ChallengeHardPython

OAuth Token Refresh Job

Scenario

A daily background job refreshes OAuth access tokens for registered third-party integrations. It exchanges refresh tokens with the OAuth provider, persists new credentials, and writes an audit record for compliance review.

Business expectation

New tokens must be persisted to the credential store before the old refresh token is revoked with the provider. If the store write fails, the old refresh token must still be valid so the job can retry. Revoking the old token before the new one is safely stored leaves the integration with no valid credentials.

Security expectations

Audit records are written to a shared logging backend with a 90-day retention period. Only token_id, service name, and expiry timestamp may appear. Token values — access tokens and refresh tokens — must never appear in audit records because the retention far exceeds token lifetimes.

83 lines

jobs/token_refresh_job.py

Exchanges refresh tokens with the OAuth provider and persists new credentials.

# OAuth token refresh job for third-party service integrations.

import logging

from typing import Protocol

logger = logging.getLogger(__name__)

class TokenProvider(Protocol):

    def refresh(self, refresh_token: str) -> dict: ...

    def revoke(self, refresh_token: str) -> None: ...

class CredentialStore(Protocol):

    def load(self, service_name: str) -> dict: ...

    def save(self, service_name: str, tokens: dict) -> None: ...

class AuditLogger(Protocol):

    def record(self, entry: dict) -> None: ...

class TokenRefreshJob:

    """Refreshes OAuth credentials for a registered service integration.

    Refresh sequence:

    1. Load current credentials from the store.

    2. Exchange the refresh token with the OAuth provider for new tokens.

    3. Persist the new tokens to the credential store.

    4. Revoke the old refresh token with the provider.

    5. Write an audit record.

    New tokens must be stored before the old refresh token is revoked.

    If the store write fails the old token must remain valid for retry.

"""

    def __init__(

        self,

        store: CredentialStore,

        provider: TokenProvider,

        audit: AuditLogger,

    ) -> None:

        self._store = store

        self._provider = provider

        self._audit = audit

    def refresh_service(self, service_name: str) -> None:

        """Refresh OAuth credentials for service_name.

        Parameters

        ----------

        service_name : str

            Name of the integration whose tokens should be refreshed.

        Raises

        ------

        RuntimeError

            If the token exchange or credential store write fails.

"""

        current = self._store.load(service_name)

        old_refresh_token: str = current["refresh_token"]

        old_token_id: str = current["token_id"]

        new_tokens = self._provider.refresh(old_refresh_token)

        self._provider.revoke(old_refresh_token)

        self._store.save(service_name, new_tokens)

        self._audit.record(_build_audit_entry(service_name, old_token_id, new_tokens))

        logger.info("token_refresh: refreshed credentials for %s", service_name)

def _build_audit_entry(service_name: str, old_token_id: str, new_tokens: dict) -> dict:

    """Build the compliance audit entry for a successful token refresh."""

    return {

        "event": "token_refreshed",

        "service": service_name,

        "token_id": new_tokens["token_id"],

        "previous_token_id": old_token_id,

        "access_token": new_tokens["access_token"],

        "refresh_token": new_tokens["refresh_token"],

        "expires_at": new_tokens.get("expires_at"),

No findings yet

Click on a line number in the code to add a finding

You need to log in or sign up to submit.

You can inspect the challenge for free, but AI review and results require an account.

Sign inorSign up