commit 91d90388c2a8df50542285c81560a6a11bde7e59
author Vadim Shtayura <vadimsh@chromium.org> Mon May 12 23:34:43 2025
committer LUCI CQ <infra-scoped@luci-project-accounts.iam.gserviceaccount.com> Mon May 12 23:34:43 2025
tree a37475a978571c0aa9a60040bbedbef5eb5970aa
parent 1fc2f34532af6f525b691bc7f72f62c60f012a4b

[auth] Allow using tokens that are close to being expired.

With addition of external credential helpers and ADC, the auth
library has much less control over how tokens are refreshed. In
particular, it is generally impossible to guarantee that an act
of "refreshing a token" via a token provider actually refreshes
the token.

In practice, ADC seems to be reusing the internal cached token
until it has 10s of its lifetime left.

Reclient's credential helper is even more extreme: it refreshes
the cached token only **after** it has expired already (meaning
it is impossible to avoid using expired tokens when working with
reclient credential helper, this will need to be fixed separately).

To make using such token providers less painful, do following
changes:
  1. Relax timings on how in advance we want tokens to be
     refreshed (2 min => 10 sec, plus few more).
  2. Convert "token wasn't actually refreshed" situation from
     an error into a warning. Keep using the token, even though
     it might be 1ms away from expiry (YOLO style).

(1) may result in auth errors in case RPC calls are getting stuck
for more than 10s before reaching the backend. But somehow ADC is
using this 10s value, so probably it is fine in practice.

R=iannucci@chromium.org
BUG=b/414989137

Change-Id: I0eb5826cea1dbbc82a4ba5a60f8365218a55b46c
Reviewed-on: https://chromium-review.googlesource.com/c/infra/luci/luci-go/+/6533623
Reviewed-by: Robbie Iannucci <iannucci@google.com>
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>