Skip to content

fix: perform best effort cleanup for concurrently created refresh tokens#4851

Open
Danil-Grigorev wants to merge 1 commit into
dexidp:masterfrom
Danil-Grigorev:refresh-tokens-password-pileup-fix
Open

fix: perform best effort cleanup for concurrently created refresh tokens#4851
Danil-Grigorev wants to merge 1 commit into
dexidp:masterfrom
Danil-Grigorev:refresh-tokens-password-pileup-fix

Conversation

@Danil-Grigorev

@Danil-Grigorev Danil-Grigorev commented Jun 25, 2026

Copy link
Copy Markdown

Overview

In a highly concurrent environment, where a local caching of refresh tokens is not possible, current password grant handler logic consistently produces duplicate refresh token resources in etcd for the same client id.

What this PR does / why we need it

This PR attempts to address this issue, by performing a best effort cleanup for such cases, leaving the last successful concurrent requester win the race and clean the outdated ones from the storage backend during update handling.

With a local reproducer, no duplicate refresh tokens are created anymore, or getting cleaned up by garbage collection.

Without the change, from 10 concurrent uncached requests result in 7-8 refresh tokens created for a client in average.

Special notes for your reviewer

@Danil-Grigorev Danil-Grigorev force-pushed the refresh-tokens-password-pileup-fix branch from 8384bea to 5bba5d0 Compare June 25, 2026 22:50
Signed-off-by: Danil Grigorev <daniil.grigorev.dev@gmail.com>
@Danil-Grigorev Danil-Grigorev force-pushed the refresh-tokens-password-pileup-fix branch from 5bba5d0 to ffc1931 Compare June 26, 2026 08:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant