feat(rest): implement OAuth2 token auto-refresh for REST catalog #646
lishuxu wants to merge 12 commits into
| /// (a single HTTP POST to refresh a token), so one thread is sufficient. | ||
| /// | ||
| /// Thread safety: All public methods are thread-safe. | ||
| class ICEBERG_REST_EXPORT TokenRefreshScheduler { |
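Review bot: the doc comment on `TokenRefreshScheduler` states that all public methods are thread-safe, but it does not say what happens to a refresh callback that is already running when its task is cancelled or the scheduler is shut down. Please document whether cancellation waits for an in-flight callback, and state the request timeout assumed behind "a single HTTP POST to refresh a token", since the "one thread is sufficient" claim depends on that bound.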
@HuaHuaY is working on adding a thread pool abstraction and it would be good to reuse that once available. The main issue of the current design is that only a single thread is working on token refresh and a slow request would starve all other tasks.
Makes sense. Added a TODO referencing this discussion to migrate to the shared thread pool once it lands. Agreed the single-thread design can let a slow request starve other refreshes; will switch over in a follow-up.
| props.mutable_configs().insert_or_assign(key, value); | ||
| } | ||
|
|
||
| auto result = FetchToken(client_, *empty_session, props); |
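Review bot: at `auto result = FetchToken(client_, *empty_session, props);` the handling of a failed `result` is not visible in this hunk. A failed refresh should leave the current token in place rather than clearing it, and any log line for the failure should exclude the values copied into `props` by `insert_or_assign(key, value)`, since those may include the client credential. A check that `empty_session` is non-null before the dereference is also not visible here.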
Java refreshes through token exchange by default and only falls back to client credentials in specific cases. This path always uses client_credentials and ignores token-exchange-enabled, which breaks parity for exchange-based refresh.
Good catch. This path always uses client_credentials and ignores token-exchange-enabled, unlike Java which refreshes via token exchange by default. I'll address this in a dedicated follow-up PR (exchange request builder + refresh flow rework), and link it here. Keeping this PR scoped to client_credentials auto-refresh.
| config.optional_oauth_params(), client); | ||
| } | ||
|
|
||
| // If token is provided, use it directly. |
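Review bot: the comment `// If token is provided, use it directly.` does not state the precedence when both a token and a credential are configured, nor whether a token used directly is ever refreshed. Please spell out which setting wins on this path and what bounds the lifetime of the resulting session, so callers can tell when a configured token will stop working.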
Java wraps configured access tokens in fromAccessToken() so expiring tokens can be refreshed. Returning a static session here means JWT or token-expires-in-ms based tokens never refresh.
Agreed. This is tightly coupled to the token-exchange work (a configured token has no credential, so Java refreshes it via exchange), so I'll bundle it into the same follow-up PR: add token-expires-in-ms, populate expires_at_millis_, and wrap configured tokens in a refreshable session. Will link the PR here.
Replace the MakeOAuth2 stub with a full OAuth2AuthSession that
automatically refreshes tokens before expiration using the
client_credentials grant.
Key components:
- OAuth2AuthSession: manages token lifecycle with shared_mutex for
concurrent read access and background refresh via scheduler
- TokenRefreshScheduler: process-global singleton with a single worker
thread that fires delayed refresh callbacks
- ExpiresAtMillis: JWT exp claim parser for determining token expiry
when expires_in is not provided in the token response
- Base64Decode/Base64UrlDecode added to TransformUtil as public utilities
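The commit message describes ExpiresAtMillis as a JWT exp claim parser, built on base64url decoding, for the case where the token response carries no expires_in. The sketch below is an added illustration and is not code from this PR or the Iceberg project: the `...Example` function names and the sample token are constructed here, and a simplified string scan stands in for a JSON parser.

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <string_view>

// Constructed sample: payload segment is base64url of {"exp":1700000000}.
constexpr std::string_view kSampleJwt =
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MDAwMDAwMDB9.c2ln";

// Decode unpadded base64url (RFC 4648 section 5); nullopt on bad input.
std::optional<std::string> Base64UrlDecodeExample(std::string_view in) {
  static constexpr std::string_view kAlphabet =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
  if (in.size() % 4 == 1) return std::nullopt;  // impossible length
  std::string out;
  uint32_t acc = 0, bits = 0;
  for (char c : in) {
    const auto v = kAlphabet.find(c);
    if (v == std::string_view::npos) return std::nullopt;  // '+', '/', '=' rejected
    acc = (acc << 6) | static_cast<uint32_t>(v);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push_back(static_cast<char>((acc >> bits) & 0xFF));
    }
  }
  return out;
}

// Expiry in epoch ms from the JWT "exp" claim (seconds, RFC 7519); nullopt for
// opaque tokens or a bad claim. Unverified payload: a scheduling hint only.
std::optional<int64_t> ExpiresAtMillisExample(std::string_view token) {
  const auto d1 = token.find('.');
  const auto d2 = d1 == std::string_view::npos ? d1 : token.find('.', d1 + 1);
  if (d2 == std::string_view::npos) return std::nullopt;
  const auto payload = Base64UrlDecodeExample(token.substr(d1 + 1, d2 - d1 - 1));
  if (!payload) return std::nullopt;
  // Simplified scan for a numeric "exp"; production code should use a JSON parser.
  auto i = payload->find("\"exp\"");
  if (i == std::string::npos) return std::nullopt;
  i = payload->find_first_not_of(" \t", i + 5);
  if (i == std::string::npos || (*payload)[i] != ':') return std::nullopt;
  i = payload->find_first_not_of(" \t", i + 1);
  if (i == std::string::npos) return std::nullopt;
  const auto end = payload->find_first_not_of("0123456789", i);
  const std::string digits = payload->substr(i, end - i);
  if (digits.empty() || digits.size() > 15) return std::nullopt;  // no overflow
  return std::stoll(digits) * 1000;
}
```

Because the client reads `exp` without checking the signature, the result is suitable only for deciding when to schedule a refresh; the server remains the authority on whether the token is still valid.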