Skip to content

[cli] refresh VERCEL_OIDC_TOKEN #13226

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Apr 9, 2025
Merged

[cli] refresh VERCEL_OIDC_TOKEN #13226

merged 12 commits into from
Apr 9, 2025

Conversation

markandrus
Copy link
Contributor

@markandrus markandrus commented Apr 7, 2025
edited
Loading

If vc dev is left running for longer than 12 hours, the VERCEL_OIDC_TOKEN environment variable can expire, leading to errors in applications that depend on it.

This PR updates vc dev to proactively fetch a new VERCEL_OIDC_TOKEN 15 minutes before its expiry and restart the dev server, bypassing this issue. This is a simpler approach than the one in #13214, which updated .env.local on disk.

Note that if OIDC is disabled when vc dev is run or if OIDC is disabled at the time of a refresh, then refreshes will be disabled. Additionally, care is taken not to refresh VERCEL_OIDC_TOKEN too frequently (at most once every minute). This should not be a problem in practice, because the tokens issued in development have a 12 hour expiration.

For manual testing, I set the environment variables

export REFRESH_VERCEL_OIDC_TOKEN_BEFORE_EXPIRY_MILLIS=12h
export REFRESH_VERCEL_OIDC_TOKEN_THROTTLE_MILLIS=10s

to force vc dev to consider whatever token was fetched already expired and to speed up fetching the next one.

@markandrus markandrus requested review from trek and a team as code owners April 7, 2025 13:18
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Apr 7, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 7175457

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
vercel Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

trek
trek previously approved these changes Apr 7, 2025
View reviewed changes
@trek
Copy link
Contributor

trek commented Apr 7, 2025

I like this a lot more than #13214!

trek
trek previously approved these changes Apr 7, 2025
View reviewed changes
shaper
shaper previously approved these changes Apr 7, 2025
View reviewed changes
@markandrus markandrus dismissed stale reviews from shaper and trek via a9ca111 April 8, 2025 15:00
@markandrus markandrus enabled auto-merge April 8, 2025 15:44
@markandrus markandrus requested a review from trek April 8, 2025 15:52
@markandrus markandrus force-pushed the refresh-oidc-token-2 branch from 8da1ed3 to 7175457 Compare April 9, 2025 14:40
@socket-security Socket Security
Copy link

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@types/node@18.0.0 None 0 1.7 MB types

View full report↗︎

@markandrus
Copy link
Contributor Author

In order to avoid a test-e2e timeout related to the new functionality in vc dev, I udpated @types/node to 18 (matching engines in package.json) and use setTimeout from node:timers/promises, passing an AbortSignal. This has been available since Node.js 15, so I think it should be fine?

@markandrus markandrus added this pull request to the merge queue Apr 9, 2025
Merged via the queue into main with commit 590914a Apr 9, 2025
151 checks passed
@markandrus markandrus deleted the refresh-oidc-token-2 branch April 9, 2025 15:20
@vercel-release-bot vercel-release-bot mentioned this pull request Apr 9, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Apr 10, 2025
@vercel-release-bot @github-actions
Version Packages (#13230)
9b888c5 
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## vercel@41.6.0

### Minor Changes

- `vercel dev` will now automatically refresh the `VERCEL_OIDC_TOKEN`
environment ([#13226](#13226))
    variable and restart the development server before it expires.

### Patch Changes

- fix(auth): fix rendering fallback verification link
([#13232](#13232))

- Updated dependencies
\[[`b696b2dc8e6a2bb6c9dc1c6ce99cddf375b61559`](b696b2d),
[`a640944c6e2c69afab5b7f03080d8363ef4bcf5b`](a640944),
[`f0730d4b77f158c75b119544ee8756a609f22fdf`](f0730d4)]:
    -   @vercel/next@4.7.7

## @vercel/firewall@0.1.7

### Patch Changes

- fix(readme): updated link to documentation about the SDK
([#13210](#13210))

## @vercel/next@4.7.7

### Patch Changes

- Fix for rewrite headers that ensures that we don't check post-non
rewrite operations (like adding headers).
([#13229](#13229))

- [next] ensure app router 404 page is still included in functions when
using pages i18n ([#13222](#13222))

- [next] improve error message for "No Next.js version"
([#13239](#13239))

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@chris-olszewski chris-olszewski mentioned this pull request Jun 11, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Jun 11, 2025
@chris-olszewski
fix(vercel): exit dev command on error (#13438)
cff32d9 
Reenable test disabled in #13436

According to `git bisect` #13226
broke this behavior. Unsure of how the passed on CI/up until recently as
it was definitely broken.

It looks like the `AbortController` prevented the process from exiting.
QuietCraftsmanship pushed a commit to QuietCraftsmanship/Vercel that referenced this pull request Jul 6, 2025
@github-actions
Version Packages (#13230)
68ce70f 
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## vercel@41.6.0

### Minor Changes

- `vercel dev` will now automatically refresh the `VERCEL_OIDC_TOKEN`
environment ([#13226](vercel/vercel#13226))
    variable and restart the development server before it expires.

### Patch Changes

- fix(auth): fix rendering fallback verification link
([#13232](vercel/vercel#13232))

- Updated dependencies
\[[`8e1620805349484a3ee7944c4076c5d2c6f19ecc`](vercel/vercel@8e16208),
[`134ea04feb1d534c6e6ebba8fdb2c698dc9477cf`](vercel/vercel@134ea04),
[`d24262e058ee55fedfd03ab8f8197f840cd9c282`](vercel/vercel@d24262e)]:
    -   @vercel/next@4.7.7

## @vercel/firewall@0.1.7

### Patch Changes

- fix(readme): updated link to documentation about the SDK
([#13210](vercel/vercel#13210))

## @vercel/next@4.7.7

### Patch Changes

- Fix for rewrite headers that ensures that we don't check post-non
rewrite operations (like adding headers).
([#13229](vercel/vercel#13229))

- [next] ensure app router 404 page is still included in functions when
using pages i18n ([#13222](vercel/vercel#13222))

- [next] improve error message for "No Next.js version"
([#13239](vercel/vercel#13239))

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
QuietCraftsmanship pushed a commit to QuietCraftsmanship/Vercel that referenced this pull request Jul 6, 2025
@chris-olszewski
fix(vercel): exit dev command on error (#13438)
29089da 
Reenable test disabled in #13436

According to `git bisect` vercel/vercel#13226
broke this behavior. Unsure of how the passed on CI/up until recently as
it was definitely broken.

It looks like the `AbortController` prevented the process from exiting.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shaper shaper shaper left review comments

@balazsorban44 balazsorban44 Awaiting requested review from balazsorban44

+1 more reviewer

@trek trek trek approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@markandrus @trek @shaper