Drone

OSS build fails to refresh Gitea OAuth tokens

Due to the renew code being gated with build !oss (https://github.com/drone/drone/blob/1ce573320eafa7bae5125886040c5795e039b3d3/service/token/renew.go), Drone doesn’t ever refresh OAuth tokens. This means that an hour after login (the actual value depends on the ACCESS_TOKEN_EXPIRATION_TIME configuration value on the Gitea side; this value can be lowered to 30 to make reproduction of this problem easier), all requests from Drone to Gitea will fail with 403. Drone diagnostics are not very useful in this case, as it will say “404: Record not found”. Users will have to manually log out and log in again to make Drone load repositories again.

I tried removing the renew_oss.go file and build !oss directive, and it fixed the problem. Drone started renewing tokens properly.

Is there any reason why renew code is gated with build !oss? It makes OAuth support pretty much broken.

My understanding is that you have to disable refresh tokens (or you have to set some special setting to ensure that Gitea preserves old refresh tokens and does not replace them in the database).

Are you saying that in order for that to work, Gitea should return access tokens with infinite lifetime so refresh tokens won’t be necessary? It doesn’t seem to be supported in Gitea, although one can raise the lifetime to a large value so it would be practically infinite. Moreover, this is a global OAuth provider setting, and can’t be configured per-application.
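
The failure mode discussed in this thread, as an added Go example that is not Drone's or Gitea's code: a simulated provider issues one-hour access tokens and rotates the refresh token on every exchange, so a no-op renewer leaves an expired token in place while a working renewer has to store the new pair. `Provider`, `Token`, `Renew` and all token values are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"time"
)

// Token is a constructed stand-in for the OAuth pair stored per user.
type Token struct {
	Access, Refresh string
	Expiry          time.Time
}

// Provider simulates an OAuth server (hypothetical, not Gitea's API) that rotates refresh tokens.
type Provider struct {
	TTL time.Duration // lifetime of each access token
	n   int           // serial of the only refresh token still accepted
}

// Issue mints a new pair; the first call stands in for the interactive login.
func (p *Provider) Issue(now time.Time) Token {
	p.n++
	return Token{fmt.Sprintf("access-%d", p.n), fmt.Sprintf("refresh-%d", p.n), now.Add(p.TTL)}
}

// Exchange trades the current refresh token for a new pair and rejects a stale one.
func (p *Provider) Exchange(refresh string, now time.Time) (Token, error) {
	if refresh != fmt.Sprintf("refresh-%d", p.n) {
		return Token{}, fmt.Errorf("refresh token %q is no longer valid", refresh)
	}
	return p.Issue(now), nil
}

// Expired reports whether an API call made at now would be rejected (the 403 case).
func (t Token) Expired(now time.Time) bool { return now.After(t.Expiry) }

// Renew refreshes a pair expiring within a minute; enabled=false models renewal compiled out.
func Renew(p *Provider, t Token, now time.Time, enabled bool) (Token, error) {
	if !enabled || now.Add(time.Minute).Before(t.Expiry) {
		return t, nil
	}
	return p.Exchange(t.Refresh, now) // caller must store the returned pair
}

func main() {
	p, t0 := &Provider{TTL: time.Hour}, time.Unix(0, 0)
	tok, later := p.Issue(t0), t0.Add(2*time.Hour)
	off, _ := Renew(p, tok, later, false)
	fmt.Println("no-op renew leaves token expired:", off.Expired(later))
}
```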