auth/oidc: fix eager token fetch at startup, add validation and e2e tests (#5234)

2026-04-28 20:19:10 +08:00 · 2026-03-15 22:29:45 +08:00
parent 94a631fe9c
commit ff4ad2f907
12 changed files with 885 additions and 35 deletions
--- a/Release.md
+++ b/Release.md
@@ -7,3 +7,4 @@
 * Kept proxy/visitor names as raw config names during completion; moved user-prefix handling to explicit wire-level naming logic.
 * Added `noweb` build tag to allow compiling without frontend assets. `make build` now auto-detects missing `web/*/dist` directories and skips embedding, so a fresh clone can build without running `make web` first. The dashboard gracefully returns 404 when assets are not embedded.
 * Improved config parsing errors: for `.toml` files, syntax errors now return immediately with parser position details (line/column when available) instead of falling through to YAML/JSON parsing, and TOML type mismatches report field-level errors without misleading line numbers.
+* OIDC auth now caches the access token and refreshes it before expiry, avoiding a new token request on every heartbeat. Falls back to per-request fetch when the provider omits `expires_in`.