signon: when access token fails for the first time, explicitly request refreshsignon-refresh

This is relevant for the rare situation where signon gave us an access token
that it considered up-to-date and the server rejected it. Without the flag,
signon might just give us the same token again.

One (rare) situation where this might (?) happen is when the clocks
and client and server are out of sync: then the client might think the
token is still valid while the server thinks that it has expired.

1 files changed, 5 insertions, 0 deletions

diff --git a/src/backends/signon/signon.cpp b/src/backends/signon/signon.cpp
index e473c69e..cf2311e7 100644
--- a/src/backends/signon/signon.cpp
+++ b/src/backends/signon/signon.cpp
@@ -90,6 +90,11 @@ public:
     {
         SE_LOG_DEBUG(NULL, "retrieving OAuth2 token, attempt %d", failedTokens);
 
+        // Refresh the access token instead of taking it from the cache when
+        // the previous access token was not accepted by the server.
+        g_hash_table_insert(m_sessionData, g_strdup("ForceTokenRefresh"),
+                            g_variant_ref_sink(g_variant_new_boolean(failedTokens == 1 ? TRUE : FALSE)));
+
         // Retry login if even the refreshed token failed.
         g_hash_table_insert(m_sessionData, g_strdup("UiPolicy"),
                             g_variant_ref_sink(g_variant_new_uint32(failedTokens >= 2 ? SIGNON_POLICY_REQUEST_PASSWORD : 0)));