Implement OIDC metadata caching with expiration #979

Closed

@lovasoa (Collaborator) commented Jul 28, 2025

Implement OIDC provider metadata caching to support key rotation and improve robustness.

Previously, OIDC provider metadata was discovered only once at startup and never refreshed, which prevented the system from picking up rotated signing keys and could lead to authentication failures or security vulnerabilities. This PR introduces a caching mechanism that refreshes the metadata and recreates the OIDC client on-demand, with a 24-hour cache duration and a 5-minute minimum refresh interval, ensuring key rotation is handled gracefully while providing robust fallback behavior.
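The refresh policy described above, sketched as an added example; it is not code from this pull request or from the project. The `Metadata` and `MetadataCache` types, the `get_for_kid` method and the decision to refetch on an unknown `kid` are assumptions made for illustration; only the 24-hour and 5-minute durations come from the description.

```rust
use std::time::{Duration, Instant};

// Durations quoted in the PR description.
const MAX_AGE: Duration = Duration::from_secs(24 * 60 * 60);
const MIN_REFRESH_INTERVAL: Duration = Duration::from_secs(5 * 60);

/// Hypothetical stand-in for provider metadata: only the signing key ids.
#[derive(Clone, Debug, PartialEq)]
pub struct Metadata { pub key_ids: Vec<String> }

pub struct MetadataCache {
    current: Metadata,
    fetched_at: Instant,   // last successful fetch
    last_attempt: Instant, // last fetch attempt, successful or not
}

impl MetadataCache {
    pub fn new(initial: Metadata, now: Instant) -> Self {
        Self { current: initial, fetched_at: now, last_attempt: now }
    }

    /// Metadata to verify a token whose header names `kid`. Refetches when the
    /// cache has expired or `kid` is unknown (possible rotation), but never more
    /// often than MIN_REFRESH_INTERVAL, so bogus kids cannot trigger a fetch each.
    pub fn get_for_kid<F>(&mut self, kid: &str, now: Instant, fetch: F) -> &Metadata
    where F: FnOnce() -> Result<Metadata, String>,
    {
        let expired = now.duration_since(self.fetched_at) >= MAX_AGE;
        let unknown_kid = !self.current.key_ids.iter().any(|k| k == kid);
        let throttled = now.duration_since(self.last_attempt) < MIN_REFRESH_INTERVAL;
        if (expired || unknown_kid) && !throttled {
            self.last_attempt = now;
            // Fallback: on failure keep the stale copy so a provider outage does
            // not break verification with keys that are already known.
            if let Ok(fresh) = fetch() {
                self.current = fresh;
                self.fetched_at = now;
            }
        }
        &self.current
    }
}

fn main() {
    let t0 = Instant::now();
    let mut cache = MetadataCache::new(Metadata { key_ids: vec!["k1".into()] }, t0);
    let rotated = || Ok::<_, String>(Metadata { key_ids: vec!["k1".into(), "k2".into()] });
    let m = cache.get_for_kid("k2", t0 + MIN_REFRESH_INTERVAL, rotated);
    println!("keys after rotation: {:?}", m.key_ids);
}
```

Passing `now` and the fetch closure as arguments keeps the policy testable without a real clock or network.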



@lovasoa (Collaborator, Author) commented Jul 28, 2025

reported by @alexisrc1

@lovasoa (Collaborator, Author) commented Jul 28, 2025

@cursor review

@cursor cursor bot left a comment

cursoragent and others added 5 commits July 28, 2025 23:38
…eatures

- Preserved production-grade OIDC metadata caching implementation
- Added support for multiple JWT audiences from main branch
- Updated function signatures to match main (process_oidc_callback, get_authenticated_user_info)
- Added handle_authenticated_oidc_callback support for already-authenticated users
- Maintained async caching functionality with proper HTTP client access
- Resolved all merge conflicts while keeping both new features and security fixes
@lovasoa lovasoa closed this Jul 31, 2025