support HTTP retries and return HTTP status from oauth2_token_verify

- http: add support for HTTP retries (default 1) and HTTP retry interval
(300 ms default)
- api: return HTTP status code from oauth2_token_verify

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,7 @@
+12/21/2025
+- http: add support for HTTP retries (default 1) and HTTP retry interval (300 ms default)
+- api: return HTTP status code from oauth2_token_verify
+
 08/28/2025
 - add oauth2_ipc_thread_mutex_t and use it for Redis, cURL and global lists
   to improve performance across multiple processes running on the same host

include/oauth2/cfg.h

@@ -133,6 +133,10 @@ oauth2_flag_t
 oauth2_cfg_endpoint_get_ssl_verify(const oauth2_cfg_endpoint_t *cfg);
 oauth2_uint_t
 oauth2_cfg_endpoint_get_http_timeout(const oauth2_cfg_endpoint_t *cfg);
+oauth2_uint_t
+oauth2_cfg_endpoint_get_http_retries(const oauth2_cfg_endpoint_t *cfg);
+oauth2_uint_t
+oauth2_cfg_endpoint_get_http_retry_interval(const oauth2_cfg_endpoint_t *cfg);
 const char *
 oauth2_cfg_endpoint_get_outgoing_proxy(const oauth2_cfg_endpoint_t *cfg);
 

include/oauth2/http.h

@@ -213,6 +213,8 @@ OAUTH2_TYPE_DECLARE_MEMBER_SET(http, call_ctx, ca_info, char *)
 OAUTH2_TYPE_DECLARE_MEMBER_SET(http, call_ctx, ssl_cert, char *)
 OAUTH2_TYPE_DECLARE_MEMBER_SET(http, call_ctx, ssl_key, char *)
 OAUTH2_TYPE_DECLARE_MEMBER_SET(http, call_ctx, timeout, int)
+OAUTH2_TYPE_DECLARE_MEMBER_SET(http, call_ctx, retries, int)
+OAUTH2_TYPE_DECLARE_MEMBER_SET(http, call_ctx, retry_interval, int)
 OAUTH2_TYPE_DECLARE_MEMBER_SET(http, call_ctx, ssl_verify, bool)
 OAUTH2_MEMBER_LIST_DECLARE_SET_UNSET_ADD_GET(http, call_ctx, cookie)
 OAUTH2_MEMBER_LIST_DECLARE_SET_UNSET_ADD_GET(http, call_ctx, hdr)

include/oauth2/oauth2.h

@@ -78,6 +78,7 @@ bool oauth2_http_ctx_auth_add(oauth2_log_t *log, oauth2_http_call_ctx_t *ctx,
 
 bool oauth2_token_verify(oauth2_log_t *log, oauth2_http_request_t *request,
 			 oauth2_cfg_token_verify_t *verify, const char *token,
-			 json_t **json_payload);
+			 json_t **json_payload,
+			 oauth2_http_status_code_t *status_code);
 
 #endif /* _OAUTH2_H_ */

include/oauth2/openidc.h

@@ -118,6 +118,9 @@ OAUTH2_TYPE_DECLARE_MEMBER_SET_GET(openidc, client, token_endpoint_auth,
 				   oauth2_cfg_endpoint_auth_t *)
 OAUTH2_TYPE_DECLARE_MEMBER_SET_GET(openidc, client, ssl_verify, oauth2_flag_t)
 OAUTH2_TYPE_DECLARE_MEMBER_SET_GET(openidc, client, http_timeout, oauth2_uint_t)
+OAUTH2_TYPE_DECLARE_MEMBER_SET_GET(openidc, client, http_retries, oauth2_uint_t)
+OAUTH2_TYPE_DECLARE_MEMBER_SET_GET(openidc, client, http_retry_interval,
+				   oauth2_uint_t)
 
 char *oauth2_openidc_client_set_options(oauth2_log_t *log,
 					oauth2_cfg_openidc_t *cfg,

include/oauth2/util.h

@@ -134,6 +134,7 @@ char *oauth2_strdup(const char *src);
 char *oauth2_strndup(const char *src, size_t len);
 char *oauth2_stradd(char *src, const char *add1, const char *add2,
 		    const char *add3);
+char *oauth2_intadd(char *src, const char *add1, const char *add2, int i);
 char *oauth2_getword(const char **line, char stop);
 
 size_t oauth2_base64url_encode(oauth2_log_t *log, const uint8_t *src,

src/cfg/proto_cfg.c

@@ -40,6 +40,8 @@ oauth2_cfg_endpoint_t *oauth2_cfg_endpoint_init(oauth2_log_t *log)
 	endpoint->auth = NULL;
 	endpoint->ssl_verify = OAUTH2_CFG_FLAG_UNSET;
 	endpoint->http_timeout = OAUTH2_CFG_UINT_UNSET;
+	endpoint->http_retries = OAUTH2_CFG_UINT_UNSET;
+	endpoint->http_retry_interval = OAUTH2_CFG_UINT_UNSET;
 	endpoint->outgoing_proxy = NULL;
 
 end:
@@ -80,6 +82,8 @@ oauth2_cfg_endpoint_clone(oauth2_log_t *log, const oauth2_cfg_endpoint_t *src)
 	dst->auth = oauth2_cfg_endpoint_auth_clone(log, src->auth);
 	dst->ssl_verify = src->ssl_verify;
 	dst->http_timeout = src->http_timeout;
+	dst->http_retries = src->http_retries;
+	dst->http_retry_interval = src->http_retry_interval;
 	dst->outgoing_proxy = oauth2_strdup(src->outgoing_proxy);
 
 end:
@@ -88,6 +92,8 @@ oauth2_cfg_endpoint_clone(oauth2_log_t *log, const oauth2_cfg_endpoint_t *src)
 
 #define OAUTH2_CFG_ENDPOINT_SSL_VERIFY_DEFAULT 1
 #define OAUTH2_CFG_ENDPOINT_HTTP_TIMEOUT_DEFAULT 20
+#define OAUTH2_CFG_ENDPOINT_HTTP_RETRIES_DEFAULT 1
+#define OAUTH2_CFG_ENDPOINT_HTTP_RETRY_INTERVAL_DEFAULT 300
 
 char *oauth2_cfg_set_endpoint(oauth2_log_t *log, oauth2_cfg_endpoint_t *cfg,
 			      const char *url, const oauth2_nv_list_t *params,
@@ -144,6 +150,29 @@ char *oauth2_cfg_set_endpoint(oauth2_log_t *log, oauth2_cfg_endpoint_t *cfg,
 	}
 	oauth2_mem_free(key);
 
+	key = oauth2_stradd(NULL, prefix ? prefix : NULL, prefix ? "." : NULL,
+			    "http_retries");
+	value = oauth2_nv_list_get(log, params, key);
+	if (value) {
+		rv = oauth2_strdup(oauth2_cfg_set_uint_slot(
+		    cfg, offsetof(oauth2_cfg_endpoint_t, http_retries), value));
+		if (rv)
+			goto end;
+	}
+	oauth2_mem_free(key);
+
+	key = oauth2_stradd(NULL, prefix ? prefix : NULL, prefix ? "." : NULL,
+			    "http_retry_interval");
+	value = oauth2_nv_list_get(log, params, key);
+	if (value) {
+		rv = oauth2_strdup(oauth2_cfg_set_uint_slot(
+		    cfg, offsetof(oauth2_cfg_endpoint_t, http_retry_interval),
+		    value));
+		if (rv)
+			goto end;
+	}
+	oauth2_mem_free(key);
+
 	key = oauth2_stradd(NULL, prefix ? prefix : NULL, prefix ? "." : NULL,
 			    "outgoing_proxy");
 	value = oauth2_nv_list_get(log, params, key);
@@ -202,6 +231,23 @@ oauth2_cfg_endpoint_get_http_timeout(const oauth2_cfg_endpoint_t *cfg)
 	return cfg->http_timeout;
 }
 
+oauth2_uint_t
+oauth2_cfg_endpoint_get_http_retries(const oauth2_cfg_endpoint_t *cfg)
+{
+	if ((cfg == NULL) || (cfg->http_retries == OAUTH2_CFG_UINT_UNSET))
+		return OAUTH2_CFG_ENDPOINT_HTTP_RETRIES_DEFAULT;
+	return cfg->http_retries;
+}
+
+oauth2_uint_t
+oauth2_cfg_endpoint_get_http_retry_interval(const oauth2_cfg_endpoint_t *cfg)
+{
+	if ((cfg == NULL) ||
+	    (cfg->http_retry_interval == OAUTH2_CFG_UINT_UNSET))
+		return OAUTH2_CFG_ENDPOINT_HTTP_RETRY_INTERVAL_DEFAULT;
+	return cfg->http_retry_interval;
+}
+
 const char *
 oauth2_cfg_endpoint_get_outgoing_proxy(const oauth2_cfg_endpoint_t *cfg)
 {

src/cfg_int.h

@@ -48,6 +48,8 @@ typedef struct oauth2_cfg_endpoint_t {
 	oauth2_cfg_endpoint_auth_t *auth;
 	oauth2_flag_t ssl_verify;
 	oauth2_uint_t http_timeout;
+	oauth2_uint_t http_retries;
+	oauth2_uint_t http_retry_interval;
 	char *outgoing_proxy;
 } oauth2_cfg_endpoint_t;
 

src/http.c

@@ -21,6 +21,7 @@
 #include <curl/curl.h>
 #include <stdio.h>
 #include <string.h>
+#include <unistd.h>
 
 #include "oauth2/http.h"
 #include "oauth2/mem.h"
@@ -604,6 +605,8 @@ typedef struct oauth2_http_call_ctx_t {
 	char *basic_auth_password;
 	char *bearer_token;
 	int timeout;
+	int retries;
+	int retry_interval;
 	bool ssl_verify;
 	char *outgoing_proxy;
 	oauth2_nv_list_t *cookie;
@@ -615,6 +618,8 @@ typedef struct oauth2_http_call_ctx_t {
 } oauth2_http_call_ctx_t;
 
 #define OAUTH2_HTTP_CALL_TIMEOUT_DEFAULT 15
+#define OAUTH2_HTTP_CALL_RETRIES_DEFAULT 1
+#define OAUTH2_HTTP_CALL_RETRY_INTERVAL_DEFAULT 300
 #define OAUTH2_HTTP_CALL_SSL_VERIFY_DEFAULT true
 
 oauth2_http_call_ctx_t *oauth2_http_call_ctx_init(oauth2_log_t *log)
@@ -628,6 +633,10 @@ oauth2_http_call_ctx_t *oauth2_http_call_ctx_init(oauth2_log_t *log)
 
 	oauth2_http_call_ctx_timeout_set(log, ctx,
 					 OAUTH2_HTTP_CALL_TIMEOUT_DEFAULT);
+	oauth2_http_call_ctx_retries_set(log, ctx,
+					 OAUTH2_HTTP_CALL_RETRIES_DEFAULT);
+	oauth2_http_call_ctx_retry_interval_set(
+	    log, ctx, OAUTH2_HTTP_CALL_RETRY_INTERVAL_DEFAULT);
 	oauth2_http_call_ctx_ssl_verify_set(
 	    log, ctx, OAUTH2_HTTP_CALL_SSL_VERIFY_DEFAULT);
 	oauth2_http_call_ctx_outgoing_proxy_set(log, ctx, NULL);
@@ -680,6 +689,8 @@ void oauth2_http_call_ctx_free(oauth2_log_t *log, oauth2_http_call_ctx_t *ctx)
 }
 
 _OAUTH2_TYPE_IMPLEMENT_MEMBER_SET(http, call_ctx, timeout, int, integer)
+_OAUTH2_TYPE_IMPLEMENT_MEMBER_SET(http, call_ctx, retries, int, integer)
+_OAUTH2_TYPE_IMPLEMENT_MEMBER_SET(http, call_ctx, retry_interval, int, integer)
 _OAUTH2_TYPE_IMPLEMENT_MEMBER_SET(http, call_ctx, ssl_verify, bool, bln)
 _OAUTH2_TYPE_IMPLEMENT_MEMBER_SET(http, call_ctx, outgoing_proxy, char *, str)
 _OAUTH2_TYPE_IMPLEMENT_MEMBER_SET(http, call_ctx, ca_info, char *, str)
@@ -770,6 +781,13 @@ static char *_oauth2_http_call_ctx2s(oauth2_log_t *log,
 		ctx->to_str = oauth2_stradd(ctx->to_str, " ssl_key",
 					    _OAUTH2_STR_EQUAL, ctx->ssl_key);
 
+	ctx->to_str = oauth2_intadd(ctx->to_str, " timeout", _OAUTH2_STR_EQUAL,
+				    ctx->timeout);
+	ctx->to_str = oauth2_intadd(ctx->to_str, " retries", _OAUTH2_STR_EQUAL,
+				    ctx->retries);
+	ctx->to_str = oauth2_intadd(ctx->to_str, " retry_interval",
+				    _OAUTH2_STR_EQUAL, ctx->retry_interval);
+
 	ptr = oauth2_nv_list2s(log, ctx->hdr);
 	if (ptr) {
 		ctx->to_str =
@@ -970,6 +988,8 @@ bool oauth2_http_call(oauth2_log_t *log, const char *url, const char *data,
 	bool rc = false;
 	char *str = NULL;
 	long response_code = 0;
+	int i = 0;
+	int retries = 1;
 
 	char err[CURL_ERROR_SIZE];
 	CURL *curl = NULL;
@@ -1095,29 +1115,54 @@ bool oauth2_http_call(oauth2_log_t *log, const char *url, const char *data,
 
 	curl_easy_setopt(curl, CURLOPT_URL, url);
 
-	errornum = curl_easy_perform(curl);
-	if (errornum != CURLE_OK) {
-		oauth2_error(log, "curl_easy_perform() failed on: %s (%s: %s)",
-			     url, curl_easy_strerror(errornum),
-			     err[0] ? err : "");
-		if (errornum == CURLE_OPERATION_TIMEDOUT)
+	if (ctx)
+		retries = ctx->retries;
+
+	oauth2_debug(log, "looping: i=%d, retries=%d", i, retries);
+
+	for (i = 0; i <= retries; i++) {
+		oauth2_debug(log, "looping: i=%d, retries=%d", i, retries);
+		errornum = curl_easy_perform(curl);
+		if (errornum == CURLE_OK) {
+			rc = true;
+			break;
+		}
+		if (errornum == CURLE_OPERATION_TIMEDOUT) {
+			/* in case of a request/transfer timeout (which includes
+			 * the connect timeout) we'll not retry */
+			oauth2_error(log,
+				     "curl_easy_perform failed with a timeout "
+				     "for %s: [%s; %s]; won't retry",
+				     url, curl_easy_strerror(errornum),
+				     err[0] ? err : "");
 			// 408 Request Timeout
 			// 504 Gateway Timeout
 			*status_code = 504;
-		goto end;
+			break;
+		}
+		oauth2_error(
+		    log,
+		    "curl_easy_perform(%d/%d) failed for: %s with [%s: %s]",
+		    i + 1, retries + 1, url, curl_easy_strerror(errornum),
+		    err[0] ? err : "");
+		/* in case of a connectivity/network glitch we'll back off
+		 * before retrying */
+		if (i < retries)
+			usleep((ctx ? ctx->retry_interval : 300) * 1000);
 	}
 
 	curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &response_code);
 	oauth2_debug(log, "HTTP response code=%ld", response_code);
 	if (status_code)
 		*status_code = (oauth2_uint_t)response_code;
 
+	if (rc == false)
+		goto end;
+
 	*response = oauth2_mem_alloc(buf.size + 1);
 	strncpy(*response, buf.memory, buf.size);
 	(*response)[buf.size] = '\0';
 
-	rc = true;
-
 end:
 
 	if (buf.memory)
@@ -1126,8 +1171,9 @@ bool oauth2_http_call(oauth2_log_t *log, const char *url, const char *data,
 		curl_slist_free_all(h_list);
 	curl_easy_cleanup(curl);
 
-	oauth2_debug(log, "leave [%d]: %s", rc,
-		     (response && *response) ? *response : "(null)");
+	oauth2_debug(log, "leave [%d]: %s (status=%d)", rc,
+		     (response && *response) ? *response : "(null)",
+		     status_code ? *status_code : -1);
 
 	return rc;
 }

src/oauth2.c

@@ -864,7 +864,8 @@ static bool oauth2_mtls_token_verify(oauth2_log_t *log,
 
 bool oauth2_token_verify(oauth2_log_t *log, oauth2_http_request_t *request,
 			 oauth2_cfg_token_verify_t *verify, const char *token,
-			 json_t **json_payload)
+			 json_t **json_payload,
+			 oauth2_http_status_code_t *status_code)
 {
 
 	bool rc = false;