From 36065111dacb0e78f3d2b465ede03a0ecb60a529 Mon Sep 17 00:00:00 2001
From: Pedro Gonzalez Gomez
Date: Thu, 7 May 2026 21:44:30 +0200
Subject: [PATCH] mgr/dashboard: raise exception on oauth2 sso expired token
Fixes: https://tracker.ceph.com/issues/76478
Signed-off-by: Pedro Gonzalez Gomez
---
 src/pybind/mgr/dashboard/controllers/oauth2.py | 3 +++
 src/pybind/mgr/dashboard/services/auth/oauth2.py | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/src/pybind/mgr/dashboard/controllers/oauth2.py b/src/pybind/mgr/dashboard/controllers/oauth2.py
index ae37c4ac1f7f..c87aef896924 100644
--- a/src/pybind/mgr/dashboard/controllers/oauth2.py
+++ b/src/pybind/mgr/dashboard/controllers/oauth2.py
@@ -18,6 +18,9 @@ class Oauth2(RESTController):
 if not token:
 raise cherrypy.HTTPError()
+ if OAuth2.is_token_expired(token):
+ raise cherrypy.HTTPError(401, 'Your session has expired. Please log in again.')
+ raise cherrypy.HTTPRedirect(OAuth2.get_login_redirect_url(token))
 @Endpoint(json_response=False, version=None)
diff --git a/src/pybind/mgr/dashboard/services/auth/oauth2.py b/src/pybind/mgr/dashboard/services/auth/oauth2.py
index dc0620ea3f91..b000c2f75baf 100644
--- a/src/pybind/mgr/dashboard/services/auth/oauth2.py
+++ b/src/pybind/mgr/dashboard/services/auth/oauth2.py
@@ -2,6 +2,7 @@
 import importlib
 import json
 import logging
+import time
 from typing import Dict, List
 from urllib.parse import quote
@@ -146,6 +147,14 @@ class OAuth2(SSOAuth):
 except AttributeError:
 raise cherrypy.HTTPError()
+ @classmethod
+ def is_token_expired(cls, token: str) -> bool:
+ try:
+ payload = decode_jwt_segment(token.split(".")[1])
+ return time.time() > payload.get('exp', 0)
+ except Exception:
+ return True
+ @classmethod
+ def get_token_iss(cls, token=''):
+ if token:
--
2.47.3
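Review bot: The new 401 tells the user their session expired, but `OAuth2.is_token_expired` (added in the second file of this patch) also returns True when the token cannot be decoded at all, so a malformed or truncated token reaches this branch with a misleading message; either distinguish the two cases before raising or use wording that covers both, e.g. `raise cherrypy.HTTPError(401, 'Your session is invalid or has expired. Please log in again.')`. The check only reads the `exp` claim and does not verify the token signature, so it should be documented in a comment as a fail-closed convenience check that does not replace the authoritative validation done when the token is actually used, e.g. `# pre-check only: exp is read without signature verification, the auth layer still validates the token`. The missing-token branch just above still raises a bare `cherrypy.HTTPError()`, whose default status is 500, so the two failure modes of the same method now return different status classes; aligning it on 401 would be consistent, though that line is not part of this change. The enclosing method begins before the hunk, so where `token` comes from is not visible here.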
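Review bot: `is_token_expired` has no docstring, and what it does and does not check matters for a security helper: it should state that it decodes the payload segment only, compares the `exp` claim as a Unix timestamp against `time.time()`, treats a missing or undecodable `exp` as expired, and performs no signature verification, so callers must not use it as an authorization decision. RFC 7519 requires the current time to be strictly before `exp`, so the `>` comparison accepts a token for the second in which it expires; `return time.time() >= payload.get('exp', 0)` matches the spec. The bare `except Exception: return True` keeps the check fail-closed but also hides programming errors such as an unexpected payload type; if `decode_jwt_segment` raises a known set of exceptions, narrowing to something like `except (IndexError, ValueError, TypeError, KeyError):` preserves the behaviour without masking bugs — I cannot see that helper from here, so confirm what it raises before narrowing. The module already imports `logging`, so a debug-level log of the decode failure would also help when diagnosing why a user is bounced to login.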