From 6dde2839df46d2b42c7b9cf7ecb54a2a3783a2c6 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Wed, 18 Feb 2026 12:47:32 +0100
Subject: [PATCH] fix(oidc_auth): Fix userinfo cache expiration logic

When the userinfo claims store in the usercache is found to be expired, do not return an error but ignore the cached entry and force a re-verification of the access token (either via parsing the JWT again or via a UserInfo lookup). This is required for setups with non-JWT access tokes where the expiry date set in the cached claims does not reflect the actual token expiry, but just the CacheTTL.

Fixes: #1493
---
 services/proxy/pkg/middleware/oidc_auth.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/services/proxy/pkg/middleware/oidc_auth.go b/services/proxy/pkg/middleware/oidc_auth.go
index b797fcac0d..18e0ef3344 100644
--- a/services/proxy/pkg/middleware/oidc_auth.go
+++ b/services/proxy/pkg/middleware/oidc_auth.go
@@ -8,7 +8,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/pkg/oidc"
 	"github.com/pkg/errors"
@@ -68,12 +67,13 @@ func (m *OIDCAuthenticator) getClaims(token string, req *http.Request) (map[stri
 	if len(record) > 0 {
 		if err = msgpack.Unmarshal(record[0].Value, &claims); err == nil {
 			m.Logger.Debug().Interface("claims", claims).Msg("cache hit for userinfo")
-			if ok := verifyExpiresAt(claims, m.TimeFunc()); !ok {
-				return nil, false, jwt.ErrTokenExpired
+			if verifyExpiresAt(claims, m.TimeFunc()) {
+				return claims, false, nil
 			}
-			return claims, false, nil
+			m.Logger.Debug().Msg("cached userinfo claims expired, ignoring cache")
+		} else {
+			m.Logger.Error().Err(err).Msg("failed to unmarshal cached userinfo, ignoring cache")
 		}
-		m.Logger.Error().Err(err).Msg("could not unmarshal userinfo")
 	}
 
 	aClaims, claims, err := m.oidcClient.VerifyAccessToken(req.Context(), token)
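Review bot: The fall-through after the new `verifyExpiresAt` check in getClaims is intentional but not stated, so a reader sees a Debug log followed by nothing and has to infer that control continues to the VerifyAccessToken call; a one-line comment above the `if len(record) > 0 {` block such as `// an expired or unreadable cache entry is ignored and the token is re-verified below` would make the contract explicit. Note also that the expired entry is only ignored, not evicted, so until it is overwritten every request carrying that token appears to pay the unmarshal plus a full re-verification, which is worth confirming against the store path where fresh claims are written back to the cache (not visible in this hunk). The local `claims` still holds the expired map between the Debug log and the reassignment on the VerifyAccessToken line, which is harmless here but is the kind of state a later edit between those lines could misuse. getClaims begins before and ends after this hunk.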