Carry forward upstream refresh token on re-authorization

[jhrozek]

Summary

This PR addresses Root Cause B of #5047: when a user re-authorizes through the auth server, the OAuth callback writes the IdP-supplied RefreshToken verbatim into a new storage.UpstreamTokens row. Real IdPs commonly omit refresh_token on a silent re-auth (Google without prompt=consent, Microsoft Entra when consent was already granted, GitHub/Okta/Auth0/Keycloak similarly). In every case the previously-issued RT remains valid at the IdP — but today the callback overwrites it with "", orphaning the prior good RT and making the next refresh attempt fail. That forces another re-auth, perpetuating the loop.

The fix mirrors the preservation pattern already in place in upstreamTokenRefresher.RefreshAndStore: if the IdP returns no RT, look up the most recent prior row for (userID, providerID) and carry the prior RT into the new row. A defensive prior.UpstreamSubject == providerSubject guard prevents carrying credentials across distinct upstream identities. Storage failures during the lookup are non-fatal — they log a warning and proceed with the empty RT, which is no worse than the current status quo.

• New storage method UpstreamTokenStorage.GetLatestUpstreamTokensForUser(ctx, userID, providerID) keyed on user+provider rather than the primary (sessionID, providerName) key. Implemented on both Memory and Redis backends; both backends pick the highest ExpiresAt so the carry-forward decision is consistent across deployment shapes. Expired rows are intentionally returned (callers want the RT regardless of access-token expiry).
• Callback wiring in pkg/authserver/server/handlers/callback.go extracted into maybeCarryForwardRefreshToken (gocyclo budget) and called between storageTokens construction and StoreUpstreamTokens.
• The Redis backend uses the existing KeyTypeUserUpstream:{userID} reverse-index set (already maintained atomically by storeUpstreamTokensScript), no new Lua script.
• End-to-end integration test against mockoidc + a thin RT-stripping reverse proxy (mockoidc unconditionally issues RTs for authorization_code and offers no API to suppress them).

Out of scope, deferred to a follow-up PR: Root Cause A — the storage rekey from (sessionID, providerID) to (userID, providerID) plus a one-time Redis migration. Trey's comment on #5047 describes the split; this PR is the smaller, surgical fix and is valuable on its own because it ends the orphaning loop even before Root Cause A lands.

Closes #5047 partially (Root Cause B; Root Cause A tracked separately).

Type of change

• Bug fix
• New feature
• Refactoring (no behavior change)
• Dependency update
• Documentation
• Other (describe):

Test plan

• Unit tests (task test)
• E2E tests (task test-e2e)
• Linting (task lint-fix)
• Manual testing (describe below)

Specifically verified:

• go test -race -count=1 ./pkg/authserver/... — all 13 packages pass.
• go test -race -count=1 -v -run TestIntegration_ ./pkg/authserver/ — all 23 integration tests pass, including the new TestIntegration_Callback_PreservesRefreshTokenOnReauth and the existing TestIntegration_FullFlow_NonExpiringUpstreamToken[_Redis] and TestIntegration_MultiUpstreamChain_MixedExpiryOrderings[_Redis] from Fix non-expiring upstream token handling and storage TTL bugs #5092.
• task test — pre-existing failure in pkg/workloads/TestDefaultManager_ListWorkloadsInGroup/workloads_with_empty_group_names is unrelated to this branch.

API Compatibility

• This PR does not break the v1beta1 API, OR the api-break-allowed label is applied and the migration guidance is described above.

The new method on storage.UpstreamTokenStorage is an internal Go interface, not a CRD field. No CRD schema changes.

Changes

File	Change
pkg/authserver/storage/types.go	Adds GetLatestUpstreamTokensForUser to the UpstreamTokenStorage interface with explicit godoc on liveness contract (expired rows are returned) and cross-identity caller responsibility.
pkg/authserver/storage/memory.go	Implements the new method on MemoryStorage — RLock'd iteration, deep-copy on hit, wrapped ErrNotFound on miss.
pkg/authserver/storage/redis.go	Implements the new method on RedisStorage using SMembers over the existing user-upstream reverse index, single MGet, deserialized-ProviderID filtering. Tolerates dangling SMEMBERs and the null deletion tombstone.
pkg/authserver/storage/mocks/mock_storage.go	Regenerated.
pkg/authserver/server/handlers/callback.go	New maybeCarryForwardRefreshToken helper invoked between struct construction and StoreUpstreamTokens. UpstreamSubject guard, non-fatal on storage error.
pkg/authserver/storage/memory_test.go	Table-driven test for the Memory backend (9 subtests including deep-copy assertion, latest-by-ExpiresAt, empty-input validation).
pkg/authserver/storage/redis_test.go	Table-driven test for the Redis backend (9 subtests including the dangling-SMEMBER stale-index case via miniredis SAdd, two-zero-ExpiresAt corner case).
pkg/authserver/server/handlers/callback_test.go	Table-driven TestCallbackHandler_RefreshTokenCarryForward consolidating the 5 callback scenarios (preserve, subject mismatch, fresh wins, no prior row, storage error).
pkg/authserver/server/handlers/helpers_test.go	New withGetLatestUpstreamTokensError option mirroring the existing withStorePendingError pattern; mock checks it first.
pkg/authserver/integration_test.go	TestIntegration_Callback_PreservesRefreshTokenOnReauth — full callback flow against mockoidc with an RT-stripping reverse proxy.

Does this introduce a user-facing change?

Yes. Users who previously hit a refresh-token-orphaning loop on re-authorization (most commonly with Google, Entra, Okta, GitHub, Auth0, Keycloak — all of which omit refresh_token on silent re-auth) will see refreshes succeed instead of failing into another forced re-auth. The fix is silent: no configuration changes are required.

Implementation plan

This PR was planned with Claude Code via a per-step go-expert-developer + MoE (code-reviewer + go-security-reviewer / oauth-expert / redis-valkey-advisor) workflow. Each step landed as a separate commit with independent review.

Approved plan (5 steps)

1. Add GetLatestUpstreamTokensForUser to storage interface + stub implementations + mock regen. Keeps the diff tiny so the interface surface is reviewed independently.
2. Implement Memory backend + 9-case table-driven test. Filters by (UserID, ProviderID), picks highest ExpiresAt, returns deep copy.
3. Implement Redis backend + 9-case table-driven test. Uses the existing KeyTypeUserUpstream reverse set; SMembers → MGet → unmarshal → filter; tolerates stale index entries and null tombstones.
4. Wire the OAuth callback handler + 5-case table-driven test. Helper maybeCarryForwardRefreshToken between storageTokens construction and StoreUpstreamTokens. Non-fatal on storage error. UpstreamSubject guard.
5. End-to-end integration test against mockoidc + RT-stripping reverse proxy. Three legs: initial RT issued → strip flag on, second auth carries forward → third auth as different user gets ErrNotFound and stays empty.

Cross-project research (via MCP-mounted source): Hydra delegates upstream-token storage to its consent app and avoids the bug class. oauth2-proxy has the same blind-overwrite shape but sidesteps it via opaque-ticket session keys (orphaned rows TTL out instead of being clobbered) — their IDToken preservation pattern at pkg/providers/oidc.go:140-180 is the explicit code-level analog we mirror for RefreshToken. infratographer/identity-api is RFC-8693 only, no broker.

Special notes for reviewers

• This is Root Cause B only. Root Cause A — the full storage rekey from (sessionID, providerID) to (userID, providerID) with a one-time Redis migration — is intentionally deferred to a follow-up PR. See Trey's plan in Upstream refresh tokens orphaned on re-authorization #5047. This fix is valuable on its own: even with Root Cause A unresolved, carrying the RT forward to the new sessionID lets the refresher succeed when the new access token expires, ending the re-auth cycle.
• The UpstreamSubject == providerSubject guard is defense-in-depth. Given the current identity model (ResolveUser keys identity by (providerID, providerSubject)), the same internal UserID cannot legitimately have two different upstream subjects on the same provider — same-provider account-linking is a future TODO in storage/types.go. The guard exists so that future code can't accidentally violate that.
• The integration test does not request offline_access because mockoidc's ScopesSupported rejects it as invalid_scope. mockoidc unconditionally issues RTs regardless of scope, so the regression assertion (leg 2 RT matches leg 1 RT) is unaffected — but reviewers should know the test does not exercise the realistic precondition that real IdPs gate RT issuance on offline_access.

🤖 Generated with Claude Code

Large PR Justification

• the new integration test is the culprit

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

[codecov]

Codecov Report

❌ Patch coverage is 82.44275% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.40%. Comparing base (b094f75) to head (f564b0f).
⚠️ Report is 7 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/authserver/storage/redis.go	70.83%	14 Missing and 7 partials ⚠️
pkg/authserver/storage/memory.go	95.23%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5132      +/-   ##
==========================================
+ Coverage   67.31%   67.40%   +0.08%     
==========================================
  Files         598      598              
  Lines       60566    60656      +90     
==========================================
+ Hits        40768    40883     +115     
+ Misses      16706    16673      -33     
- Partials     3092     3100       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tgrunnagle]

Multi-Agent Consensus Review (MEDIUM findings only)

Agents consulted: oauth-flow, security, redis-storage, test-coverage, go-style, general-quality (6 specialists, parallel review)

A full consensus review surfaced 18 actionable findings. Posting only the MEDIUM-severity items here; the LOW findings are polish and didn't feel worth the inline noise on a focused fix PR.

MEDIUM Findings

#	Finding	Consensus	Action
F1	SessionExpiresAt dropped from returned record (Memory + Redis)	10/10	Fix — see inline suggestions
F7	Missing handler test — prior row with empty RefreshToken	9/10	Add table case

Overall

The carry-forward design is sound and the implementation is correct for the documented use case. Mirroring RefreshAndStore's preservation pattern at the cross-row level (with the UpstreamSubject defense-in-depth guard) is a sensible surgical fix for Root Cause B. Scope is one logical change, the integration-test harness (rtStrippingProxy) is genuine novel infrastructure, and the explicit deferral of Root Cause A is appropriate.

The latent bug worth fixing in this PR is F1: both backends silently omit SessionExpiresAt from the returned struct in GetLatestUpstreamTokensForUser. No production caller reads it today, but it's a contract-shaped trap for any future caller that uses this method as a substitute for GetUpstreamTokens — exactly the kind of expansion the deferred Root Cause A rekey will encourage. One-line fix per backend; suggestion blocks attached.

F7 is a test gap: the production guard prior.RefreshToken != "" (callback.go:187) is currently untested. The case matters in real chains because the carry-forward chain itself can leave rows with empty RTs, so the guard is load-bearing.

---

Generated with Claude Code

[jhrozek]

Thanks for the review. Both MEDIUM findings and both nits addressed — replied on each thread with specifics.