Merge pull request #2300 from flant/do-not-update-offline-session-las…

…t-time fix: do not update offlinesession lastUsed field if refresh token was not updated
dexidp · Oct 21, 2021 · 84b2417 · 84b2417
2 parents 18311aa + 9fad060
commit 84b2417
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/server/refreshhandlers.go b/server/refreshhandlers.go
@@ -227,16 +227,13 @@ func (s *Server) updateRefreshToken(token *internal.RefreshToken, refresh *stora
 
 	lastUsed := s.now()
 
-	rerr := s.updateOfflineSession(refresh, ident, lastUsed)
-	if rerr != nil {
-		return nil, rerr
-	}
-
 	refreshTokenUpdater := func(old storage.RefreshToken) (storage.RefreshToken, error) {
 		if s.refreshTokenPolicy.RotationEnabled() {
 			if old.Token != token.Token {
 				if s.refreshTokenPolicy.AllowedToReuse(old.LastUsed) && old.ObsoleteToken == token.Token {
 					newToken.Token = old.Token
+					// Do not update last used time for offline session if token is allowed to be reused
+					lastUsed = old.LastUsed
 					return old, nil
 				}
 				return old, errors.New("refresh token claimed twice")
@@ -268,6 +265,11 @@ func (s *Server) updateRefreshToken(token *internal.RefreshToken, refresh *stora
 		return nil, newInternalServerError()
 	}
 
+	rerr := s.updateOfflineSession(refresh, ident, lastUsed)
+	if rerr != nil {
+		return nil, rerr
+	}
+
 	return newToken, nil
 }
 

diff --git a/storage/kubernetes/storage.go b/storage/kubernetes/storage.go
@@ -740,13 +740,14 @@ func retryOnConflict(ctx context.Context, action func() error) error {
 	for {
 		select {
 		case <-time.After(getNextStep()):
-			if err := action(); err == nil || !isKubernetesAPIConflictError(err) {
+			err := action()
+			if err == nil || !isKubernetesAPIConflictError(err) {
 				return err
 			}
 
 			attempts++
 			if attempts >= 4 {
-				return errors.New("maximum timeout reached while retrying a conflicted request")
+				return fmt.Errorf("maximum timeout reached while retrying a conflicted request: %w", err)
 			}
 		case <-ctx.Done():
 			return errors.New("canceled")

diff --git a/storage/kubernetes/storage_test.go b/storage/kubernetes/storage_test.go
@@ -262,7 +262,7 @@ func TestRetryOnConflict(t *testing.T) {
 		{
 			"Timeout reached",
 			func() error { err := httpErr{status: 409}; return error(&err) },
-			"maximum timeout reached while retrying a conflicted request",
+			"maximum timeout reached while retrying a conflicted request:   Conflict: response from server \"\"",
 		},
 		{
 			"HTTP Error",