Require logging in again when OIDC tokens can't be refreshed by marius-mather · Pull Request #22449 · galaxyproject/galaxy

marius-mather · 2026-04-10T04:05:23Z

We want to ensure users have a current, valid access token from the OIDC provider, so when attempting to refresh (due to access token expiry), log the user out and redirect to OIDC login. This is gated behind an oidc_require_refresh config flag.

How to test the changes?

(Select all options that apply)

I've included appropriate automated tests.
This is a refactoring of components with existing test coverage.
Instructions for manual testing are as follows:
1. [add testing steps and prerequisites here if you didn't write automated tests covering all your changes]

License

I agree to license these and all my past contributions to the core galaxy codebase under the MIT license.

… provider

mvdbeek · 2026-04-14T14:53:33Z

@uwwint do you want to take a look at this ?

nuwang

Looks good to me except for one minor issue.

nuwang · 2026-04-13T14:27:12Z

lib/galaxy/webapps/base/webapp.py

+        log.info("OIDC refresh failed terminally for provider `%s`, forcing re-login", reauth_provider)
+        if self.galaxy_session:
+            self.handle_user_logout()
+        if self.environ.get("is_api_request", False):


I think a test case for the API auth case may be missing?

no worries, I've added unit tests for API requests

uwwint · 2026-04-15T04:19:38Z

@uwwint do you want to take a look at this ?

I was involved in this one @mvdbeek ;)

marius-mather added 4 commits April 10, 2026 13:45

feat: add 'oidc_require_refresh' config variable

9998e7b

feat: check if reauthentication is required when refreshing with OIDC…

e3ebc68

… provider

feat: logout and redirect to login on a failed ODIC refresh

e36260c

test: add tests of OIDC refresh behaviour

c3e1580

github-project-automation bot added this to Galaxy Dev - weeklies Apr 10, 2026

github-project-automation bot moved this to Needs Review in Galaxy Dev - weeklies Apr 10, 2026

github-actions bot added area/testing area/auth Authentication and authorization labels Apr 10, 2026

github-actions bot added this to the 26.1 milestone Apr 10, 2026

marius-mather added 3 commits April 10, 2026 14:20

chore: linting

0f2b2f5

chore: fix mypy errors in tests

ce69d1b

chore: linting again

23cb47f

nuwang reviewed Apr 14, 2026

View reviewed changes

marius-mather added 2 commits April 15, 2026 13:49

test: add test of expired token for API request

7564e70

test: check API requests are unaffected on successful refresh

8cbebf3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Require logging in again when OIDC tokens can't be refreshed#22449

Require logging in again when OIDC tokens can't be refreshed#22449
marius-mather wants to merge 9 commits intogalaxyproject:devfrom
AustralianBioCommons:oidc-require-refresh

marius-mather commented Apr 10, 2026

Uh oh!

mvdbeek commented Apr 14, 2026

Uh oh!

nuwang left a comment

Uh oh!

nuwang Apr 13, 2026

Uh oh!

marius-mather Apr 15, 2026

Uh oh!

uwwint commented Apr 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

marius-mather commented Apr 10, 2026

How to test the changes?

License

Uh oh!

mvdbeek commented Apr 14, 2026

Uh oh!

nuwang left a comment

Choose a reason for hiding this comment

Uh oh!

nuwang Apr 13, 2026

Choose a reason for hiding this comment

Uh oh!

marius-mather Apr 15, 2026

Choose a reason for hiding this comment

Uh oh!

uwwint commented Apr 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants