oauth2: harden token refresh parsing by erain · Pull Request #11618 · fluent/fluent-bit

erain · 2026-03-24T19:50:23Z

Problem

OAuth2 token refresh accepted partial or malformed responses and mutated the live token state while parsing.
That could mask refresh failures, leave Fluent Bit holding inconsistent credentials, or treat invalid expires_in values as usable.

Parse refresh responses into temporary values and update the OAuth2 context only after access_token, token_type, and expires_in all validate.
Reject malformed, negative, non-numeric, and too-short expires_in values while still accepting quoted numeric expirations and duplicate keys with last-value-wins behavior.
Extend the internal OAuth2 tests to cover transactional refresh updates, malformed payload rejection, duplicate keys, quoted expirations, and refresh flows with the stricter validation.

Bug Fixes
- Stricter OAuth2 token response validation: access token, token type and expires_in must be present and valid; default token_type/expires_in fallbacks removed.
- Improved error reporting and added bounds protection during parsing.
- Applies a 10% safety reduction to computed token lifetimes; parsing failures no longer overwrite existing token state.
Tests
- Replaced broad default-parsing test with focused tests for transactional updates, quoted expires_in, duplicate-key behavior, invalid expires_in cases, and adjusted mock server parameters.