X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f1f8e6488da533641dc83f157df1313c352ee3fe..6bf9e1a4b5640f3cdd057810f0c9b8a945bb88bd:/lib/controller/localdb/login_oidc.go?ds=sidebyside
diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index b74d22f8ea..5f96da5624 100644
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -380,7 +380,7 @@ func (ta *oidcTokenAuthorizer) WrapCalls(origFunc api.RoutableFunc) api.Routable
 // if so, ensures that an api_client_authorizations row exists so that
 // RailsAPI will accept it as an Arvados token.
 func (ta *oidcTokenAuthorizer) registerToken(ctx context.Context, tok string) error {
- if strings.HasPrefix(tok, "v2/") {
+ if tok == ta.ctrl.Cluster.SystemRootToken || strings.HasPrefix(tok, "v2/") {
 return nil
 }
 if cached, hit := ta.cache.Get(tok); !hit {
@@ -390,12 +390,11 @@ func (ta *oidcTokenAuthorizer) registerToken(ctx context.Context, tok string) er
 // cached negative result (value is expiry time)
 if time.Now().Before(exp) {
 return nil
- } else {
- ta.cache.Remove(tok)
 }
+ ta.cache.Remove(tok)
 } else {
 // cached positive result
- aca := cached.(*arvados.APIClientAuthorization)
+ aca := cached.(arvados.APIClientAuthorization)
 var expiring bool
 if aca.ExpiresAt != "" {
 t, err := time.Parse(time.RFC3339Nano, aca.ExpiresAt)
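Review bot: The new `tok == ta.ctrl.Cluster.SystemRootToken` test at the top of registerToken compares a cluster-wide secret with the ordinary string operator, and it also matches an empty `tok` whenever SystemRootToken is unset. The early return only skips the OIDC registration path rather than accepting the token, so the exposure looks limited, but I would still write it as `if root := ta.ctrl.Cluster.SystemRootToken; (root != "" && subtle.ConstantTimeCompare([]byte(tok), []byte(root)) == 1) || strings.HasPrefix(tok, "v2/") {`, which needs `crypto/subtle` in an import block that is outside this hunk. A comment such as `// The system root token and v2 tokens are never OIDC access tokens; skip the lookup.` would record why the check exists, presumably to keep the root token out of the cache and the provider lookup further down, which is not visible here. The body of registerToken continues past the end of the hunk.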
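Review bot: The positive-cache branch now uses the single-value assertion `cached.(arvados.APIClientAuthorization)`, which panics if the cache still holds a `*arvados.APIClientAuthorization` from any Add call that was not converted in the same change; the Add sites are outside this hunk, so that cannot be confirmed from here. Since the same cache stores expiry times for negative results and authorization records for positive ones, the two-value form is safer in a request path: `aca, ok := cached.(arvados.APIClientAuthorization)`, and on `!ok` call `ta.cache.Remove(tok)` and treat the entry as a miss. The `else` branch continues past the end of the hunk.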