projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
16306: Merge branch 'master'
[arvados.git] / lib / controller / localdb / login_oidc.go
diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index b74d22f8ead979e09686856b6b053c7f3c9250f2..5f96da56244325d86b3e9d4f252ec714f55f534c 100644 (file)
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -380,7 +380,7 @@ func (ta *oidcTokenAuthorizer) WrapCalls(origFunc api.RoutableFunc) api.Routable
 // if so, ensures that an api_client_authorizations row exists so that
 // RailsAPI will accept it as an Arvados token.
 func (ta *oidcTokenAuthorizer) registerToken(ctx context.Context, tok string) error {
-       if strings.HasPrefix(tok, "v2/") {
+       if tok == ta.ctrl.Cluster.SystemRootToken || strings.HasPrefix(tok, "v2/") {
                return nil
        }
        if cached, hit := ta.cache.Get(tok); !hit {
@@ -390,12 +390,11 @@ func (ta *oidcTokenAuthorizer) registerToken(ctx context.Context, tok string) er
                // cached negative result (value is expiry time)
                if time.Now().Before(exp) {
                        return nil
-               } else {
-                       ta.cache.Remove(tok)
                }
+               ta.cache.Remove(tok)
        } else {
                // cached positive result
-               aca := cached.(*arvados.APIClientAuthorization)
+               aca := cached.(arvados.APIClientAuthorization)
                var expiring bool
                if aca.ExpiresAt != "" {
                        t, err := time.Parse(time.RFC3339Nano, aca.ExpiresAt)