v0.34.0

v0.33.0

v0.32.1

v0.32.0

v0.31.2

v0.31.1

v0.31.0

v0.30.0

v0.29.1

v0.29.0

v0.28.2

v0.28.1

v0.28.0

v0.27.1

v0.27.0

v0.26.0

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.3

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.0

v0.19.1

v0.19.0

v0.18.0

v0.17.0

v0.16.1

v0.16.0

v0.15.1

v0.15.0

v0.14.1

v0.14.0

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.0

v0.6.0

v0.5.0

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels   

In Progress

  

WIP

  

WaitingForInfo

  

bug

  

doc

  

duplicate

  

easy

  

enhancement

  

future

  

help wanted

  

invalid

  

lifecycle/stale

  

need-issue-template

  

need-usage-help

  

no plan

  

proposal

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

todo

No labels

In Progress

WIP

WaitingForInfo

bug

doc

duplicate

easy

enhancement

future

help wanted

invalid

lifecycle/stale

need-issue-template

need-usage-help

no plan

proposal

pull-request

question

todo

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#5157

No description provided.