identity: disable session refresh for idp token sessions, fix query cache invalidation (#5495)

2025-06-03 03:12:50 +02:00 · 2025-02-24 15:33:23 -07:00 · 2025-02-24 15:33:23 -07:00 · a9e26b155d
commit a9e26b155d
parent ff127e61f9
7 changed files with 59 additions and 31 deletions
--- a/config/session.go
+++ b/config/session.go
@ -301,6 +301,7 @@ func (c *incomingIDPTokenSessionCreator) newSessionFromIDPClaims(
 	if aud, ok := claims.GetAudience(); ok {
 		s.Audience = aud
 	}
+	s.RefreshDisabled = true
 	return s
 }

--- a/config/session_test.go
+++ b/config/session_test.go
@ -371,10 +371,11 @@ func Test_newSessionFromIDPClaims(t *testing.T) {
 			"empty claims", "S1",
 			nil,
 			&session.Session{
-				Id:         "S1",
-				AccessedAt: timestamppb.New(tm1),
-				ExpiresAt:  timestamppb.New(tm1.Add(time.Hour * 14)),
-				IssuedAt:   timestamppb.New(tm1),
+				Id:              "S1",
+				AccessedAt:      timestamppb.New(tm1),
+				ExpiresAt:       timestamppb.New(tm1.Add(time.Hour * 14)),
+				IssuedAt:        timestamppb.New(tm1),
+				RefreshDisabled: true,
 			},
 		},
 		{
@ -398,6 +399,7 @@ func Test_newSessionFromIDPClaims(t *testing.T) {
 					"iat": {tm2.Unix()},
 					"exp": {tm3.Unix()},
 				}.ToPB(),
+				RefreshDisabled: true,
 			},
 		},
 	} {
@ -490,6 +492,7 @@ func TestIncomingIDPTokenSessionCreator_CreateSession(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Equal(t, "U1", s.GetUserId())
 		assert.Equal(t, "ACCESS_TOKEN", s.GetOauthToken().GetAccessToken())
+		assert.True(t, s.GetRefreshDisabled())
 	})
 	t.Run("identity_token", func(t *testing.T) {
 		t.Parallel()
@ -530,5 +533,6 @@ func TestIncomingIDPTokenSessionCreator_CreateSession(t *testing.T) {
 		s, err := c.CreateSession(ctx, cfg, route, req)
 		assert.NoError(t, err)
 		assert.Equal(t, "U1", s.GetUserId())
+		assert.True(t, s.GetRefreshDisabled())
 	})
 }