fix: self-heal OIDC token on a reused vmx_client() (GEN-2344)#14
Merged
Conversation
Resolve the bearer token per request via a provider closure instead of freezing the OIDC access token at construction. A persistent `con <- vmx_client()` (the dominant R idiom) now re-reads the cache and silently refreshes the short-lived access token from the cached refresh token, so it keeps working across a full session instead of throwing vmx_auth_error minutes in. Also addresses the agreed PR #13 review nits: - Wrap .vmx_oidc_device_flow() failures (user-denied / code-expired / polling-exhausted) as vmx_auth_error so they stay in the vmx_error hierarchy. - Don't silently clobber a config-mismatched cache on interactive auto-login: warn before overwriting (the cache is shared with the CLI); non-interactive raises a message naming the mismatch. - Reword the "no usable cached token" message so it is accurate when a token exists but is expired-without-refresh or for another config. - Document VMX_OIDC_TOKEN_CACHE as a testing-only override. Tests: reused-client stale path (the structural gap), skew-boundary (valid token returned without refresh; within-skew refreshed), config-mismatch handling, and device-flow error wrapping. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
con <- vmx_client()silently refreshes the short-lived access token from the cached refresh token and keeps working across a full session (no morevmx_auth_errorminutes in)..vmx_oidc_device_flow()failures (user-denied / code-expired / polling-exhausted) asvmx_auth_error; warn before overwriting a config-mismatched cache on interactive auto-login (and name the mismatch non-interactively) instead of silently clobbering the CLI-shared cache; reword the "no usable cached token" message to state the actual cause; documentVMX_OIDC_TOKEN_CACHEas testing-only.Closes GEN-2344
Design note
Scope offered either refresh-on-401+retry or a token-provider closure. Chose the closure (Option B): re-resolving per request lets the existing skew-based proactive refresh self-heal before a 401, whereas refresh-on-401 against a frozen
client$tokenwould 401→refresh→retry on every request after expiry (the frozen string never updates on the immutable client object). For the config-mismatch nit, chose the warn-before-overwriting floor (explicitly permitted by scope) so interactive auto-login still works while eliminating the silent-clobber harm.Test plan
vmx_auth_errornaming the mismatch.vmx_auth_error.🤖 Generated with Claude Code