mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-05 20:48:22 +00:00
38b55f06ba
Our handling for concurrent refresh of access tokens suffered from a race condition where: 1. Thread A has just finished with updating the existing token document, but hasn't stored the new tokens in a new document yet 2. Thread B attempts to refresh the same token and since the original token document is marked as refreshed, it decrypts and gets the new access token and refresh token and returns that to the caller of the API. 3. The caller attempts to use the newly refreshed access token immediately and gets an authentication error since thread A still hasn't finished writing the document. This commit changes the behavior so that Thread B, would first try to do a Get request for the token document where it expects that the access token it decrypted is stored(with exponential backoff ) and will not respond until it can verify that it reads it in the tokens index. That ensures that we only ever return tokens in a response if they are already valid and can be used immediately It also adjusts TokenAuthIntegTests to test authenticating with the tokens each thread receives, which would fail without the fix. Resolves: #54289
Elastic License Functionality
This directory tree contains files subject to the Elastic License. The files subject to the Elastic License are grouped in this directory to clearly separate them from files licensed under the Apache License 2.0.