fix(storage/ent): retry refresh token update on serialization failures

Mirror the SQL backend fix in the ent storage. UpdateRefreshToken runs
in a SERIALIZABLE transaction and aborts with a serialization failure
under concurrent rotation of the same token, surfacing as HTTP 500.

Wrap the refresh-token update in a bounded, jittered retry that re-runs
the transaction on transient serialization/deadlock failures, detected
per-driver (Postgres 40001/40P01, MySQL 1213/1205) via errors.As over
the ent-wrapped driver error.

Enables the previously-disabled refresh-token concurrency conformance
tests for Postgres, MySQL and MySQL 8.

Signed-off-by: Ronan <ronanpalmeiras@gmail.com>

refactor(storage): extract shared SQL retry policy into sqlretry

refactor(storage): extract shared SQL retry policy into sqlretry

Signed-off-by: Ronan <ronanpalmeiras@gmail.com>

Author: RonnanSouza

storage/ent/client/refreshtoken.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/dexidp/dex/storage"
+	"github.com/dexidp/dex/storage/sqlretry"
 )
 
 // CreateRefresh saves provided refresh token into the database.
@@ -66,7 +67,20 @@ func (d *Database) DeleteRefresh(ctx context.Context, id string) error {
 }
 
 // UpdateRefreshToken changes a refresh token by id using an updater function and saves it to the database.
+//
+// The update runs in a SERIALIZABLE transaction; under concurrent refresh-token
+// rotation of the same token the database aborts conflicting transactions with a
+// serialization failure. Retry the whole transaction on those transient errors
+// so concurrent refreshes succeed instead of surfacing as 500s.
 func (d *Database) UpdateRefreshToken(ctx context.Context, id string, updater func(old storage.RefreshToken) (storage.RefreshToken, error)) error {
+	return sqlretry.Do(
+		func() error { return d.updateRefreshTokenOnce(ctx, id, updater) },
+		sqlretry.IsSerializationFailure,
+		nil,
+	)
+}
+
+func (d *Database) updateRefreshTokenOnce(ctx context.Context, id string, updater func(old storage.RefreshToken) (storage.RefreshToken, error)) error {
 	tx, err := d.BeginTx(ctx)
 	if err != nil {
 		return convertDBError("update refresh token tx: %w", err)

storage/ent/mysql_test.go

@@ -105,11 +105,7 @@ func TestMySQL(t *testing.T) {
 	}
 	conformance.RunTests(t, newStorage)
 	conformance.RunTransactionTests(t, newStorage)
-
-	// TODO(nabokihms): ent MySQL does not retry on deadlocks (Error 1213, SQLSTATE 40001:
-	// Deadlock found when trying to get lock; try restarting transaction).
-	// Under high contention most updates fail.
-	// conformance.RunConcurrencyTests(t, newStorage)
+	conformance.RunConcurrencyTests(t, newStorage)
 }
 
 func TestMySQL8(t *testing.T) {
@@ -131,11 +127,7 @@ func TestMySQL8(t *testing.T) {
 	}
 	conformance.RunTests(t, newStorage)
 	conformance.RunTransactionTests(t, newStorage)
-
-	// TODO(nabokihms): ent MySQL 8 does not retry on deadlocks (Error 1213, SQLSTATE 40001:
-	// Deadlock found when trying to get lock; try restarting transaction).
-	// Under high contention most updates fail.
-	// conformance.RunConcurrencyTests(t, newStorage)
+	conformance.RunConcurrencyTests(t, newStorage)
 }
 
 func TestMySQLDSN(t *testing.T) {

storage/ent/postgres_test.go

@@ -65,11 +65,7 @@ func TestPostgres(t *testing.T) {
 	}
 	conformance.RunTests(t, newStorage)
 	conformance.RunTransactionTests(t, newStorage)
-
-	// TODO(nabokihms): ent Postgres uses SERIALIZABLE transaction isolation for UpdateRefreshToken,
-	// but does not retry on serialization failures (pq: could not serialize access due to
-	// concurrent update, SQLSTATE 40001). Under high contention most updates fail immediately.
-	// conformance.RunConcurrencyTests(t, newStorage)
+	conformance.RunConcurrencyTests(t, newStorage)
 }
 
 func TestPostgresDSN(t *testing.T) {

storage/sql/config.go

@@ -4,7 +4,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"database/sql"
-	"errors"
 	"fmt"
 	"log/slog"
 	"net"
@@ -18,22 +17,19 @@ import (
 	"github.com/lib/pq"
 
 	"github.com/dexidp/dex/storage"
+	"github.com/dexidp/dex/storage/sqlretry"
 )
 
 const (
 	// postgres error codes
-	pgErrUniqueViolation      = "23505" // unique_violation
-	pgErrSerializationFailure = "40001" // serialization_failure
-	pgErrDeadlockDetected     = "40P01" // deadlock_detected
+	pgErrUniqueViolation = "23505" // unique_violation
 )
 
 const (
 	// MySQL error codes
 	mysqlErrDupEntry            = 1062
 	mysqlErrDupEntryWithKeyName = 1586
 	mysqlErrUnknownSysVar       = 1193
-	mysqlErrLockDeadlock        = 1213 // ER_LOCK_DEADLOCK
-	mysqlErrLockWaitTimeout     = 1205 // ER_LOCK_WAIT_TIMEOUT
 )
 
 const (
@@ -200,15 +196,7 @@ func (p *Postgres) open(logger *slog.Logger) (*conn, error) {
 		return sqlErr.Code == pgErrUniqueViolation
 	}
 
-	retryCheck := func(err error) bool {
-		var sqlErr *pq.Error
-		if !errors.As(err, &sqlErr) {
-			return false
-		}
-		return sqlErr.Code == pgErrSerializationFailure || sqlErr.Code == pgErrDeadlockDetected
-	}
-
-	c := &conn{db, &flavorPostgres, logger, errCheck, retryCheck}
+	c := &conn{db, &flavorPostgres, logger, errCheck, sqlretry.IsSerializationFailure}
 	if _, err := c.migrate(); err != nil {
 		return nil, fmt.Errorf("failed to perform migrations: %v", err)
 	}
@@ -320,16 +308,7 @@ func (s *MySQL) open(logger *slog.Logger) (*conn, error) {
 			sqlErr.Number == mysqlErrDupEntryWithKeyName
 	}
 
-	retryCheck := func(err error) bool {
-		var sqlErr *mysql.MySQLError
-		if !errors.As(err, &sqlErr) {
-			return false
-		}
-		return sqlErr.Number == mysqlErrLockDeadlock ||
-			sqlErr.Number == mysqlErrLockWaitTimeout
-	}
-
-	c := &conn{db, &flavorMySQL, logger, errCheck, retryCheck}
+	c := &conn{db, &flavorMySQL, logger, errCheck, sqlretry.IsSerializationFailure}
 	if _, err := c.migrate(); err != nil {
 		return nil, fmt.Errorf("failed to perform migrations: %v", err)
 	}

storage/sql/sql.go

@@ -4,13 +4,14 @@ package sql
 import (
 	"database/sql"
 	"log/slog"
-	"math/rand"
 	"regexp"
 	"time"
 
 	// import third party drivers
 	_ "github.com/lib/pq"
 	_ "github.com/mattn/go-sqlite3"
+
+	"github.com/dexidp/dex/storage/sqlretry"
 )
 
 // flavor represents a specific SQL implementation, and is used to translate query strings
@@ -161,20 +162,6 @@ func (c *conn) QueryRow(query string, args ...interface{}) *sql.Row {
 	return c.db.QueryRow(query, c.translateArgs(args)...)
 }
 
-// Bounded retry policy for transient transaction failures (serialization
-// failures / deadlocks under SERIALIZABLE isolation). Postgres requires
-// applications to be prepared to retry transactions aborted with SQLSTATE
-// 40001; see https://www.postgresql.org/docs/current/transaction-iso.html.
-//
-// This is applied narrowly to execTxWithRetry calls, 8 retries comfortably
-// absorbs realistic refresh-token contention (a handful of concurrent rotations
-// of the same token).
-const txMaxRetries = 8
-
-// txRetryBackoffMs is the per-attempt base backoff in milliseconds. The last
-// element is reused for any attempt beyond its length;
-var txRetryBackoffMs = []int{5, 10, 25, 50, 100}
-
 // ExecTx runs a method which operates on a transaction.
 func (c *conn) ExecTx(fn func(tx *trans) error) error {
 	if c.flavor.executeTx != nil {
@@ -198,19 +185,14 @@ func (c *conn) ExecTx(fn func(tx *trans) error) error {
 // serialization/deadlock failures. Retrying is safe because the closure re-reads
 // current state in a fresh transaction on each attempt.
 func (c *conn) execTxWithRetry(fn func(tx *trans) error) error {
-	for attempt := 0; ; attempt++ {
-		err := c.ExecTx(fn)
-		if err == nil || c.txRetryCheck == nil || !c.txRetryCheck(err) || attempt >= txMaxRetries {
-			return err
-		}
-
-		c.logger.Warn("retrying transaction after transient failure",
-			"attempt", attempt+1, "max_attempts", txMaxRetries, "err", err)
-
-		backoff := txRetryBackoffMs[min(attempt, len(txRetryBackoffMs)-1)]
-		jitter := rand.Intn(backoff + 1)
-		time.Sleep(time.Duration(backoff+jitter) * time.Millisecond)
-	}
+	return sqlretry.Do(
+		func() error { return c.ExecTx(fn) },
+		c.txRetryCheck,
+		func(attempt int, err error) {
+			c.logger.Warn("retrying transaction after transient failure",
+				"attempt", attempt, "max_attempts", sqlretry.MaxRetries, "err", err)
+		},
+	)
 }
 
 type trans struct {

storage/sql/sql_retry_test.go

@@ -8,6 +8,8 @@ import (
 	"errors"
 	"log/slog"
 	"testing"
+
+	"github.com/dexidp/dex/storage/sqlretry"
 )
 
 // errRetryable is a sentinel used to drive the txRetryCheck in tests.
@@ -60,8 +62,8 @@ func TestExecTxWithRetryGivesUpAfterMaxRetries(t *testing.T) {
 	if !errors.Is(err, errRetryable) {
 		t.Fatalf("expected retryable error to be returned, got: %v", err)
 	}
-	// 1 initial attempt + txMaxRetries retries.
-	if want := txMaxRetries + 1; attempts != want {
+	// 1 initial attempt + sqlretry.MaxRetries retries.
+	if want := sqlretry.MaxRetries + 1; attempts != want {
 		t.Fatalf("expected %d attempts, got %d", want, attempts)
 	}
 }

storage/sql/sqlite.go

@@ -45,8 +45,6 @@ func (s *SQLite3) open(logger *slog.Logger) (*conn, error) {
 		return sqlErr.ExtendedCode == sqlite3.ErrConstraintPrimaryKey
 	}
 
-	// SQLite serializes writes with a single writer lock, so it does not
-	// surface serialization failures the way Postgres/MySQL do; no retries.
 	c := &conn{db, &flavorSQLite3, logger, errCheck, nil}
 	if _, err := c.migrate(); err != nil {
 		return nil, fmt.Errorf("failed to perform migrations: %v", err)

storage/sqlretry/sqlretry.go

@@ -0,0 +1,84 @@
+// Package sqlretry provides a shared retry policy for transient SQL transaction
+// failures (serialization failures / deadlocks under SERIALIZABLE isolation).
+//
+// It is used by both SQL-backed storages — storage/sql (raw database/sql) and
+// storage/ent (the ent ORM) — which both run refresh-token rotation in a
+// SERIALIZABLE transaction and must be prepared to retry transactions the
+// database aborts under concurrency.
+package sqlretry
+
+import (
+	"errors"
+	"math/rand"
+	"time"
+
+	"github.com/go-sql-driver/mysql"
+	"github.com/lib/pq"
+)
+
+// MaxRetries is the maximum number of retries; the initial attempt is not
+// counted. Postgres requires applications to be prepared to retry transactions
+// aborted with SQLSTATE 40001; see
+// https://www.postgresql.org/docs/current/transaction-iso.html.
+//
+// 8 retries comfortably absorbs realistic refresh-token contention; combined
+// with jittered backoff — which de-synchronizes the retrying transactions so
+// effective concurrency at any instant stays low — it also survives pathological
+// high-contention conformance tests, while bounding worst-case latency.
+const MaxRetries = 8
+
+// backoffMs is the per-attempt base backoff in milliseconds. The last element is
+// reused for any attempt beyond its length; a random jitter of up to the same
+// magnitude is added on top to de-synchronize retrying transactions (avoid a
+// thundering herd).
+var backoffMs = []int{5, 10, 25, 50, 100}
+
+const (
+	pgErrSerializationFailure = "40001" // serialization_failure
+	pgErrDeadlockDetected     = "40P01" // deadlock_detected
+	mysqlErrLockDeadlock      = 1213    // ER_LOCK_DEADLOCK
+	mysqlErrLockWaitTimeout   = 1205    // ER_LOCK_WAIT_TIMEOUT
+)
+
+// IsSerializationFailure reports whether err is a transient transaction failure
+// (serialization failure or deadlock) that is safe to retry by re-running the
+// whole transaction. It understands both the lib/pq and go-sql-driver/mysql
+// error types, unwrapping the error chain with errors.As.
+func IsSerializationFailure(err error) bool {
+	var pqErr *pq.Error
+	if errors.As(err, &pqErr) {
+		return pqErr.Code == pgErrSerializationFailure || pqErr.Code == pgErrDeadlockDetected
+	}
+
+	var myErr *mysql.MySQLError
+	if errors.As(err, &myErr) {
+		return myErr.Number == mysqlErrLockDeadlock || myErr.Number == mysqlErrLockWaitTimeout
+	}
+
+	return false
+}
+
+// Do runs fn, retrying the whole operation on transient serialization/deadlock
+// failures with bounded, jittered backoff. Retrying is safe only when fn opens a
+// fresh transaction and re-reads current state on each attempt.
+//
+// isRetryable classifies an error as transient; if nil, no retries are performed
+// (used by backends, such as SQLite, that don't surface serialization failures).
+// onRetry, if non-nil, is called before each backoff sleep with the upcoming
+// (1-based) attempt number and the error that triggered the retry — e.g. for
+// logging.
+func Do(fn func() error, isRetryable func(error) bool, onRetry func(attempt int, err error)) error {
+	for attempt := 0; ; attempt++ {
+		err := fn()
+		if err == nil || isRetryable == nil || !isRetryable(err) || attempt >= MaxRetries {
+			return err
+		}
+
+		if onRetry != nil {
+			onRetry(attempt+1, err)
+		}
+
+		backoff := backoffMs[min(attempt, len(backoffMs)-1)]
+		time.Sleep(time.Duration(backoff+rand.Intn(backoff+1)) * time.Millisecond)
+	}
+}