Skip to content

feat(sdk): Add background token auto-renewal#1859

Merged
gtema merged 1 commit into
mainfrom
auth_reauth
Jul 14, 2026
Merged

feat(sdk): Add background token auto-renewal#1859
gtema merged 1 commit into
mainfrom
auth_reauth

Conversation

@gtema

@gtema gtema commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Keystone token-exchange (reauth) preserves the original token's
expires_at by design, so it can't extend session lifetime. Real
renewal requires a full non-interactive re-auth (credential replay)
via authorize_with_auth_helper, single-flighted with the existing
401-retry path through reauth_lock.

  • AsyncOpenStack::enable_auto_renew spawns a task holding only a
    Weak, self-terminating once the last client for
    that session is dropped; RenewHandle aborts it on Drop as an
    explicit stop.
  • authorize_with_auth_helper's catalog processing wipes all
    discovered endpoint versions on every re-auth (a rescope may land
    on a different project_id). Renewal keeps the same scope, so
    Catalog::discovered_service_types() snapshots what was discovered
    beforehand and enable_auto_renew re-discovers it after a
    successful renewal instead of silently losing it.
  • openstack_tui/cloud_worker.rs: spawn enable_auto_renew(60s margin)
    on connect, dropping/replacing the handle on reconnect; drop the
    old reactive per-request expiry check now that renewal is
    proactive (interactive/MFA clouds still fall back to the 401 ->
    TuiAuthHelper prompt path, since background renewal is
    non-interactive-only).

Closes: #1218
Signed-off-by: Artem Goncharov artem.goncharov@gmail.com

Keystone token-exchange (`reauth`) preserves the original token's
expires_at by design, so it can't extend session lifetime. Real
renewal requires a full non-interactive re-auth (credential replay)
via `authorize_with_auth_helper`, single-flighted with the existing
401-retry path through `reauth_lock`.

- AsyncOpenStack::enable_auto_renew spawns a task holding only a
  Weak<SessionContext>, self-terminating once the last client for
  that session is dropped; RenewHandle aborts it on Drop as an
  explicit stop.
- authorize_with_auth_helper's catalog processing wipes all
  discovered endpoint versions on every re-auth (a rescope may land
  on a different project_id). Renewal keeps the same scope, so
  Catalog::discovered_service_types() snapshots what was discovered
  beforehand and enable_auto_renew re-discovers it after a
  successful renewal instead of silently losing it.
- openstack_tui/cloud_worker.rs: spawn enable_auto_renew(60s margin)
  on connect, dropping/replacing the handle on reconnect; drop the
  old reactive per-request expiry check now that renewal is
  proactive (interactive/MFA clouds still fall back to the 401 ->
  TuiAuthHelper prompt path, since background renewal is
  non-interactive-only).

Closes: #1218
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
@gtema
gtema merged commit 5fc1d5d into main Jul 14, 2026
20 checks passed
@gtema-release-plz gtema-release-plz Bot mentioned this pull request Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Long living processes + autorenew of token

1 participant