auth: Use a custom function to determine access token expiry #362
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
manicminer
force-pushed
the
bugfix/token-expiry-race-condition
branch
from
2f44408 to
b0263ad
Compare
manicminer
changed the title
manicminer
force-pushed
the
bugfix/token-expiry-race-condition
branch
from
b0263ad to
d1a39ca
Compare
The default method `*oauth2.Token{}.Valid()` has a hardcoded delta of 10
seconds, which means that tokens are only renewed 10 seconds before they
expire. This leads to race conditions during long running operations
with the Resource Manager API, when a polling request is built
immediately prior to this window, but only sent on or after the expiry
time. Additionally, it's plausible that 1 (or more) second(s) may be
lost during the process of token issuance, since it's likely the token
is generated prior to being returned by the API, and it is the latter
that informs us of the expiry time.
This change extends this window to 10 minutes for any access token with
a validity period of 20+ minutes. For tokens having a validity period
less than 20 minutes, those are renewed when 50% or more of that
validity period has elapsed.
For example, a token that is valid for 1 hour (very common) will be
renewed after it has been held for 50 minutes. However, a token issued
for 10 minutes will be renewed when it has been held for 5 minutes (i.e.
>=50% of the validity period).
manicminer
force-pushed
the
bugfix/token-expiry-race-condition
branch
from
d1a39ca to
86de601
Compare
tombuildsstuff
approved these changes
Mar 10, 2023
|
|
||
| expiry := token.Expiry.Round(0) | ||
| delta := tokenExpiryDelta | ||
| now := time.Now() |
There was a problem hiding this comment.
IIRC the access token expiration time is in UTC, so do we want to explicitly convert these to UTC too?
There was a problem hiding this comment.
It's in local time actually, we're computing the expiration time based on the expires_in field from the login response, which is a seconds value that we add to the local time.
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The default method
*oauth2.Token{}.Valid()has a hardcoded delta of 10 seconds, which means that tokens are only renewed 10 seconds before they expire. This leads to race conditions during long running operations with the Resource Manager API, when a polling request is built immediately prior to this window, but only sent on or after the expiry time. Additionally, it's plausible that 1 (or more) second(s) may be lost during the process of token issuance, since it's likely the token is generated prior to being returned by the API, and it is the latter that informs us of the expiry time.This change extends this window to 10 minutes for any access token with a validity period of 20+ minutes. For tokens having a validity period less than 20 minutes, those are renewed when 50% or more of that validity period has elapsed.
For example, a token that is valid for 1 hour (very common) will be renewed after it has been held for 50 minutes. However, a token issued for 10 minutes will be renewed when it has been held for 5 minutes (i.e. >=50% of the validity period).
Related: hashicorp/terraform-provider-azurerm#20834