Conversation

@erezrokah

I already signed the CLA a while back for https://github.com/okta/okta-sdk-golang/pulls?q=is%3Apr+author%3Aerezrokah+is%3Aclosed. I can send it again if you don't have it

Summary

Fixes #554

Instead of #555 per #555 (comment)

Type of PR

  • Bug Fix (non-breaking fixes to existing functionality)
  • New Feature (non-breaking changes that add new functionality)
  • Documentation update
  • Test Updates
  • Other (Please describe the type)

Test Information

  • My PR required test updates

Go Version: go1.25.4 darwin/arm64
OS Version: macOS 26.1
OpenAPI Spec Version:

Signoff

  • I have submitted a CLA for this PR
  • Each commit message explains what the commit does
  • I have updated documentation to explain what my PR does
  • My code is covered by tests if required
  • I ran make fmt on my code
  • I did not edit any automatically generated files

@erezrokah erezrokah mentioned this pull request Dec 11, 2025
// Always rewind the request body when non-nil.
if bodyReader != nil {
req.Body = bodyReader()
if bOff.retryCount > 0 && (c.cfg.Okta.Client.AuthorizationMode == "PrivateKey" || c.cfg.Okta.Client.AuthorizationMode == "JWT") {
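Review bot: the DPoP-mode test on this line, `bOff.retryCount > 0 && (c.cfg.Okta.Client.AuthorizationMode == "PrivateKey" || c.cfg.Okta.Client.AuthorizationMode == "JWT")`, compares two string literals inline and the same expression is repeated further down in this diff; move it into a small helper on the client (a method that reports whether the configured authorization mode produces a DPoP-bound token) so the two sites cannot drift apart. As written it also fires on any retried request, whatever caused the retry, so a still-valid token is discarded even when the failure had nothing to do with authorization; if the intent is only to recover from a rejected proof, gate it on that.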
@erezrokah (Author) Dec 11, 2025

Difference from https://github.com/okta/terraform-provider-okta/pull/2421/files: we only clear the token when retryCount > 0; otherwise the token is generated on each initial request, which is wasteful I think.

headerParams := make(map[string]string)
queryParams := req.URL.Query()
req.URL.RawQuery = ""
auth, err := c.prepareRequest(ctx, req.URL.String(), req.Method, nil, headerParams, queryParams, url.Values{}, []formFile{})
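Review bot: `req.URL.RawQuery = ""` mutates the URL of the request that is about to be retried, not a copy, so unless prepareRequest (or code after these lines) writes queryParams back onto req, the retry goes out without its query string. Build the htu value from a copy instead, for example `u := *req.URL`, `u.RawQuery = ""`, and pass `u.String()` to prepareRequest while leaving req.URL untouched. Stripping the query is the right thing to do, since RFC 9449 defines htu as the target URI without query and fragment, which is why the full URL was rejected as an invalid htu claim; it just should not be done on the live request.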
@erezrokah (Author)

I had to use the full URL here without the query; otherwise I got an error that the htu claim is invalid.

}
operation := func() (*http.Response, error) {
// Always rewind the request body when non-nil.
if bodyReader != nil {
@erezrokah (Author) Dec 11, 2025

Another difference from https://github.com/okta/terraform-provider-okta/pull/2421/files: this is already done inside the if and else, so I removed the top-level req.Body = bodyReader().

req.Body = bodyReader()
if bOff.retryCount > 0 && (c.cfg.Okta.Client.AuthorizationMode == "PrivateKey" || c.cfg.Okta.Client.AuthorizationMode == "JWT") {
// Clear the token cache to force fresh authorization
// This will get a new access token and potentially a new nonce
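Review bot: the comment here promises that clearing the cache "will get a new access token", but the cache is shared by in-flight requests, so two goroutines retrying at the same moment will each clear it and each mint a token (the race the author raises in the thread). Do the clear and the re-mint as a single operation under the cache's lock, and skip the mint when another retry has already replaced the token since this request was sent, so only the first retry pays for a new token and the rest reuse it. The comment should also say that this runs on every retry in PrivateKey/JWT mode, not only after a nonce failure, since the condition on the line above does not distinguish the two.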
@erezrokah (Author) Dec 11, 2025

I'm not sure how this works with concurrent API requests; don't they share the cache, so we can have race conditions here?

@erezrokah (Author) Dec 11, 2025

I think the impact is that tokens can be generated more than needed:

  1. Request 1 retries, clears cache, calls prepareRequest which generates a new token
  2. Concurrently, request 2 retries, clears cache, generates new token but it could have used the token from ⬆️

Regardless, it seems the token cache is mostly best effort, as multiple concurrent requests can override the cache at any time if a cache entry had expired
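
The two points raised in the review comments above, the htu claim that must not carry the query string and the duplicate token minting when several requests retry at once, as an added Go example that is not code from okta-sdk-golang or from this PR. It derives htu from a request URL by dropping the query and fragment, as RFC 9449 section 4.2 requires, mints a fresh jti for every attempt so a retry never replays the failed attempt's proof, and uses a hypothetical generation-counting token cache (the names tokenCache, snapshot, refreshAfterFailure and simulateConcurrentRetries are assumptions, not SDK identifiers) so that of N goroutines retrying after the same token failed, only the first re-mints and the others reuse its result. Signing the claims into a JWS is left to a JWT library and not shown; the URLs and token strings are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/url"
	"sync"
	"time"
)

// dpopClaims is the claim set of a DPoP proof JWT (RFC 9449 section 4.2).
// Turning it into a signed JWS is left to the caller's JWT library.
type dpopClaims struct {
	HTM   string `json:"htm"`             // HTTP method the proof is bound to
	HTU   string `json:"htu"`             // target URI without query and fragment
	IAT   int64  `json:"iat"`             // issue time, seconds since the epoch
	JTI   string `json:"jti"`             // unique per proof; a retry needs a new one
	Nonce string `json:"nonce,omitempty"` // server-provided nonce, if one was issued
}

// htuFromURL derives the htu claim. RFC 9449 defines htu as the target URI
// without query and fragment, so a proof built from the full request URL
// (query included) is rejected as an invalid htu claim.
func htuFromURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	u.RawQuery = ""
	u.ForceQuery = false // drop a bare trailing "?" as well
	u.Fragment = ""
	u.RawFragment = ""
	return u.String(), nil
}

// newDPoPClaims builds the proof claims for one attempt. Every call draws a
// new random jti, so the proof of a failed attempt is never reused on retry.
func newDPoPClaims(method, rawURL, nonce string, now time.Time) (dpopClaims, error) {
	htu, err := htuFromURL(rawURL)
	if err != nil {
		return dpopClaims{}, err
	}
	var jti [16]byte
	if _, err := rand.Read(jti[:]); err != nil {
		return dpopClaims{}, err
	}
	return dpopClaims{HTM: method, HTU: htu, IAT: now.Unix(), JTI: hex.EncodeToString(jti[:]), Nonce: nonce}, nil
}

// tokenCache is a hypothetical access-token cache (not the SDK's). The
// generation counter lets a retrying caller tell whether the token it saw
// fail has already been replaced by someone else.
type tokenCache struct {
	mu    sync.Mutex
	token string
	gen   uint64 // incremented on every successful mint
	mints int    // number of mints performed; exposed for the demonstration
}

// snapshot returns the token to send and the generation it belongs to; a
// caller records the generation alongside the request it sends.
func (c *tokenCache) snapshot() (string, uint64) {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.token, c.gen
}

// refreshAfterFailure runs on the retry path. If the generation moved on
// since this caller sent its request, another retry already minted a new
// token and it is reused; otherwise mint runs while the lock is held, so
// concurrent retries cannot all clear and re-mint.
func (c *tokenCache) refreshAfterFailure(observedGen uint64, mint func() (string, error)) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.gen != observedGen && c.token != "" {
		return c.token, nil
	}
	tok, err := mint()
	if err != nil {
		return "", err
	}
	c.token = tok
	c.gen++
	c.mints++
	return tok, nil
}

// simulateConcurrentRetries models n requests that all used the same token,
// all failed, and all retry at once. It returns how many mints happened and
// the token each retry ended up with. Tokens here are constructed strings.
func simulateConcurrentRetries(n int) (int, []string) {
	c := &tokenCache{token: "tok-0"} // constructed starting token at generation 0
	_, gen := c.snapshot()           // every request observed the same generation
	counter := 0
	mint := func() (string, error) { // only ever called under c.mu
		counter++
		return fmt.Sprintf("tok-%d", counter), nil
	}
	tokens := make([]string, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			tok, _ := c.refreshAfterFailure(gen, mint)
			tokens[i] = tok // each goroutine writes its own index
		}(i)
	}
	wg.Wait()
	return c.mints, tokens
}

func main() {
	claims, err := newDPoPClaims("GET", "https://example.okta.com/api/v1/users?limit=200", "", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("htu=%s jti=%s\n", claims.HTU, claims.JTI)
	mints, tokens := simulateConcurrentRetries(4)
	fmt.Printf("mints=%d tokens=%v\n", mints, tokens)
}
```

The generation check only decides which of the racing retries does the work; expiry handling and the decision of when a retry should refresh at all (every retry, or only after a rejected proof) still have to live in the client's retry policy.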


Development

Successfully merging this pull request may close these issues.

Retries Do not recreate DPop Proof