Conversation
5-step plan covering config, refresh token store/generation, OpenAPI spec updates, HTTP handler wiring, and comprehensive tests. Also enriches CLAUDE.md with important file paths and token flow details for step agents. Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Replace in-memory refresh token cache with database-backed storage layer - Add refresh_token table schema to database/schema.go plan - Add RefreshTokenRepository interface and SqlRefreshTokenRepository to database/repository.go plan - Add RefreshTokenRow model to database/models.go plan - Add database repository tests to Step 5 - Require database connection when RefreshTokenEnabled is true (fail fast at startup) - Ensure tokens survive restarts and support horizontal scaling Co-Authored-By: Claude Opus 4.6 <[email protected]>
…-34/plan into ticket-34/work Reviewed-on: http://localhost:3001/general-agent-4/VCVerifier/pulls/1 Reviewed-by: wistefan <[email protected]>
Add RefreshTokenEnabled (bool, default false) and RefreshTokenExpiration (int, default 2880 minutes / 48 hours) to the Verifier config struct, along with a DefaultRefreshTokenExpirationMinutes named constant. Add TYPE_REFRESH_TOKEN = "refresh_token" grant type constant to common/metadata.go. Update existing config test expectations and add a dedicated TestRefreshTokenConfigDefaults test with a YAML fixture covering both default and explicit value parsing. Co-Authored-By: Claude Opus 4.6 <[email protected]>
…ion and constants' (#2) from ticket-34/step-1 into ticket-34/work Reviewed-on: http://localhost:3001/general-agent-4/VCVerifier/pulls/2 Reviewed-by: wistefan <[email protected]>
Implement Step 2 of the refresh token feature: database-backed storage for refresh tokens with single-use semantics and token rotation. - Add refresh_token table DDL to schema.go (PostgreSQL, MySQL, SQLite) - Add RefreshTokenRow model with JSON serialization helpers for scopes and credentials - Add RefreshTokenRepository interface and SqlRefreshTokenRepository with StoreRefreshToken, GetAndDeleteRefreshToken, DeleteExpiredTokens - Add ExchangeRefreshToken, CreateRefreshToken, IsRefreshTokenEnabled to the Verifier interface and CredentialVerifier implementation - Wire up refresh token repo in main.go when feature is enabled - Add comprehensive tests for repository (SQLite), verifier methods, and model serialization helpers Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Store full signed JWT string in RefreshTokenRow.JWTPayload instead of decomposed fields, so access tokens can be re-issued without re-applying credential inclusion configurations - Remove erroneous TestRefreshTokenFlatClaims_True test (FlatClaims belongs to ScopeEntryRow, not RefreshTokenRow) - Fix JWTPayload field documentation to accurately describe compact JWT serialization storage Co-Authored-By: Claude Opus 4.6 <[email protected]>
…token store and generation logic' (#3) from ticket-34/step-2 into ticket-34/work Reviewed-on: http://localhost:3001/general-agent-4/VCVerifier/pulls/3 Reviewed-by: wistefan <[email protected]>
Update TokenResponse struct with RefreshToken field (omitempty for backward compatibility) and extend the OpenAPI spec to document the new refresh_token grant type in TokenRequest and refresh_token field in both TokenRequest and TokenResponse schemas. Co-Authored-By: Claude Opus 4.6 <[email protected]>
…and OpenAPI spec' (#4) from ticket-34/step-3 into ticket-34/work Reviewed-on: http://localhost:3001/general-agent-4/VCVerifier/pulls/4 Reviewed-by: wistefan <[email protected]>
Connect refresh token generation and exchange to the HTTP layer: - Add grant_type=refresh_token handler that exchanges a valid refresh token for a new access token and rotated refresh token - Extend GetToken (authorization_code flow) to generate and return refresh tokens when the feature is enabled - Extend verifiyVPToken (vp_token and token-exchange flows) to include refresh tokens in responses when enabled - Add IsRefreshTokenEnabled() and CreateRefreshToken() to Verifier interface, called from the openapi layer - Store clientId in tokenStore so refresh tokens can be created during authorization_code exchange - Add comprehensive tests for all refresh token paths including enabled/disabled states, error propagation, and all grant types Co-Authored-By: Claude Opus 4.6 <[email protected]>
…n endpoint handlers' (#5) from ticket-34/step-4 into ticket-34/work Reviewed-on: http://localhost:3001/general-agent-4/VCVerifier/pulls/5 Reviewed-by: wistefan <[email protected]>
Cover all refresh token scenarios across three packages: - database: field round-trip, token isolation, mixed-expiry cleanup, table-driven store/retrieve, MySQL adapt - verifier: table-driven ExchangeRefreshToken (enabled/disabled/expired/ error paths), multi-chain rotation, CreateRefreshToken with expiration timestamp and enabled/disabled, RS256 signToken, rotation store failure - openapi: disabled grant types omit refresh_token, CreateRefreshToken failure degrades gracefully (access token still returned) Co-Authored-By: Claude Opus 4.6 <[email protected]>
…esh token flows' (#6) from ticket-34/step-5 into ticket-34/work Reviewed-on: http://localhost:3001/general-agent-4/VCVerifier/pulls/6 Reviewed-by: wistefan <[email protected]>
wistefan
added
the
patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Added OAuth2 refresh token support to VCVerifier's token endpoint, per RFC 6749 Section 1.5. The feature is opt-in via configuration so existing deployments are unaffected.