Do not try to validate OAuth tokens that are known to be invalid #15890
Labels
customer-reported: Bugs reported by enterprise customers. Only humans may set this.
need-backend: Issues that need backend work
s2: Broken use cases or features (with a workaround). Only humans may set this.
security: Area: security
Related to #14982
Problem
At present, every time a request for an external auth token is made, ValidateToken is called. If the JWT is not expired, but revoked on the IdP side, then Coder will consistently retry to use the token. This can cause excessive IdP requests, and hit rate limits.
Failed refreshes were fixed such that they are not retried here: #15608
Solution
Do not reuse invalid tokens, caching the invalid error and preventing them from causing duplicate failed requests.
Notes
validate_url? If hit, deleting the external auth link would prevent reuse, or caching the error in the database.
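
One way to implement the negative caching this issue proposes, as an added example that is not Coder's code. NegativeCache, ErrTokenInvalid and the injected validate function are hypothetical names; the sketch assumes the IdP call can tell a definitive rejection from a transient failure, and it keeps entries in memory rather than in the database.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrTokenInvalid is a hypothetical sentinel for a definitive IdP rejection.
var ErrTokenInvalid = errors.New("token rejected by IdP")

// NegativeCache remembers rejected tokens by hash, never the raw token.
type NegativeCache struct {
	mu       sync.Mutex
	ttl      time.Duration
	now      func() time.Time
	rejected map[[32]byte]time.Time   // SHA-256(token) -> entry expiry
	validate func(token string) error // the real IdP round trip (assumed)
}
func NewNegativeCache(ttl time.Duration, validate func(string) error) *NegativeCache {
	return &NegativeCache{ttl: ttl, now: time.Now, rejected: map[[32]byte]time.Time{}, validate: validate}
}

// Validate short-circuits known-bad tokens; transient errors are not cached.
func (c *NegativeCache) Validate(token string) error {
	key := sha256.Sum256([]byte(token))
	c.mu.Lock()
	exp, hit := c.rejected[key]
	c.mu.Unlock()
	if hit && c.now().Before(exp) {
		return ErrTokenInvalid // known bad: no IdP request is made
	}
	err := c.validate(token)
	if errors.Is(err, ErrTokenInvalid) {
		c.mu.Lock()
		c.rejected[key] = c.now().Add(c.ttl)
		c.mu.Unlock()
	}
	return err
}

func main() {
	calls := 0
	c := NewNegativeCache(time.Minute, func(string) error { calls++; return ErrTokenInvalid })
	_, _ = c.Validate("constructed-token"), c.Validate("constructed-token")
	fmt.Println("IdP calls:", calls)
}
```

The TTL bounds how long a rejection is trusted, so a token the IdP later accepts again is rechecked once the entry expires.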