The CLI requests `offline_access` on login, and Keycloak honours it — the issued refresh token has `typ: Offline` and never expires. But Keycloak's wire format signals "no expiry" by setting `refresh_expires_in: 0`, and the CLI was naively computing `RefreshExpiresAt = time.Now().Add(0 * time.Second)`. That stored the expiry as the wall-clock time of login itself, so the very next `grounds <cmd>` (or even `grounds doctor`) saw RefreshExpiresAt < now and demanded `grounds login`. The actual offline token sat unused in the keychain the whole time.

Fix:

- New `RefreshExpiryFromSeconds(seconds int) time.Time` helper that returns the zero `time.Time` when seconds <= 0 (the canonical "no expiry" sentinel) and `time.Now().Add(seconds * time.Second)` otherwise.
- New `(*Credentials).IsRefreshAlive()` predicate: zero time means alive; otherwise compare to wall clock.
- All three writers (login flow's CredentialsFromToken, source.go's inline refresh, doctor.go's inline refresh) go through the new helper.
- All three readers (source.go and doctor.go gates, plus doctor.go's status summary) go through IsRefreshAlive. Doctor's "valid for X" line now prints "no expiry (offline token)" when applicable.

Tests cover the boundary cases: seconds=0 → zero time, negative → zero time, positive → finite future, IsRefreshAlive matrix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Login requests `offline_access` and Keycloak issues a real offline (never-expiring) refresh token, but signals 'no expiry' on the wire by setting `refresh_expires_in: 0`. The CLI was naively doing `now + 0 = now`, so every offline token was treated as 'expired the moment after login'. New `RefreshExpiryFromSeconds` helper + `IsRefreshAlive` predicate fix the writer + reader sides; tests cover the boundaries.
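
The bug and the fix described in this pull request, as an added Go example that is not the project's own code. The `Credentials` field layout, `naiveExpiry` and the clock-injecting `aliveAt` are assumptions made for illustration; `RefreshExpiryFromSeconds` and `IsRefreshAlive` follow the behaviour the description states.

```go
package main

import (
	"fmt"
	"time"
)

// Credentials is a hypothetical stand-in for the CLI's stored credentials.
type Credentials struct {
	RefreshExpiresAt time.Time // zero value is the "no expiry" sentinel
}

// naiveExpiry reproduces the bug: refresh_expires_in: 0 becomes "expires at login time".
func naiveExpiry(seconds int) time.Time {
	return time.Now().Add(time.Duration(seconds) * time.Second)
}

// RefreshExpiryFromSeconds maps seconds <= 0 to the zero time.Time,
// and any positive value to a finite expiry in the future.
func RefreshExpiryFromSeconds(seconds int) time.Time {
	if seconds <= 0 {
		return time.Time{}
	}
	return time.Now().Add(time.Duration(seconds) * time.Second)
}

// aliveAt (hypothetical) takes the clock as a parameter so the gate can be tested.
func (c *Credentials) aliveAt(now time.Time) bool {
	if c.RefreshExpiresAt.IsZero() {
		return true // offline token: never expires
	}
	return now.Before(c.RefreshExpiresAt)
}

// IsRefreshAlive is the reader-side gate: zero time means alive,
// otherwise the stored expiry is compared to the wall clock.
func (c *Credentials) IsRefreshAlive() bool { return c.aliveAt(time.Now()) }

func main() {
	// Constructed scenario: Keycloak answered with refresh_expires_in: 0.
	buggy := &Credentials{RefreshExpiresAt: naiveExpiry(0)}
	fixed := &Credentials{RefreshExpiresAt: RefreshExpiryFromSeconds(0)}
	next := time.Now().Add(time.Second) // the next command after login
	fmt.Println("naive writer, alive at next command:", buggy.aliveAt(next))
	fmt.Println("fixed writer, alive at next command:", fixed.aliveAt(next))
}
```

The writer and the reader have to agree on the sentinel: a zero `time.Time` compared directly against the wall clock would also read as expired, which is why every gate goes through the predicate.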