Summary
The OAuth2 token refresh flow in otdfctl/pkg/auth/refresh.go can hang indefinitely when tlsNoVerify is false. In that code path, no custom HTTP client is injected into the OAuth2 context, causing oauth2.Config.TokenSource(ctx, …).Token() to fall back to http.DefaultClient, which has no timeout configured. A stalled identity provider can block the CLI process indefinitely.
Steps to reproduce
- Configure a profile with access-token auth and a valid refresh token.
- Point the endpoint at a host that accepts TCP connections but never responds (simulating a stalled IDP).
- Run a command that triggers RefreshAccessToken.
- Observe the CLI hangs with no timeout.
Proposed fix
- Add a Timeout field (e.g. 30 * time.Second) to the *http.Client returned by utils.NewHTTPClient in otdfctl/pkg/utils.
- Remove the tlsNoVerify guard in otdfctl/pkg/auth/refresh.go and call utils.NewHTTPClient(tlsNoVerify) unconditionally, injecting the result into the OAuth2 context before calling tokenSource.Token().
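Added example (not otdfctl's own code) showing the proposed fix next to a reproduction of the hang, using only the Go standard library: NewHTTPClient here takes the timeout as a parameter (an assumption; the proposal hard-codes 30 * time.Second), FetchToken stands in for tokenSource.Token(), and StalledIDP is a constructed server that accepts the connection but never answers. In the real code path the returned client would be handed to golang.org/x/oauth2 through context.WithValue(ctx, oauth2.HTTPClient, client) before calling Token().

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewHTTPClient has the shape of the proposed utils.NewHTTPClient, with the
// timeout passed explicitly (an assumption of this example). Unlike
// http.DefaultClient it always sets Timeout, so a stalled IDP cannot block forever.
func NewHTTPClient(tlsNoVerify bool, timeout time.Duration) *http.Client {
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: tlsNoVerify}
	return &http.Client{Transport: transport, Timeout: timeout}
}

// FetchToken stands in for tokenSource.Token(): one POST to the token endpoint
// with the injected client. timedOut is true only when the client Timeout fired.
func FetchToken(client *http.Client, tokenURL string) (status int, timedOut bool, err error) {
	resp, err := client.Post(tokenURL, "application/x-www-form-urlencoded", nil)
	if err != nil {
		var ne net.Error
		return 0, errors.As(err, &ne) && ne.Timeout(), err
	}
	defer resp.Body.Close()
	return resp.StatusCode, false, nil
}

// StalledIDP is a constructed server reproducing the bug condition: it accepts the
// connection but never responds, returning only when the client gives up or stall elapses.
func StalledIDP(stall time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case <-r.Context().Done():
		case <-time.After(stall):
		}
	}))
}

func main() {
	idp := StalledIDP(2 * time.Second)
	defer idp.Close()
	_, timedOut, err := FetchToken(NewHTTPClient(false, 500*time.Millisecond), idp.URL)
	fmt.Printf("timed out: %v: %v\n", timedOut, err)
}
```

With the same stalled server and http.DefaultClient (Timeout zero) the call never returns, which is the behaviour the issue describes.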
References