Fix Spurious Logouts (#103)

When restarting your laptop, it need to re-establish wifi, and during that period any refresh token requests will fail as DNS is down. Wrap the initial OIDC service discovery in a retry to attempt to ride out the storm.
unikorn-cloud · Jul 16, 2024 · 3a9d370 · 3a9d370
1 parent c4e96b5
commit 3a9d370
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 8 deletions.
diff --git a/charts/identity/Chart.yaml b/charts/identity/Chart.yaml
@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn's IdP
 
 type: application
 
-version: v0.2.26
-appVersion: v0.2.26
+version: v0.2.27
+appVersion: v0.2.27
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
 

diff --git a/go.mod b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	github.com/unikorn-cloud/core v0.1.59
+	github.com/unikorn-cloud/core v0.1.61
 	go.opentelemetry.io/otel v1.28.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0
 	go.opentelemetry.io/otel/sdk v1.28.0

diff --git a/go.sum b/go.sum
@@ -127,8 +127,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-github.com/unikorn-cloud/core v0.1.59 h1:Fow+RmWADvIHcDGnKxeE+m7uJzq2ARJb1/nPA2tY6+o=
-github.com/unikorn-cloud/core v0.1.59/go.mod h1:Cd0zU1LrKo+OwnnCwuTQ+QL3yibnkjDHtkujfDM4AdE=
+github.com/unikorn-cloud/core v0.1.61 h1:mnQ+43wKTsXYHRztiC0ddUS+ZZ2OaIdy5JYjDlaRpg4=
+github.com/unikorn-cloud/core v0.1.61/go.mod h1:Cd0zU1LrKo+OwnnCwuTQ+QL3yibnkjDHtkujfDM4AdE=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

diff --git a/pkg/oauth2/oauth2.go b/pkg/oauth2/oauth2.go
@@ -42,6 +42,7 @@ import (
 	"github.com/unikorn-cloud/core/pkg/authorization/userinfo"
 	coreopenapi "github.com/unikorn-cloud/core/pkg/openapi"
 	"github.com/unikorn-cloud/core/pkg/server/errors"
+	"github.com/unikorn-cloud/core/pkg/util/retry"
 	unikornv1 "github.com/unikorn-cloud/identity/pkg/apis/unikorn/v1alpha1"
 	"github.com/unikorn-cloud/identity/pkg/jose"
 	"github.com/unikorn-cloud/identity/pkg/oauth2/providers"
@@ -964,9 +965,29 @@ func (a *Authenticator) Token(w http.ResponseWriter, r *http.Request) (*openapi.
 			return nil, err
 		}
 
-		provider, err := newOIDCProvider(r.Context(), providerResource)
-		if err != nil {
-			return nil, err
+		// Quality of life improvement, when you are a road-warrior, you are going
+		// to get an expired access token almost immediately, and a token refresh
+		// well before Wifi comes up, so allow retries while DNS errors are
+		// occurring, within reason.
+		var provider *oidc.Provider
+
+		//nolint:contextcheck
+		callback := func() error {
+			t, err := newOIDCProvider(r.Context(), providerResource)
+			if err != nil {
+				return err
+			}
+
+			provider = t
+
+			return nil
+		}
+
+		retryContext, cancel := context.WithTimeout(r.Context(), 30*time.Second)
+		defer cancel()
+
+		if err := retry.Forever().DoWithContext(retryContext, callback); err != nil {
+			return nil, errors.OAuth2ServerError("failed to perform provider discovery").WithError(err)
 		}
 
 		refreshToken := &oauth2.Token{