feat(sdk): Add background token auto-renewal#1859
Merged
Merged
Conversation
Keystone token-exchange (`reauth`) preserves the original token's expires_at by design, so it can't extend session lifetime. Real renewal requires a full non-interactive re-auth (credential replay) via `authorize_with_auth_helper`, single-flighted with the existing 401-retry path through `reauth_lock`. - AsyncOpenStack::enable_auto_renew spawns a task holding only a Weak<SessionContext>, self-terminating once the last client for that session is dropped; RenewHandle aborts it on Drop as an explicit stop. - authorize_with_auth_helper's catalog processing wipes all discovered endpoint versions on every re-auth (a rescope may land on a different project_id). Renewal keeps the same scope, so Catalog::discovered_service_types() snapshots what was discovered beforehand and enable_auto_renew re-discovers it after a successful renewal instead of silently losing it. - openstack_tui/cloud_worker.rs: spawn enable_auto_renew(60s margin) on connect, dropping/replacing the handle on reconnect; drop the old reactive per-request expiry check now that renewal is proactive (interactive/MFA clouds still fall back to the 401 -> TuiAuthHelper prompt path, since background renewal is non-interactive-only). Closes: #1218 Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Keystone token-exchange (
reauth) preserves the original token'sexpires_at by design, so it can't extend session lifetime. Real
renewal requires a full non-interactive re-auth (credential replay)
via
authorize_with_auth_helper, single-flighted with the existing401-retry path through
reauth_lock.Weak, self-terminating once the last client for
that session is dropped; RenewHandle aborts it on Drop as an
explicit stop.
discovered endpoint versions on every re-auth (a rescope may land
on a different project_id). Renewal keeps the same scope, so
Catalog::discovered_service_types() snapshots what was discovered
beforehand and enable_auto_renew re-discovers it after a
successful renewal instead of silently losing it.
on connect, dropping/replacing the handle on reconnect; drop the
old reactive per-request expiry check now that renewal is
proactive (interactive/MFA clouds still fall back to the 401 ->
TuiAuthHelper prompt path, since background renewal is
non-interactive-only).
Closes: #1218
Signed-off-by: Artem Goncharov artem.goncharov@gmail.com