openkcm · protectorT1 · Dec 5, 2025 · Dec 5, 2025
diff --git a/charts/session-manager/values-dev.yaml b/charts/session-manager/values-dev.yaml
@@ -338,5 +338,6 @@ config:
 
   housekeeper:
     tokenRefreshInterval: 30m
+    tokenRefreshTriggerInterval: 5m
     idleSessionCleanupInterval: 30m
     idleSessionTimeout: 90m
diff --git a/charts/session-manager/values.yaml b/charts/session-manager/values.yaml
@@ -339,5 +339,6 @@ config:
 
   housekeeper:
     tokenRefreshInterval: 30m
+    tokenRefreshTriggerInterval: 5m
     idleSessionCleanupInterval: 30m
     idleSessionTimeout: 90m
diff --git a/config.yaml b/config.yaml
@@ -247,5 +247,6 @@ migrate:
 
 housekeeper:
     tokenRefreshInterval: 30m
+    tokenRefreshTriggerInterval: 5m
     idleSessionCleanupInterval: 30m
     idleSessionTimeout: 90m
diff --git a/internal/business/housekeeper.go b/internal/business/housekeeper.go
@@ -55,9 +55,10 @@ func HousekeeperMain(ctx context.Context, cfg *config.Config) error {
 
 func startExpiringTokenRefresh(ctx context.Context, sessionManager *session.Manager, cfg *config.Housekeeper) error {
 	c := time.Tick(cfg.TokenRefreshInterval)
+	triggerInterval := cfg.TokenRefreshTriggerInterval
 	for {
 		slogctx.Info(ctx, "Triggering refresh of expiring tokens")
-		if err := sessionManager.RefreshExpiringTokens(ctx); err != nil {
+		if err := sessionManager.RefreshExpiringTokens(ctx, triggerInterval); err != nil {
 			slogctx.Error(ctx, "failed to refresh expiring tokens", "error", err)
 		}
 

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -22,7 +22,8 @@ type Config struct {
 }
 
 type Housekeeper struct {
-	TokenRefreshInterval time.Duration `yaml:"tokenRefreshInterval" default:"30m"`
+	TokenRefreshInterval        time.Duration `yaml:"tokenRefreshInterval" default:"30m"`
+	TokenRefreshTriggerInterval time.Duration `yaml:"tokenRefreshTriggerInterval" default:"5m"`
 
 	IdleSessionCleanupInterval time.Duration `yaml:"idleSessionCleanupInterval" default:"30m"`
 	IdleSessionTimeout         time.Duration `yaml:"idleSessionTimeout" default:"90m"`

diff --git a/internal/session/housekeeper.go b/internal/session/housekeeper.go
@@ -15,7 +15,7 @@ import (
 )
 
 // RefreshExpiringTokens refreshes access tokens that are nearing expiration.
-func (m *Manager) RefreshExpiringTokens(ctx context.Context) error {
+func (m *Manager) RefreshExpiringTokens(ctx context.Context, refreshTriggerInterval time.Duration) error {
 	sessions, err := m.sessions.ListSessions(ctx)
 	if err != nil {
 		return err
@@ -26,7 +26,7 @@ func (m *Manager) RefreshExpiringTokens(ctx context.Context) error {
 			return fmt.Errorf("getting OIDC provider: %w", err)
 		}
 
-		if shouldRefresh(s) {
+		if shouldRefresh(s, refreshTriggerInterval) {
 			if err := m.refreshExpiringToken(ctx, &s, provider); err != nil {
 				slogctx.Warn(ctx, "Could not refresh token", "tenant_id", s.TenantID, "error", err)
 				continue
@@ -41,9 +41,9 @@ func (m *Manager) RefreshExpiringTokens(ctx context.Context) error {
 	return nil
 }
 
-func shouldRefresh(s Session) bool {
-	// refresh if token expires in less than 5 minutes
-	return time.Until(s.AccessTokenExpiry) < 5*time.Minute
+func shouldRefresh(s Session, refreshTriggerInterval time.Duration) bool {
+	// refresh if token expires in less than refreshTriggerInterval set in the config
+	return time.Until(s.AccessTokenExpiry) < refreshTriggerInterval
 }
 
 // refreshExpiringToken refreshes the access token for the given session if needed.