
Fix SSO token expiration: use JWT lifetime, not API token lifetime #1728

Merged: jedisct1 merged 4 commits into main from fdenis/ssofix on Apr 27, 2026

@jedisct1
Contributor

Change summary

The expiration status for SSO tokens was based on the short-lived JWT refresh token (~30 min) rather than the actual API token (~12 hours), causing spurious warnings and premature re-authentication prompts.

The fix makes both code paths prefer APITokenExpiresAt (already populated by EnrichWithTokenSelf during login) as the authoritative expiration source for SSO tokens, falling back to the JWT fields only when the API token metadata is unavailable.

All Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

Changes to Core Features:

  • Have you written new tests for your core changes, as applicable?
  • Have you successfully run tests with your changes locally?

User Impact

Users with SSO tokens will no longer see false "session expires in N minutes" warnings immediately after login, and will no longer be forced to re-authenticate after ~30 minutes when their token is still valid for hours.

Are there any considerations that need to be addressed for release?

None.
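
The selection order described in the change summary, sketched as an added example; this is not the code from this pull request. Only `APITokenExpiresAt` is a name from the PR: the `ssoToken` type, its RFC 3339 string format, the `RefreshExpiresAt` field, the status strings and the warning window are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// ssoToken is a hypothetical stand-in for the stored SSO credentials.
type ssoToken struct {
	APITokenExpiresAt string    // assumed RFC 3339; empty when API token metadata is unavailable
	RefreshExpiresAt  time.Time // assumed name: expiry of the short-lived JWT refresh token
}

// effectiveExpiry prefers the API token expiry and falls back to the JWT
// field only when the API token metadata is missing or unparseable.
func effectiveExpiry(t ssoToken) (time.Time, string) {
	if t.APITokenExpiresAt != "" {
		if exp, err := time.Parse(time.RFC3339, t.APITokenExpiresAt); err == nil {
			return exp, "api-token"
		}
	}
	return t.RefreshExpiresAt, "jwt"
}

// status classifies the token; warnWithin is an assumed warning window.
func status(t ssoToken, now time.Time, warnWithin time.Duration) string {
	exp, _ := effectiveExpiry(t)
	switch {
	case exp.IsZero():
		return "unknown" // neither source has a usable expiry
	case !now.Before(exp):
		return "expired"
	case exp.Sub(now) <= warnWithin:
		return "expiring-soon"
	default:
		return "ok"
	}
}

func main() {
	now := time.Date(2026, 4, 20, 15, 0, 0, 0, time.UTC) // constructed sample clock
	tok := ssoToken{
		APITokenExpiresAt: now.Add(12 * time.Hour).Format(time.RFC3339),
		RefreshExpiresAt:  now.Add(10 * time.Minute),
	}
	fmt.Println(status(tok, now, 15*time.Minute)) // API token metadata present
	tok.APITokenExpiresAt = ""
	fmt.Println(status(tok, now, 15*time.Minute)) // fallback to the JWT field
}
```

With the API token metadata present, a JWT that is ten minutes from expiry no longer triggers a warning; the warning returns only on the fallback path.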

@jedisct1 jedisct1 requested a review from a team as a code owner April 20, 2026 15:13
@jedisct1 jedisct1 requested a review from kpfleming April 20, 2026 15:13
Comment thread CHANGELOG.md Outdated
jedisct1 and others added 2 commits April 21, 2026 16:01
The expiration status for SSO tokens was based on the short-lived JWT
refresh token (~30 min) rather than the actual API token (~12 hours),
causing spurious warnings and premature re-authentication prompts.
Co-authored-by: Kevin P. Fleming <kpfleming@users.noreply.github.com>
@jedisct1 jedisct1 enabled auto-merge (squash) April 27, 2026 13:42
@jedisct1 jedisct1 merged commit 0d8d9bd into main Apr 27, 2026
14 checks passed
@jedisct1 jedisct1 deleted the fdenis/ssofix branch April 27, 2026 13:55