fix(cloud-tests): add OAuth token auto-refresh to Azure remediation#2564
Merged
fix(cloud-tests): add OAuth token auto-refresh to Azure remediation#2564
Conversation
Azure remediation was using getDecryptedCredentials() which returns raw stored tokens without checking expiry or refreshing. This caused "OAuth token expired" errors and connection status changes to 'error'. Now uses getValidAzureToken() (mirrors GCP's getValidGcpToken() pattern): - Checks token expiry with 5-minute buffer - Auto-refreshes via OAuth refresh_token if expired - Falls back to legacy service principal flow - Applied to resolveContext (preview/execute) and rollback GCP already had this pattern. AWS uses IAM roles (no expiry issue). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
…ging Three issues fixed in the credential vault: 1. No retry on refresh failure — a single transient 400/401 from Google/Microsoft would permanently kill the connection. Now retries once after 2s before marking as error. 2. Error response body was discarded — logged "HTTP 400" but threw away the actual error from the provider (e.g., "invalid_grant"). Now logs the full response body for debugging. 3. getDecryptedCredentials ignored activeCredentialVersionId — always fetched by highest version number instead of the explicitly marked active version. Now prefers activeCredentialVersionId with fallback. These affect ALL OAuth integrations (GCP, Azure, Slack, Google Workspace, etc.), not just cloud tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
|
🎉 This PR is included in version 3.22.3 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Azure remediation was using
getDecryptedCredentials()which returns raw stored tokens without checking expiry or refreshing. This caused "OAuth token expired" errors and connections getting marked aserrorduring remediation.getValidAzureToken()method that auto-refreshes expired OAuth tokens (mirrors GCP's existinggetValidGcpToken()pattern)resolveContext(preview + execute) androllbackRemediationTest plan
🤖 Generated with Claude Code
Summary by cubic
Fixes Azure remediation failures by auto-refreshing expired OAuth tokens in preview, execute, and rollback, and ensures the connection is a valid, active Azure link. Also makes the OAuth refresh flow more robust across all integrations.
activeCredentialVersionId, retry once after 2s, log provider error body, and mark connection as error on 400/401/403.Written for commit 3f17765. Summary will update on new commits.