Skip to content

Feature/master/credential cache#7109

Open
alextwoods wants to merge 4 commits into
masterfrom
feature/master/credential_cache
Open

Feature/master/credential cache#7109
alextwoods wants to merge 4 commits into
masterfrom
feature/master/credential_cache

Conversation

@alextwoods

Copy link
Copy Markdown
Contributor

This PR is the top level feature PR that combines all of the individual Credential Cache PRs

Individual PRs:

Motivation and Context

Modifications

Testing

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

…ross all credential providers (#7053)

* Unify refresh window configuration across credential providers

Standardize staleTime/prefetchTime defaults and add builder
configuration across all credential providers:

InstanceProfileCredentialsProvider:
- Change default staleTime from 1 second to 1 minute
- Change prefetchTime from max(timeUntilExpiry/2, 5min) to flat
  5 minutes before expiry
- Add prefetchTime(Duration) builder method
- Add staleTime <= prefetchTime validation

ContainerCredentialsProvider:
- Change prefetchTime from min(1hr, 15min-before-expiry) to flat
  5 minutes before expiry
- Add staleTime(Duration) and prefetchTime(Duration) builder methods
- Add staleTime <= prefetchTime validation

ProcessCredentialsProvider:
- Add staleTime(Duration) and prefetchTime(Duration) builder methods
- Change default staleTime from 0 (at expiration) to 1 minute
- Change default prefetchTime from 15 seconds to 5 minutes
- Deprecate credentialRefreshThreshold (now sets prefetchTime)
- Add staleTime <= prefetchTime validation

WebIdentityTokenFileCredentialsProvider:
- Add staleTime(Duration) and prefetchTime(Duration) builder methods
  (pass-through to underlying STS provider)

StsCredentialsProvider / SsoCredentialsProvider / LoginCredentialsProvider:
- Add staleTime <= prefetchTime validation
- Update Javadoc for staleTime, prefetchTime, and
  asyncCredentialUpdateEnabled to use consistent terminology
  (mandatory refresh window / advisory refresh window)

HttpCredentialsProvider:
- Update asyncCredentialUpdateEnabled Javadoc for clarity

All providers now use consistent defaults:
- staleTime: 1 minute (mandatory/blocking refresh window)
- prefetchTime: 5 minutes (advisory/proactive refresh window)

* Update docs to match validator
… prefetch behavior (#7093)

Add dynamic advisory refresh window and fix prefetch failure stale time

Implement two changes from the updated cross-SDK credential refresh spec:

1. Dynamic advisory refresh window: When the user has NOT explicitly
   configured a prefetchTime, compute the advisory window dynamically
   based on the credential's remaining lifetime:
   - remaining < 20 min -> 5 min window
   - 20 min <= remaining < 90 min -> 15 min window
   - remaining >= 90 min -> 60 min window
   This is recomputed on each successful refresh. If the user HAS
   explicitly configured a value, it is always honored unchanged.

2. Prefetch failure stale time preservation: When a credential refresh
   fails during the advisory (prefetch) window, extend the prefetch
   time by backoff but preserve the existing stale time if it is later
   than the new prefetch time. Previously both were set to the same
   backoff value, which could move the mandatory refresh boundary
   closer than intended.

Affected providers: STS (all), IMDS, Container, SSO, Login, Process.
New utility: CacheRefreshUtils.computeDynamicPrefetchWindow()

* Update approach to dynamic prefetch window
@alextwoods alextwoods marked this pull request as ready for review July 8, 2026 21:13
@alextwoods alextwoods requested a review from a team as a code owner July 8, 2026 21:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant