Skip to content

fix(proxy): honor access token cache ttl#3056

Merged
rhafer merged 1 commit into
opencloud-eu:mainfrom
stonith404:fix-oidc-userinfo-cache
Jul 14, 2026
Merged

fix(proxy): honor access token cache ttl#3056
rhafer merged 1 commit into
opencloud-eu:mainfrom
stonith404:fix-oidc-userinfo-cache

Conversation

@stonith404

Copy link
Copy Markdown
Contributor

Description

Pass the configured fallback access token TTL into the OIDC authenticator.

When the proxy cannot derive an expiration from the access token, for example with opaque tokens and PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none, it should use PROXY_OIDC_USERINFO_CACHE_TTL for userinfo cache entries. The option was parsed and passed into the middleware setup, but not copied onto the authenticator, causing cache entries to expire immediately.

This change makes the implementation match the documented fallback behavior.

Related Issue

Motivation and Context

I maintain Pocket ID and ran into this while setting up OpenCloud on my own server. Desktop sync stalled because OpenCloud repeatedly called Pocket ID’s userinfo endpoint until Pocket ID started rate limiting those requests.

The setup uses opaque access tokens with PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none, so OpenCloud cannot derive an expiration from the access token and should fall back to PROXY_OIDC_USERINFO_CACHE_TTL. That fallback TTL was configured, but it was not applied by the OIDC authenticator, causing userinfo cache entries to expire immediately.

How Has This Been Tested?

I have created a custom image with this change, deployed it on my server and I can confirm that the TTL is now correctly respected and Pocket ID doesn't get spammed anymore with userinfo requests.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation added

@codacy-production

codacy-production Bot commented Jul 1, 2026

Copy link
Copy Markdown

Up to standards βœ…

🟒 Issues 0 issues

Results:
0 new issues

View in Codacy

🟒 Metrics -6 duplication

Metric Results
Duplication -6

View in Codacy

🟒 Coverage 100.00% diff coverage · +0.02% coverage variation

Metric Results
Coverage variation βœ… +0.02% coverage variation (-1.00%)
Diff coverage βœ… 100.00% diff coverage

View coverage diff in Codacy

Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (93fb9cb) Report Missing Report Missing Report Missing
Head commit (5457ef8) 82290 (+1) 18974 (+19) 23.06% (+0.02%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#3056) 1 1 100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

1 Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@rhafer rhafer left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stonith404 Thanks a lot for the fix! Good catch.

@rhafer
rhafer merged commit 4734c57 into opencloud-eu:main Jul 14, 2026
64 checks passed
@openclouders openclouders mentioned this pull request Jul 14, 2026
1 task
sdwilsh pushed a commit to sdwilsh/ansible-playbooks that referenced this pull request Jul 15, 2026
##### [\`7.3.0\`](https://github.com/opencloud-eu/opencloud/blob/HEAD/CHANGELOG.md#730---2026-07-14)

##### πŸ› Bug Fixes

- fix(proxy): honor access token cache ttl \[[#3056](opencloud-eu/opencloud#3056)]
- chore(idp): update axios \[[#3094](opencloud-eu/opencloud#3094)]
- fix: make the collaboration service events optional \[[#3001](opencloud-eu/opencloud#3001)]
- Revert "fix: disallow thumbnails for tiff and jpeg2000 images" \[[#2973](opencloud-eu/opencloud#2973)]
- bump reva \[[#2950](opencloud-eu/opencloud#2950)]
- change error level for trashing items interaction with search \[[#2951](opencloud-eu/opencloud#2951)]
- fix: Send SSE events for SpaceEnabled/Disabled to affected users \[[#2871](opencloud-eu/opencloud#2871)]

##### πŸ“š Documentation

- update collaboration readme \[[#3076](opencloud-eu/opencloud#3076)]
- fix: fix typo in proxy service documentation \[[#3089](opencloud-eu/opencloud#3089)]
- roling release template \[[#2972](opencloud-eu/opencloud#2972)]
- enhance: fix typos in webfinger service description \[[#2958](opencloud-eu/opencloud#2958)]

##### βœ… Tests

- \[full-ci] gherkin steps refactoring. cleaning code \[[#3100](opencloud-eu/opencloud#3100)]
- \[decomposed] more cli command tests \[[#3087](opencloud-eu/opencloud#3087)]
- test(apiSpaces): a space admin can delete a space with no manager \[[#3040](opencloud-eu/opencloud#3040)]
- Update tests for [opencloud-eu/reva#655](opencloud-eu/reva#655) \[[#2889](opencloud-eu/opencloud#2889)]
- api-test: deleting space \[[#2970](opencloud-eu/opencloud#2970)]

##### πŸ“ˆ Enhancement

- feat: add disableSponsorLink web config option \[[#3093](opencloud-eu/opencloud#3093)]
- feat(graph): add MS Graph colon-syntax path lookup middleware \[[#2688](opencloud-eu/opencloud#2688)]
- feat: adjust theme chrome colors and logos \[[#2599](opencloud-eu/opencloud#2599)]
- add tls support for all nats connections \[[#2063](opencloud-eu/opencloud#2063)]
- feat: add more roles \[[#2928](opencloud-eu/opencloud#2928)]
- next to main \[[#2924](opencloud-eu/opencloud#2924)]
- feat: add core apps env variable to override the default core apps \[[#2930](opencloud-eu/opencloud#2930)]

##### πŸ“¦οΈ Dependencies

- build(deps): bump golang.org/x/image from 0.43.0 to 0.44.0 \[[#3112](opencloud-eu/opencloud#3112)]
- build(deps): bump golang.org/x/text from 0.39.0 to 0.40.0 \[[#3101](opencloud-eu/opencloud#3101)]
- \[full-ci] chore: bump web to v7.2.0 \[[#3121](opencloud-eu/opencloud#3121)]
- build(deps): bump golang.org/x/term from 0.44.0 to 0.45.0 \[[#3103](opencloud-eu/opencloud#3103)]
- build(deps): bump github.com/coreos/go-oidc/v3 from 3.19.0 to 3.20.0 \[[#3102](opencloud-eu/opencloud#3102)]
- build(deps): bump golang.org/x/text from 0.38.0 to 0.39.0 \[[#3085](opencloud-eu/opencloud#3085)]
- build(deps): bump github.com/go-chi/chi/v5 from 5.3.0 to 5.3.1 \[[#3073](opencloud-eu/opencloud#3073)]
- build(deps): bump github.com/nats-io/nats-server/v2 from 2.14.2 to 2.14.3 \[[#3063](opencloud-eu/opencloud#3063)]
- build(deps): bump github.com/gookit/config/v2 from 2.2.8 to 2.2.9 \[[#3075](opencloud-eu/opencloud#3075)]
- build(deps): bump github.com/open-policy-agent/opa from 1.18.1 to 1.18.2 \[[#3061](opencloud-eu/opencloud#3061)]
- build(deps): bump github.com/kovidgoyal/imaging from 1.8.21 to 1.8.22 \[[#3060](opencloud-eu/opencloud#3060)]
- build(deps): bump github.com/libregraph/lico from 0.66.0 to 0.67.0 \[[#3028](opencloud-eu/opencloud#3028)]
- chore: bump web to v7.2.0-beta.3 \[[#2953](opencloud-eu/opencloud#2953)]
- chore: bump reva to latest main \[[#2943](opencloud-eu/opencloud#2943)]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Token refresh during upload process ["Host requires authentication"]

2 participants