workstation: per-user long-lived Claude token to end concurrent-refresh logout
All checks were successful
ci/woodpecker/push/default Pipeline was successful
A heavy user (emo) runs 8+ always-on `claude` agents + their t3-serve instance, all sharing one ~/.claude/.credentials.json. When the shared access token expires the processes refresh simultaneously; OAuth refresh-token rotation makes the losing writer persist an EMPTY refresh token, logging the user out roughly every access-token lifetime (~8h). Re-issuing the credential never sticks — the race recurs (this is why emo's "standalone token" fix kept regressing).

Fix: an opt-in, per-user, non-rotating setup-token (sk-ant-oat01, ~1y, scope user:inference) kept in the user's OWN Vault path (field `setup_token`). claude-auth-sync materializes it to a user-owned ~/.config/claude-auth-sync/claude-oauth.env and, while it is present, SKIPS the rotating-credential validate/backup/restore (so no false WorkstationClaudeAuthInvalid). start-claude.sh and t3-serve@.service load it as CLAUDE_CODE_OAUTH_TOKEN, so every session of that user uses the non-rotating token and there is nothing to race on.

Fail-safe + opt-in: with no `setup_token` in Vault, every path is a no-op, so users on the normal per-user Enterprise-SSO flow are unaffected. This is each user's OWN identity, never the forbidden shared CLAUDE_CODE_OAUTH_TOKEN. Runbook documents enable/disable/rotate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
3cc8f9f661
commit
c70810a51b
4 changed files with 117 additions and 2 deletions
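The env-file loader the commit message describes, written here as an added example (not the repository's start-claude.sh or claude-auth-sync): it reads only `CLAUDE_CODE_OAUTH_TOKEN` from the user's claude-oauth.env instead of sourcing the whole file, and refuses a file that is not the caller's own. The path, the key name and the `sk-ant-oat01` prefix come from the commit; the ownership and mode checks and the GNU `stat -c` dependency are this example's assumptions.

```shell
#!/bin/sh
# Added example: a per-user claude-oauth.env loader that does not `.`-source
# the file. Only CLAUDE_CODE_OAUTH_TOKEN is read and exported, and the file
# must be owned by the caller with mode 0600 or 0400. Assumes GNU stat -c.

load_claude_oauth_env() {
    env_file="${1:-$HOME/.config/claude-auth-sync/claude-oauth.env}"

    # No file -> no-op with status 0 (normal per-user Enterprise-SSO flow).
    [ -e "$env_file" ] || return 0

    # Refuse a file we do not own or that other users could read or write.
    uid=$(stat -c %u "$env_file") || return 1
    mode=$(stat -c %a "$env_file") || return 1
    if [ "$uid" != "$(id -u)" ]; then
        echo "refusing $env_file: not owned by uid $(id -u)" >&2; return 1
    fi
    case "$mode" in
        600|400) ;;
        *) echo "refusing $env_file: mode $mode, want 600 or 400" >&2; return 1 ;;
    esac

    # Take the last CLAUDE_CODE_OAUTH_TOKEN= line (optional `export `), strip
    # surrounding quotes, and ignore every other line instead of executing it.
    line=$(grep '^\(export \)\{0,1\}CLAUDE_CODE_OAUTH_TOKEN=' "$env_file" | tail -n 1)
    token=${line#*=}
    token=${token#\"}; token=${token%\"}; token=${token#\'}; token=${token%\'}
    if [ -z "$token" ]; then
        echo "refusing $env_file: no CLAUDE_CODE_OAUTH_TOKEN assignment" >&2; return 1
    fi

    # Only a non-rotating setup-token (sk-ant-oat01...) belongs in this file.
    case "$token" in
        sk-ant-oat01*) ;;
        *) echo "refusing $env_file: not an sk-ant-oat01 setup-token" >&2; return 1 ;;
    esac

    CLAUDE_CODE_OAUTH_TOKEN="$token"
    export CLAUDE_CODE_OAUTH_TOKEN
}
```

Because an absent file returns 0 and sets nothing, the function can be called unconditionally at the top of a launcher script and stays a no-op for users on the Enterprise-SSO flow.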
@ -93,6 +93,15 @@ ensure_onboarding() {
}
ensure_onboarding
# Load a per-user long-lived CLAUDE_CODE_OAUTH_TOKEN if claude-auth-sync has
# materialized one from this user's own Vault path. A non-rotating setup-token
# sidesteps the shared ~/.claude/.credentials.json OAuth refresh-token race that
# logs out users running many concurrent agents (interactive + t3 + always-on).
# Absent file -> no-op (normal per-user Enterprise-SSO flow). The user's OWN
# token; never shared between OS users.
_oauth_env="$HOME/.config/claude-auth-sync/claude-oauth.env"
if [ -r "$_oauth_env" ]; then set -a; . "$_oauth_env"; set +a; fi
# Deliberately not `exec` so we can branch on the exit code: clean quit ends the
# pane (ttyd closes the terminal); a crash drops to a shell so the tmux session
# isn't destroyed-and-recreated in a ttyd auto-reconnect loop.
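Review bot: `set -a; . "$_oauth_env"; set +a` executes and exports every assignment in the file, not just CLAUDE_CODE_OAUTH_TOKEN, and the only gate is `-r`, so nothing in this hunk confirms the file is owned by the invoking user with a restrictive mode even though the comment above it promises the token is "never shared between OS users". Consider checking ownership and mode before loading, or extracting only the `CLAUDE_CODE_OAUTH_TOKEN=` line rather than sourcing the file; note also that `set +a` unconditionally turns allexport off even if the caller had it enabled.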