Do not attempt to use a refresh token that is non-decodable

jdavcs · jdavcs · commit f39484cfcdc8 · 2025-08-29T11:30:24.000-04:00
diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
@@ -133,6 +133,8 @@ def refresh(self, trans, custos_authnz_token):
                 return False
         except jwt.exceptions.DecodeError:
             log.error("Refresh token is non-decodable")
+            # If the refresh token is non-decodable, we do not use it. See discussion in https://github.com/galaxyproject/galaxy/pull/20821
+            return False
 
         oauth2_session = self._create_oauth2_session()
         token_endpoint = self.config.token_endpoint
