rodrigobr-msft
left a comment
Hey, I think there was a miscommunication, as I've been working on this feature for a couple of days already: https://github.com/microsoft/Agents-for-python/tree/users/robrandao/oauth-improvements
All I need is to add tests for the above branch.
Anyways, the proposed changes I think would still run into race conditions, as multiple OAuthFlow objects could be instantiated from the same state and be completely unaware of each other before the continue_flow is called. Synchronization across instances of the app (across VMs/on the network) would be difficult to achieve, but within the same AgentApplication instance, I think it would be easiest if we placed the synchronization mechanism at the Authorization class level. I can add some of the changes you have here like the renaming of some of the instance variables in my current branch if you would like.
This pull request introduces a deduplication mechanism for OAuth token exchange requests to prevent replay attacks and duplicate processing. The main changes include tracking processed token exchange IDs, handling duplicate requests gracefully, and periodically clearing the registry to avoid unbounded growth. Comprehensive tests have been added to verify these behaviors.
OAuth Token Exchange Deduplication
(token_exchange_id_registry) to track processed token exchange IDs within the OAuthFlow class, preventing duplicate token exchanges. The registry is cleared lazily based on a configurable interval to avoid memory growth.
(FlowErrorTag.DUPLICATE_EXCHANGE) if a replay is detected.
Testing Improvements
Minor Code Quality Improvements
(utils.py) and test classes.
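The registry the PR describes, sketched as an added example (not code from Agents-for-python or from either branch) and placed, as the review comment suggests, where one Authorization-level instance is shared by every OAuthFlow object built from the same state. TokenExchangeRegistry, continue_flow and DUPLICATE_EXCHANGE are hypothetical names standing in for the PR's registry, OAuthFlow.continue_flow and FlowErrorTag.DUPLICATE_EXCHANGE; the race helper has two flow objects consume the same exchange ID at once, and the shared lock lets exactly one succeed.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Added illustration, not code from Agents-for-python. TokenExchangeRegistry,
# DUPLICATE_EXCHANGE and continue_flow are hypothetical stand-ins for the PR's
# registry, FlowErrorTag.DUPLICATE_EXCHANGE and OAuthFlow.continue_flow.
DUPLICATE_EXCHANGE = "DUPLICATE_EXCHANGE"


class TokenExchangeRegistry:
    """Consumed token-exchange IDs, shared at the Authorization (application)
    level so every OAuthFlow object rebuilt from the same state consults one
    set under one lock. Cleared lazily every clear_interval seconds."""

    def __init__(self, clear_interval=300.0, clock=time.monotonic):
        self.clear_interval = clear_interval
        self._clock = clock  # injectable so tests can advance time
        self._seen = set()
        self._last_cleared = clock()
        self._lock = threading.Lock()

    def try_consume(self, exchange_id):
        """Record and return True if unseen; return False for a replay."""
        with self._lock:  # check-and-record must be atomic across flows
            now = self._clock()
            if now - self._last_cleared >= self.clear_interval:
                self._seen.clear()  # bounds growth; pre-clear IDs replayable
                self._last_cleared = now
            if exchange_id in self._seen:
                return False
            self._seen.add(exchange_id)
            return True


def continue_flow(registry, exchange_id):
    """Flow-side check that runs before the actual token swap."""
    if not registry.try_consume(exchange_id):
        return DUPLICATE_EXCHANGE
    return "TOKEN_EXCHANGED"


def race_two_flows(registry, exchange_id):
    """Two flow objects continue the same exchange at once; count outcomes."""
    barrier = threading.Barrier(2)

    def worker(_):
        barrier.wait()  # release both threads together
        return continue_flow(registry, exchange_id)

    with ThreadPoolExecutor(max_workers=2) as pool:
        results = list(pool.map(worker, range(2)))
    return results.count("TOKEN_EXCHANGED"), results.count(DUPLICATE_EXCHANGE)
```

Clearing the whole set on an interval keeps memory bounded but reopens a replay window for IDs consumed just before the clear; a per-ID expiry keyed to the token exchange's own lifetime avoids that gap.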