Skip to content

fix(keyring): clear stale access-token chunks instead of deleting the client secret#1527

Merged
ramya18101 merged 3 commits into
auth0:mainfrom
sparkling:fix/keyring-store-access-token
May 21, 2026
Merged

fix(keyring): clear stale access-token chunks instead of deleting the client secret#1527
ramya18101 merged 3 commits into
auth0:mainfrom
sparkling:fix/keyring-store-access-token

Conversation

@sparkling
Copy link
Copy Markdown

@sparkling sparkling commented May 19, 2026

Description

StoreAccessToken's "clear existing chunks" loop deleted the secretClientSecret key on every iteration instead of the indexed secretAccessToken chunks (introduced in #1358). This caused two failures:

  1. Stale chunks → corrupted token. Old access-token chunks were never cleared, so re-storing a shorter token left trailing chunks that concatenate into a malformed JWT → authentication token is corrupted.
  2. Machine logins couldn't refresh. The client secret was deleted immediately after a machine login stored it, so RegenerateAccessToken → GetClientSecret failed and client-credentials sessions broke at the first token expiry (and never auto-renewed).

The loop now deletes the indexed access-token chunks (matching DeleteSecretsForTenant and the store/get loops) and leaves the client secret untouched.

Fixes #1526

Testing

Added two regression tests in internal/keyring/keyring_test.go:

  • overwriting a multi-chunk token with a single-chunk token returns exactly the new token (no stale chunks left over)
  • StoreAccessToken does not delete the client secret

Both fail on main and pass with this change. Also verified end-to-end against a live tenant: a machine login followed by a forced token expiry now auto-renews silently instead of erroring with please re-authenticate.

Checklist

  • Regression tests added
  • go test ./internal/keyring/... passes
  • Change is minimal and matches existing patterns in the file

@sparkling sparkling requested a review from a team as a code owner May 19, 2026 22:23
@ramya18101
Copy link
Copy Markdown
Contributor

ramya18101 commented May 20, 2026
edited
Loading

Hi @sparkling 👋, This is a great catch!

Thanks for finding this and putting together.
Really appreciate you digging through the old PR and tracking down the root cause here.

Also please sign your commit!

@sparkling @bkiran6398
fix(keyring): clear stale access-token chunks instead of deleting the…
bb4e919 
… client secret

StoreAccessToken's "clear existing chunks" loop deleted the
secretClientSecret key on every iteration instead of the indexed
secretAccessToken chunks. Two consequences:

1. Stale access-token chunks were never cleared, so re-storing a shorter
   token left trailing chunks that concatenated into a malformed JWT,
   surfacing as "authentication token is corrupted".
2. The client secret was deleted immediately after a machine login
   stored it, so RegenerateAccessToken could no longer refresh the
   token and client-credentials sessions broke at the first expiry.

Delete the indexed access-token chunks (matching DeleteSecretsForTenant
and the store/get loops) and leave the client secret untouched. Adds
regression tests covering both failure modes.

Introduced in auth0#1358.
@bkiran6398 bkiran6398 force-pushed the fix/keyring-store-access-token branch from d075c00 to bb4e919 Compare May 21, 2026 08:51
@ramya18101 ramya18101 merged commit d8e9f8f into auth0:main May 21, 2026
6 checks passed
@ramya18101 ramya18101 mentioned this pull request May 22, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ramya18101 ramya18101 ramya18101 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

StoreAccessToken deletes the client secret instead of clearing stale access-token chunks

2 participants

@sparkling @ramya18101