Check if refresh token is decodable before decoding it

Author: jdavcs

lib/galaxy/authnz/custos_authnz.py

@@ -123,11 +123,17 @@ def refresh(self, trans, custos_authnz_token):
             return False
         if not custos_authnz_token.refresh_token:
             return False
-        refresh_token_decoded = self._decode_token_no_signature(custos_authnz_token.refresh_token)
-        # do not attempt to use refresh token that is already expired
-        if int(refresh_token_decoded["exp"]) <= int(time.time()):
-            # in the future we might want to log out the user here
-            return False
+
+        # Try to extract expiration date from the refresh token. If expired, do not refresh token.
+        try: 
+            refresh_token_decoded = self._decode_token_no_signature(custos_authnz_token.refresh_token)
+            # do not attempt to use refresh token that is already expired
+            if int(refresh_token_decoded["exp"]) <= int(time.time()):
+                # in the future we might want to log out the user here
+                return False
+        except jwt.exceptions.DecodeError:
+            log.error("Refresh token is non-decodable")
+
         oauth2_session = self._create_oauth2_session()
         token_endpoint = self.config.token_endpoint
         if self.config.iam_client_secret: