Bug #22228
open
Report the correct upstream expires_at value for cached remote ApiClientAuthorizations
Description
Steps to reproduce:
1. Log into Workbench on a Curii cluster.
2. User menu→Get API token
3. Note the token expires in 14 days, per cluster configuration.
4. Close the dialog.
5. User menu→Get API token
Expected behavior: The token still expires in 14 days.
Actual behavior: The dialog reports that the token expires in 5 minutes. This is apparently a Workbench display bug: fetching the API token with another client still reports the expected expires_at. This behavior appears across clients. You can replace step 5 with arv api_client_authorization current (using the token you got in step 2) and see a 5-minute expiry there too.
Proposed solution:
Add an internal column called refresh_at which determines when the token expires or must be refreshed. It is set to the earlier of expires_at or now + token refresh time (only if the token is federated).
Token validation only checks this new column.
This way, expires_at reflects the upstream value, but the actual API server behavior is what we want.
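The proposed refresh_at scheme, sketched as an added example in plain Ruby (this is not Arvados code and not part of the original report). CachedToken, REFRESH_TTL and the upstream callable are hypothetical names, and the model assumes every token has an expiry.

```ruby
# Added illustration in plain Ruby, not Arvados code. CachedToken, REFRESH_TTL
# and the upstream callable are hypothetical; every token is assumed to expire.
REFRESH_TTL = 5 * 60 # seconds; stands in for the cluster's token refresh time

class CachedToken
  attr_reader :expires_at, :refresh_at

  # upstream: callable returning the issuing cluster's current expires_at for
  # this token (nil once revoked). Leave it nil for a locally issued token.
  def initialize(now:, expires_at: nil, upstream: nil)
    @upstream = upstream
    @expires_at = @refresh_at = expires_at
    refresh!(now) if federated?
  end

  def federated?
    !@upstream.nil?
  end

  # expires_at keeps the upstream value untouched; only refresh_at carries
  # the shorter local deadline.
  def refresh!(now)
    @expires_at = @upstream.call
    @refresh_at = @expires_at && [@expires_at, now + REFRESH_TTL].min
  end

  # Validation reads refresh_at only. A federated token that has reached it
  # is re-checked upstream instead of being reported as expired.
  def valid?(now)
    refresh!(now) if federated? && @refresh_at && now >= @refresh_at
    !@refresh_at.nil? && now < @refresh_at
  end
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.utc(2025, 3, 1)            # constructed sample values
  upstream_expiry = t0 + 14 * 86_400   # 14 days, as in the report
  tok = CachedToken.new(now: t0, upstream: -> { upstream_expiry })
  puts "expires_at=#{tok.expires_at} refresh_at=#{tok.refresh_at}"
  puts "valid 10 minutes later: #{tok.valid?(t0 + 600)}"
  puts "expires_at still #{tok.expires_at}"
end
```
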
Updated by Peter Amstutz 5 months ago
This inconsistency might be due to federation. The token is only valid on the satellite cluster for a certain amount of time (which I think defaults to 5m) before it needs to be re-validated. To get the true expiration time requires contacting the upstream cluster. It seems like controller isn't doing that, and neither is workbench.
Updated by Peter Amstutz 3 months ago
- Target version set to Development 2025-01-29
Updated by Peter Amstutz 2 months ago
- Target version changed from Development 2025-01-29 to Development 2025-02-12
Updated by Peter Amstutz about 2 months ago
- Target version changed from Development 2025-02-12 to Development 2025-02-26
Updated by Peter Amstutz 27 days ago
- Target version changed from Development 2025-02-26 to Development 2025-03-19
Updated by Peter Amstutz 13 days ago
- Category changed from Workbench2 to API
- Description updated (diff)
Updated by Brett Smith 6 days ago
- Target version changed from Development 2025-03-19 to Development 2025-02-26
Updated by Brett Smith 6 days ago
- Target version changed from Development 2025-02-26 to Development 2025-03-19
Updated by Brett Smith 5 days ago
- Subject changed from Viewing API token a second time reports it expires in 5 minutes to Report the correct upstream expires_at value for cached remote ApiClientAuthorizations
Updated by Brett Smith 5 days ago
Note that the Rails upgrade in progress on #22608 touches some of this code so there's a risk of merge conflicts if both are in development at once.