(fix): hang after browser OIDC authentication (#1693)

sampras343 · jku · web-flow · commit 7af294e9e29c · 2026-02-20T13:32:26.000Z
* (fix): hang after browser OIDC authentication

Signed-off-by: Sachin Sampras M &lt;sampras343@gmail.com&gt;

* (docs): update changelog with bugfix info

Signed-off-by: Sachin Sampras M &lt;sampras343@gmail.com&gt;

* (fix): set close connection once before branching

Signed-off-by: Sachin Sampras M &lt;sampras343@gmail.com&gt;

---------

Signed-off-by: Sachin Sampras M &lt;sampras343@gmail.com&gt;
Co-authored-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,12 @@ All versions prior to 0.9.0 are untracked.
 
 ## [Unreleased]
 
+### Fixed
+
+* Fixed ~60s hang after completing browser-based OIDC authentication.
+  The OIDC redirect server had incomplete HTTP responses and no connection
+  management, causing a keep-alive deadlock with the browser.
+
 ## [4.2.0]
 
 ### Fixed
diff --git a/sigstore/_internal/oidc/oauth.py b/sigstore/_internal/oidc/oauth.py
@@ -130,18 +130,26 @@ def __exit__(
 
 
 class _OAuthRedirectHandler(http.server.BaseHTTPRequestHandler):
+    # Short socket timeout to prevent blocking serve_forever() on idle connections
+    timeout = 1
+
     def log_message(self, format: str, *_args: Any) -> None:
         pass
 
     def do_GET(self) -> None:
         _logger.debug(f"GET: {self.path} with {dict(self.headers)}")
         server = cast(_OAuthRedirectServer, self.server)
 
+        # The redirect server only needs one request per connection.
+        # Close conn immediately to prevent keep-alive from blocking.
+        self.close_connection = True
+
         # If the auth response has already been populated, the main thread will be stopping this
         # thread and accessing the auth response shortly so we should stop servicing any requests.
         if server.auth_response is not None:
             _logger.debug(f"{self.path} unavailable (teardown)")
             self.send_response(404)
+            self.end_headers()
             return None
 
         r = urllib.parse.urlsplit(self.path)
@@ -164,6 +172,7 @@ def do_GET(self) -> None:
         else:
             # Anything else sends a "Not Found" response.
             self.send_response(404)
+            self.end_headers()
 
 
 OOB_REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"
