Only refresh OAuth tokens when expired and save in credentials.

dkocher · dkocher · commit d699b206038d · 2025-10-20T16:48:30.000+02:00
diff --git a/s3/src/main/java/ch/cyberduck/core/sts/STSAssumeRoleWithWebIdentityRequestInterceptor.java b/s3/src/main/java/ch/cyberduck/core/sts/STSAssumeRoleWithWebIdentityRequestInterceptor.java
@@ -61,7 +61,7 @@ public TemporaryAccessTokens refresh(final Credentials credentials) throws Backg
         try {
             final String arn = new ProxyPreferencesReader(host, credentials).getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn");
             log.debug("Use ARN {}", arn);
-            return tokens = this.assumeRoleWithWebIdentity(oauth.refresh(credentials.getOauth()), arn);
+            return tokens = this.assumeRoleWithWebIdentity(oauth.validate(credentials.getOauth()), arn);
         }
         finally {
             lock.unlock();
diff --git a/s3/src/test/java/ch/cyberduck/core/sts/AssumeRoleWithWebIdentityAuthenticationTest.java b/s3/src/test/java/ch/cyberduck/core/sts/AssumeRoleWithWebIdentityAuthenticationTest.java
@@ -54,12 +54,12 @@ public class AssumeRoleWithWebIdentityAuthenticationTest extends AbstractAssumeR
     public void testSuccessfulLogin() throws BackgroundException {
         final Protocol profile = new ProfilePlistReader(new ProtocolFactory(new HashSet<>(Collections.singleton(new S3Protocol())))).read(
                 AbstractAssumeRoleWithWebIdentityTest.class.getResourceAsStream("/S3 (OIDC).cyberduckprofile"));
-        final Host host = new Host(profile, profile.getDefaultHostname(), new Credentials("rouser", "rouser"));
+        final Credentials credentials = new Credentials("rouser", "rouser");
+        final Host host = new Host(profile, profile.getDefaultHostname(), credentials);
         final S3Session session = new S3Session(host);
         session.open(new DisabledProxyFinder(), new DisabledHostKeyCallback(), new DisabledLoginCallback(), new DisabledCancelCallback());
         session.login(new DisabledLoginCallback(), new DisabledCancelCallback());
 
-        final Credentials credentials = host.getCredentials();
         assertEquals("rouser", credentials.getUsername());
         assertEquals("rouser", credentials.getPassword());
 
@@ -98,18 +98,18 @@ public void testInvalidPassword() throws BackgroundException {
     public void testTokenRefresh() throws BackgroundException, InterruptedException {
         final Protocol profile = new ProfilePlistReader(new ProtocolFactory(new HashSet<>(Collections.singleton(new S3Protocol())))).read(
                 AbstractAssumeRoleWithWebIdentityTest.class.getResourceAsStream("/S3 (OIDC).cyberduckprofile"));
-        final Host host = new Host(profile, profile.getDefaultHostname(), new Credentials("rawuser", "rawuser"));
+        final Credentials credentials = new Credentials("rawuser", "rawuser");
+        final Host host = new Host(profile, profile.getDefaultHostname(), credentials);
         final S3Session session = new S3Session(host);
         session.open(new DisabledProxyFinder(), new DisabledHostKeyCallback(), new DisabledLoginCallback(), new DisabledCancelCallback());
         session.login(new DisabledLoginCallback(), new DisabledCancelCallback());
 
-        final Credentials credentials = host.getCredentials();
         final OAuthTokens oauth = credentials.getOauth();
         assertTrue(oauth.validate());
         final TemporaryAccessTokens tokens = credentials.getTokens();
         assertTrue(tokens.validate());
 
-        host.getCredentials().reset();
+        credentials.reset();
 
         Path container = new Path("cyberduckbucket", EnumSet.of(Path.Type.directory, Path.Type.volume));
         assertTrue(new S3FindFeature(session, new S3AccessControlListFeature(session)).find(container));
@@ -147,7 +147,7 @@ public void testLoginInvalidOAuthTokensLogin() throws Exception {
         session.login(new DisabledLoginCallback(), new DisabledCancelCallback());
         assertNotEquals(OAuthTokens.EMPTY, credentials.getOauth());
         assertNotEquals(TemporaryAccessTokens.EMPTY, credentials.getTokens());
-        host.getCredentials().reset();
+        credentials.reset();
         assertEquals(OAuthTokens.EMPTY, credentials.getOauth());
         assertEquals(TemporaryAccessTokens.EMPTY, credentials.getTokens());
         new S3BucketListService(session).list(
@@ -179,7 +179,7 @@ public void testBucketListInvalidOAuthTokensList() throws Exception {
                 new Path(String.valueOf(Path.DELIMITER), EnumSet.of(Path.Type.volume, Path.Type.directory)), new DisabledListProgressListener());
         assertNotEquals(OAuthTokens.EMPTY, credentials.getOauth());
         assertNotEquals(TemporaryAccessTokens.EMPTY, credentials.getTokens());
-        host.getCredentials().reset();
+        credentials.reset();
         assertEquals(OAuthTokens.EMPTY, credentials.getOauth());
         assertEquals(TemporaryAccessTokens.EMPTY, credentials.getTokens());
         new S3BucketListService(session).list(

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ public TemporaryAccessTokens refresh(final Credentials credentials) throws Backg`
`61`	`61`	`try {`
`62`	`62`	`final String arn = new ProxyPreferencesReader(host, credentials).getProperty(Profile.STS_ROLE_ARN_PROPERTY_KEY, "s3.assumerole.rolearn");`
`63`	`63`	`log.debug("Use ARN {}", arn);`
`64`		`- return tokens = this.assumeRoleWithWebIdentity(oauth.refresh(credentials.getOauth()), arn);`
	`64`	`+ return tokens = this.assumeRoleWithWebIdentity(oauth.validate(credentials.getOauth()), arn);`
`65`	`65`	`}`
`66`	`66`	`finally {`
`67`	`67`	`lock.unlock();`