core/databroker: disable identity manager user refresh when hosted authenticate is used (#4905)

2025-04-29 18:36:30 +02:00 · 2024-01-12 13:30:03 -07:00 · 2024-01-12 13:30:03 -07:00 · 5e0079c649
commit 5e0079c649
parent 1080a33443
2 changed files with 21 additions and 1 deletions
--- a/config/options.go
+++ b/config/options.go
@ -841,6 +841,24 @@ func (o *Options) UseStatelessAuthenticateFlow() bool {
 	return urlutil.IsHostedAuthenticateDomain(u.Hostname())
 }

+// SupportsUserRefresh returns true if the config options support refreshing of user sessions.
+func (o *Options) SupportsUserRefresh() bool {
+	if o == nil {
+		return false
+	}
+
+	if o.Provider == "" {
+		return false
+	}
+
+	u, err := o.GetInternalAuthenticateURL()
+	if err != nil {
+		return false
+	}
+
+	return !urlutil.IsHostedAuthenticateDomain(u.Hostname())
+}
+
 // GetAuthorizeURLs returns the AuthorizeURLs in the options or 127.0.0.1:5443.
 func (o *Options) GetAuthorizeURLs() ([]*url.URL, error) {
 	if IsAll(o.Services) && o.AuthorizeURLString == "" && len(o.AuthorizeURLStrings) == 0 {
--- a/databroker/cache.go
+++ b/databroker/cache.go
@ -160,13 +160,15 @@ func (c *DataBroker) update(ctx context.Context, cfg *config.Config) error {
 		manager.WithEventManager(c.eventsMgr),
 	}

-	if cfg.Options.Provider != "" {
+	if cfg.Options.SupportsUserRefresh() {
 		authenticator, err := identity.NewAuthenticator(oauthOptions)
 		if err != nil {
 			log.Error(ctx).Err(err).Msg("databroker: failed to create authenticator")
 		} else {
 			options = append(options, manager.WithAuthenticator(authenticator))
 		}
+	} else {
+		log.Info(ctx).Msg("databroker: disabling refresh of user sessions")
 	}

 	if c.manager == nil {