fix(push): pre-refresh access token before invoking Gradle plugin#18
Merged
fix(push): pre-refresh access token before invoking Gradle plugin#18
Conversation
The Gradle plugin reads credentials.json directly via CredentialResolver and rejects expired access tokens — without ever calling the OIDC refresh endpoint. Keycloak's default access-token lifetime is ~5min, so users had to re-run 'grounds login' between every push attempt that took longer than that to set up. Wire the CLI's existing FileTokenSource.Token() in front of the gradle.Run() call: it transparently refreshes the access token (using the still-valid refresh token) and persists the new credentials to disk before Gradle reads the file. Skip the pre-refresh when GROUNDS_TOKEN is set — the plugin uses the env var directly via Credentials.FromEnv, bypassing the file. Reported by lusu007: 'läuft gefühlt alle 5min ab'.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
`grounds push push` was forcing users to re-run `grounds login` between every push attempt that took longer than ~5 minutes to set up. Reported by @lusu007: "läuft gefühlt alle 5min ab".
Root cause: the Gradle plugin reads `credentials.json` directly via `CredentialResolver` and rejects expired access tokens — but never calls the OIDC refresh endpoint itself. Keycloak's default access-token lifetime is ~5 min. The CLI's auto-refresh logic in `FileTokenSource.Token()` was only invoked by CLI-internal API calls (`grounds cluster up`, etc.), never by the wrapped Gradle task.
Fix
Wire `FileTokenSource.Token()` in front of the `gradle.Run()` call. It:
When `GROUNDS_TOKEN` is set, skip the pre-refresh — the plugin uses the env var directly via `Credentials.FromEnv` and never touches the file.
Test plan
Companion to #16 (credentials.json version field).
🤖 Generated with Claude Code