@scotwells
Contributor

We were encountering an issue with users getting error messages after they've refreshed their access token. Our access tokens are valid for 12 hours. Trying to use datumctl after the access token expired resulted in my token being refreshed but subsequent commands failing with an invalid refresh token error.

$ datumctl activity query --organization datum --limit 10
TIMESTAMP             VERB   USER                    NAMESPACE   RESOURCE        NAME    STATUS
2026-01-17 11:19:18   get    auth-provider-openfga               organizations   datum   200
...

$ datumctl activity query --organization datum --limit 10
error: query failed: Post "https://api.datum.net/apis/resourcemanager.miloapis.com/v1alpha1/organizations/datum/control-plane/apis/activity.miloapis.com/v1alpha1/auditlogqueries": oauth2: "invalid_request" "Errors.OIDCSession.RefreshTokenInvalid"

I was able to trace this down to the new access token and refresh token not being persisted in the keyring after a refresh occurred. This was resulting in an invalid refresh token error because the previous refresh token that existed in the keychain was revoked after a new token was issued.

I fixed this by introducing a new TokenSource that automatically refreshes tokens and persists the updated tokens back into the keychain.

Other changes:

  • I adjusted the error messaging so the user will be given a friendly error message if the refresh token is not valid and they need to re-authenticate.
  • I modified the get-token command to use the new token source

We were encountering an issue with users getting error messages after
they've refreshed their access token. I was able to trace this down to
the new access token and refresh token not being persisted in the
keyring after a refresh occurred.

This was resulting in an invalid refresh token error because the
previous refresh token that existed in the keychain was revoked after a
new token was issued.

I also adjusted the error messaging so the user will be given a friendly
error message if the refresh token is not valid and they need to
re-authenticate.
@scotwells scotwells merged commit 74064be into main Jan 17, 2026
2 checks passed
@scotwells scotwells deleted the fix/persist-access-token-after-refresh branch January 17, 2026 18:19
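
The failure mode and the fix described in this pull request, as an added Go example that is not datumctl's own code. It assumes a provider that revokes the presented refresh token on every refresh; `rotatingServer`, `GetToken` and `RunTwice` are hypothetical names, and an in-memory `Token` stands in for the keychain entry.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Token struct {
	Access, Refresh string
	Expiry          time.Time
}
var ErrRefreshInvalid = errors.New("refresh token invalid, re-authenticate")

// rotatingServer is a constructed provider stand-in: rt-N is valid for one use only.
type rotatingServer struct{ n int }

func (s *rotatingServer) Refresh(rt string) (Token, error) {
	if rt != fmt.Sprintf("rt-%d", s.n) {
		return Token{}, ErrRefreshInvalid
	}
	s.n++
	return Token{fmt.Sprintf("at-%d", s.n), fmt.Sprintf("rt-%d", s.n), time.Now().Add(12 * time.Hour)}, nil
}

// GetToken refreshes an expired stored token; persist writes the new pair back.
func GetToken(srv *rotatingServer, stored *Token, persist bool) (Token, error) {
	if time.Now().Before(stored.Expiry) {
		return *stored, nil
	}
	fresh, err := srv.Refresh(stored.Refresh)
	if err == nil && persist {
		*stored = fresh
	}
	return fresh, err
}

// RunTwice models two CLI runs sharing one keychain entry, access token expired.
func RunTwice(persist bool) (first, second error) {
	stored := &Token{"at-0", "rt-0", time.Now().Add(-time.Minute)}
	srv := &rotatingServer{}
	_, first = GetToken(srv, stored, persist)
	_, second = GetToken(srv, stored, persist)
	return first, second
}

func main() {
	fmt.Println(RunTwice(false)) // second run fails: stale refresh token
	fmt.Println(RunTwice(true))  // both runs succeed
}
```
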