Skip to content

Recover agent from expired gRPC access token#6727

Open
OfficialOzzy wants to merge 2 commits into
woodpecker-ci:mainfrom
OfficialOzzy:fix/agent-expired-token-recovery
Open

Recover agent from expired gRPC access token#6727
OfficialOzzy wants to merge 2 commits into
woodpecker-ci:mainfrom
OfficialOzzy:fix/agent-expired-token-recovery

Conversation

@OfficialOzzy

Copy link
Copy Markdown

Summary

Fixes an issue where an agent could get permanently stuck using an expired gRPC access token.

The agent stored its access token as a plain string refreshed only on a 30-minute timer. When the server rejected a token with codes.Unauthenticated (typically because it expired), there was no recovery path: the error was classified as permanent, so the agent's RPC loops (next(), report_health(), workflow init/wait, …) kept retrying with the dead token and never recovered, orphaning queued/pending workflows. The token field was also read and written across goroutines without synchronization.

Changes

  • agent/rpc/auth_interceptor.go — the access token is now guarded by a sync.RWMutex (Token() / setToken()). A new exported RefreshToken(ctx, staleToken) forces re-authentication; a refreshMu serializes it with the background refresh timer, and the staleToken check collapses a burst of concurrent refreshes into a single Auth call (no stampede). No token material is logged.
  • agent/rpc/client_grpc.go — new optional tokenRefresher wired via SetAuthRefresher. classifyRPCErr now treats codes.Unauthenticated as retryable, and withAuthRefresh re-authenticates and lets backoff retry with the fresh token, bounded by maxAuthRefreshes so a genuinely bad/revoked secret cannot loop forever (even with an infinite connection-retry timeout). When no refresher is configured the code stays permanent — preserving previous behavior.
  • cmd/agent/core/agent.go — wires the auth interceptor into the client.

Behavior / config

No public configuration changes. The existing 30-minute refresh timer still handles the normal case; this adds a reactive safety net for cases the timer path missed (e.g. server restart during a refresh window).

Tests

  • TestExpiredTokenRecovery — over an in-process gRPC server, an agent starting with a rejected (expired) token re-authenticates and the retried RPC succeeds.
  • TestRefreshTokenDedup — concurrent refreshes sharing a stale token collapse into a single re-auth.
  • TestWithAuthRefresh — recovery-after-refresh, give-up-after-budget, refresh-failure-stays-retryable, non-auth-errors pass through, nil-refresher stays permanent.
  • TestAuthInterceptorTokenConcurrency — token access is race-free under -race.

All pass under make test-agent and make lint (golangci-lint) is clean.

Closes #4144

OfficialOzzy and others added 2 commits June 14, 2026 06:18
The agent stored its gRPC access token as a plain string refreshed only on
a 30-minute timer. When the server rejected a token with codes.Unauthenticated
(typically because it expired), there was no recovery path: the error was
classified as permanent, so the agent's RPC loops kept retrying with the dead
token and could orphan queued workflows. The token field was also read and
written across goroutines without synchronization.

This makes token access concurrency-safe and adds on-demand re-authentication:

- AuthInterceptor guards the token with a RWMutex and exposes Token() and a new
  RefreshToken(ctx, staleToken) that serializes re-auth (refreshMu) and dedups
  concurrent callers via the stale-token check to avoid an auth stampede.
- The RPC client gains an optional tokenRefresher (SetAuthRefresher). On
  codes.Unauthenticated, withAuthRefresh re-authenticates and lets backoff retry
  with the fresh token, bounded by maxAuthRefreshes so a genuinely bad secret
  cannot loop forever. classifyRPCErr now treats Unauthenticated as retryable;
  with no refresher configured it stays permanent (previous behavior).

Adds regression tests: expired-token recovery over an in-process gRPC server,
concurrent-refresh dedup, refresh exhaustion, and a token-access race test.

Closes woodpecker-ci#4144

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

// refreshMu serializes re-authentication so that a burst of RPCs failing
// with an expired token does not trigger a stampede of Auth calls.
refreshMu sync.Mutex

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why have two mutex, can we just have accessTokenLock ?

@6543 6543 added bug Something isn't working agent labels Jun 15, 2026
@6543

6543 commented Jun 15, 2026

Copy link
Copy Markdown
Member

... so the agent's RPC loops (next(), report_health(), workflow init/wait, …) kept retrying with the dead token and never recovered ...

in case the agent got deleted server side, the agent should not retry but exits with error ... we should handle that case propperly too!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

agent bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

agent connection seems broken, rpc access token expired

2 participants