Fix OIDC metadata caching: simple periodic refresh approach#981

Closed
lovasoa wants to merge 1 commit into main from simple-oidc-refresh

Conversation

lovasoa (Collaborator) commented Jul 30, 2025
  • Add RwLock wrapper around OidcClient for atomic updates
  • Spawn background task that refreshes provider metadata every 6 hours
  • Replace entire client atomically when new metadata is available
  • Use blocking reads for client access (fast, simple)
  • Log refresh attempts and failures for operational visibility

This fixes the key rotation vulnerability where OIDC provider metadata was fetched only once at startup. The solution is explicit, minimal, and much simpler than complex on-demand caching approaches.

Changes: ~77 lines vs 450+ in previous complex implementation
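The pattern the description outlines (an RwLock wrapper, a background task that periodically refetches provider metadata, and atomic replacement of the whole client) as an added Rust example; this is not the PR's own diff. `OidcClient` is a hypothetical stand-in with only the fields the example needs, the `fetch` closure replaces the real discovery and JWKS request, and the refresher uses a plain thread rather than the project's runtime. It also shows the behaviour a reviewer would check: a failed refresh keeps the previously working client instead of clearing it.

```rust
use std::sync::{Arc, RwLock};
use std::thread;
use std::time::Duration;

/// Hypothetical stand-in for the real OidcClient: only the fields this example needs.
#[derive(Clone, Debug, PartialEq)]
pub struct OidcClient {
    pub issuer: String,
    pub jwks_uri: String,
    /// Key IDs currently published by the provider (constructed sample data in tests).
    pub key_ids: Vec<String>,
}

/// Shared handle: request handlers take a blocking read lock, the refresher swaps the whole value.
pub type SharedOidcClient = Arc<RwLock<OidcClient>>;

/// One refresh step; `fetch` stands in for the discovery + JWKS network request.
/// Success replaces the entire client under the write lock (atomic from a reader's view).
/// Failure keeps the previously working client, so a provider outage never leaves the
/// server without a usable client. Returns Ok(true) when the metadata actually changed.
pub fn refresh_once<F>(shared: &SharedOidcClient, fetch: F) -> Result<bool, String>
where
    F: FnOnce() -> Result<OidcClient, String>,
{
    match fetch() {
        Ok(fresh) => {
            let mut guard = shared.write().map_err(|_| "lock poisoned".to_string())?;
            let changed = *guard != fresh;
            *guard = fresh;
            Ok(changed)
        }
        Err(e) => {
            eprintln!("OIDC metadata refresh failed, keeping previous client: {e}");
            Err(e)
        }
    }
}

/// Background refresher: sleep `interval`, refresh, repeat for the life of the process.
pub fn spawn_refresher<F>(shared: SharedOidcClient, interval: Duration, fetch: F) -> thread::JoinHandle<()>
where
    F: Fn() -> Result<OidcClient, String> + Send + 'static,
{
    thread::spawn(move || loop {
        thread::sleep(interval);
        let _ = refresh_once(&shared, &fetch); // failures are already logged inside refresh_once
    })
}

/// Request-path access: a blocking read, cloned out so the lock is held only briefly.
pub fn current_client(shared: &SharedOidcClient) -> OidcClient {
    shared.read().expect("lock poisoned").clone()
}
```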
@lovasoa lovasoa closed this Jul 31, 2025