
[@vercel/blob] Use refreshing getVercelOidcToken from @vercel/oidc #1076

Merged
falcoagustin merged 3 commits into main from falcoagustin/blob-oidc-token-refresh
Jun 25, 2026

@falcoagustin

Collaborator

Problem

@vercel/blob reads the Vercel OIDC token via @vercel/oidc's getVercelOidcTokenSync (introduced in #1072). That sync variant only reads the token from the request-context header / VERCEL_OIDC_TOKEN env var — it never refreshes an expired token. In a development environment a long-lived session can end up holding a stale, expired OIDC token.

Solution

Switch the blob OIDC reader to @vercel/oidc's async getVercelOidcToken, which refreshes an expired token in development before returning it. The thin wrapper in vercel-oidc-token.ts becomes async, and that propagates to resolveBlobAuth and its two call sites (requestApi, get) — both already async.

Behavior is unchanged in production with a valid, unexpired token: the refreshing variant decodes the token, finds it valid, and returns it immediately without any CLI access. If a refresh is required but fails (no CLI creds, no project config, network error), the wrapper swallows the throw and returns undefined, so callers still fall back to BLOB_READ_WRITE_TOKEN — the same graceful degradation as before.

Tests mock @vercel/oidc to delegate the refreshing reader to the real sync reader: the refresh path uses dynamic import(), which jest's CJS runner can't execute without --experimental-vm-modules, so the mock preserves the genuine header/env source-resolution while sidestepping that limitation.

🤖 Generated with Claude Code
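
Added example (not part of this PR or of @vercel/blob's source): a JavaScript sketch of the behaviour described above, where a valid token is returned without a refresh, a stale one triggers a refresh, and a failed refresh degrades to BLOB_READ_WRITE_TOKEN. Every function name, the injected reader and the demo token are assumptions made for illustration.

```javascript
// Added sketch, not @vercel/blob source. Every function name here is hypothetical;
// only the BLOB_READ_WRITE_TOKEN variable name comes from the PR description.

// Constructed, unsigned JWT-shaped string for the demo (never a real credential).
function makeDemoToken(expSeconds) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc({ exp: expSeconds })}.constructed`;
}

// Reads `exp` without verifying the signature. That is enough to decide whether
// a refresh is worth attempting; a server receiving the token must still validate it.
function isExpired(token, nowSeconds) {
  try {
    const body = Buffer.from(token.split('.')[1], 'base64url').toString('utf8');
    const { exp } = JSON.parse(body);
    return typeof exp !== 'number' || exp <= nowSeconds;
  } catch {
    return true; // malformed input is treated as unusable
  }
}

// Stand-in for a refreshing reader: a valid token is returned as-is and the
// refresh callback (which may throw) runs only when the token is stale.
async function refreshingReader(current, refresh, nowSeconds) {
  if (current && !isExpired(current, nowSeconds)) return current;
  return refresh();
}

// Wrapper: a failed refresh becomes `undefined` instead of an exception.
async function readOidcToken(reader) {
  try {
    return (await reader()) || undefined;
  } catch {
    return undefined;
  }
}

// Assumed order: OIDC first, then the static token. Returning `kind` lets the
// caller log which credential was used, since the swallowed error is invisible.
async function resolveAuth(reader, env) {
  const oidc = await readOidcToken(reader);
  if (oidc) return { kind: 'oidc', token: oidc };
  const rw = env.BLOB_READ_WRITE_TOKEN;
  return rw ? { kind: 'read-write-token', token: rw } : undefined;
}
```

Because the refresh failure is swallowed, the `kind` field in this sketch is the only signal that a request went out with BLOB_READ_WRITE_TOKEN instead of an OIDC token.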

falcoagustin and others added 2 commits June 25, 2026 07:06
Switch the blob OIDC reader from @vercel/oidc's non-refreshing
getVercelOidcTokenSync to the async getVercelOidcToken, which refreshes
an expired token in development. The wrapper, resolveBlobAuth, and its
two call sites (requestApi, get) become async accordingly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@changeset-bot

changeset-bot Bot commented Jun 25, 2026


🦋 Changeset detected

Latest commit: 3e70cab

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
| Name | Type |
| --- | --- |
| @vercel/blob | Patch |
| vercel-storage-integration-test-suite | Patch |


@vercel

vercel Bot commented Jun 25, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| vercel-storage-next-integration-test-suite | Ready | Preview | Jun 25, 2026 2:32pm |


@falcoagustin falcoagustin enabled auto-merge (squash) June 25, 2026 14:31
@falcoagustin falcoagustin merged commit 9ac2586 into main Jun 25, 2026
10 checks passed
@falcoagustin falcoagustin deleted the falcoagustin/blob-oidc-token-refresh branch June 25, 2026 14:33