Skip to content

bug: api key not refreshed when api key expired but oauth2 access token not #17070

New issue
New issue
Closed
Bug
#17878
Closed
bug: api key not refreshed when api key expired but oauth2 access token not#17070
Bug
#17878
Assignees
spikecurtis
Labels
s2Broken use cases or features (with a workaround). Only humans may set this.
@hugodutka

Description

@hugodutka
hugodutka
opened on Mar 24, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

We have a system that refreshes expired api keys backed by oauth2 if a refresh token is available.

However, in the case when the api key is expired but the oauth2 access token isn’t, the refresh logic is not triggered, and the api key ExpiresAt field is not updated.

Relavant check:

coder/coderd/httpmw/apikey.go

Line 261 in bbe7dac

if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {

Early exit if ExpiresAt is not updated.

coder/coderd/httpmw/apikey.go

Lines 319 to 324 in bbe7dac

if key.ExpiresAt.Before(now) {
return optionalWrite(http.StatusUnauthorized, codersdk.Response{
Message: SignedOutErrorMessage,
Detail: fmt.Sprintf("API key expired at %q.", key.ExpiresAt.String()),
})
}

Relevant Log Output



Expected Behavior


I'd expect the ExpiresAt field to be updated when a valid OAuth2 access token is available.


Steps to Reproduce


The way I triggered it is I manually updated the ExpiresAt field on an api key to the current time via a SQL query and then refreshed the Coder web UI.


Environment


    

  • Host OS: Linux
    • 

  • Coder version: 2.20.2
    • 



Additional Context


No response
Metadata
Metadata
Assignees
Labels
s2Broken use cases or features (with a workaround). Only humans may set this.
Type
Bug
Projects
No projects
Milestone
No milestone
Relationships
None yet
Development
No branches or pull requests
Issue actions