[Credential Cache Pr 3/3] Standardize refresh window configuration across all credential providers#7053
Open
alextwoods wants to merge 2 commits into
Open
Conversation
Standardize staleTime/prefetchTime defaults and add builder configuration across all credential providers: InstanceProfileCredentialsProvider: - Change default staleTime from 1 second to 1 minute - Change prefetchTime from max(timeUntilExpiry/2, 5min) to flat 5 minutes before expiry - Add prefetchTime(Duration) builder method - Add staleTime <= prefetchTime validation ContainerCredentialsProvider: - Change prefetchTime from min(1hr, 15min-before-expiry) to flat 5 minutes before expiry - Add staleTime(Duration) and prefetchTime(Duration) builder methods - Add staleTime <= prefetchTime validation ProcessCredentialsProvider: - Add staleTime(Duration) and prefetchTime(Duration) builder methods - Change default staleTime from 0 (at expiration) to 1 minute - Change default prefetchTime from 15 seconds to 5 minutes - Deprecate credentialRefreshThreshold (now sets prefetchTime) - Add staleTime <= prefetchTime validation WebIdentityTokenFileCredentialsProvider: - Add staleTime(Duration) and prefetchTime(Duration) builder methods (pass-through to underlying STS provider) StsCredentialsProvider / SsoCredentialsProvider / LoginCredentialsProvider: - Add staleTime <= prefetchTime validation - Update Javadoc for staleTime, prefetchTime, and asyncCredentialUpdateEnabled to use consistent terminology (mandatory refresh window / advisory refresh window) HttpCredentialsProvider: - Update asyncCredentialUpdateEnabled Javadoc for clarity All providers now use consistent defaults: - staleTime: 1 minute (mandatory/blocking refresh window) - prefetchTime: 5 minutes (advisory/proactive refresh window)
S-Saranya1
reviewed
Jun 23, 2026
| * provider will block all callers until a refresh attempt completes. If the refresh attempt fails, the provider | ||
| * returns the cached credentials and will not attempt another refresh until a backoff period has elapsed. | ||
| * | ||
| * <p>This value must be less than {@link #prefetchTime(Duration)}. |
Contributor
There was a problem hiding this comment.
nit: Should this be less than or equal to right? looks like the validation allows equality and the error message also says "less than or equal to"
Contributor
Author
There was a problem hiding this comment.
Ah good call out! It was a later decision to allow <=, which gives users effectively a way of disabling the prefetch - I'll updated docs.
| private static final JsonNodeParser PARSER = JsonNodeParser.builder() | ||
| .removeErrorLocations(true) | ||
| .build(); | ||
| private static final Duration DEFAULT_STALE_TIME = Duration.ofMinutes(1); |
Contributor
There was a problem hiding this comment.
I have missed the discussion here, just to double check - so we decided to change the Process staleTime default from 0 to 1 even though process doesnt use static stability ?
Contributor
Author
There was a problem hiding this comment.
Yeah - the decision was based on making it consistent with other SDKs/providers and mitigating the risk of using expired (ie, when the stale time is 0, you can start signing a request before the credentials expire, but by the time the request has been signed, sent and processed the credentials are expired)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR merges to feature/master/credential_cache, NOT to master
[Credential Cache Pr 3/3].
Standardize refresh window configuration across all credential providers
Motivation and Context
This is part 3 of 3 implementing the Credential Refresh Behavior spec. With static stability enabled (PRs 1-2), this PR standardizes the refresh timing defaults and adds consistent builder configuration across all credential providers.
The SEP mandates 1-minute mandatory (stale) and 5-minute advisory (prefetch) refresh windows. Several providers previously used different values (IMDS: 1s stale; Container: 15min prefetch; Process: 15s prefetch). This PR aligns them all and exposes
staleTime(Duration)/prefetchTime(Duration)builder methods for customer override.PR chain: PR 1: CachedSupplier ALLOW engine → PR 2: Enable static stability for STS, Container, SSO, and Login credential providers → PR3 (this)
Depends on: #7028 and #7031
Modifications
InstanceProfileCredentialsProvider: Changed default staleTime from 1 second to 1 minute. Changed prefetchTime frommax(timeUntilExpiry/2, 5min)to flat 5 minutes before expiry. AddedprefetchTime(Duration)builder method. AddedstaleTime <= prefetchTimevalidation.ContainerCredentialsProvider: Changed prefetchTime frommin(1hr, 15min-before-expiry)to flat 5 minutes before expiry. AddedstaleTime(Duration)andprefetchTime(Duration)builder methods. Added validation.ProcessCredentialsProvider: AddedstaleTime(Duration)andprefetchTime(Duration)builder methods. Changed default staleTime from 0 (at-expiration) to 1 minute. Changed default prefetchTime from 15 seconds to 5 minutes. DeprecatedcredentialRefreshThreshold(it now sets prefetchTime under the hood for backward compatibility). Added validation.WebIdentityTokenFileCredentialsProvider: AddedstaleTime(Duration)andprefetchTime(Duration)builder methods that pass through to the underlying STS provider.StsCredentialsProvider/SsoCredentialsProvider/LoginCredentialsProvider: AddedstaleTime <= prefetchTimevalidation at construction. Updated Javadoc forstaleTime,prefetchTime, andasyncCredentialUpdateEnabledto use consistent terminology (mandatory refresh window / advisory refresh window).HttpCredentialsProvider: UpdatedasyncCredentialUpdateEnabledJavadoc for clarity.Tests: Updated IMDS timing tests for new defaults, added Process provider timing tests, updated WebIdentity factory test for new builder params.
Testing
New and existing tests.
Types of changes
Checklist
mvn installsucceedsscripts/new-changescript and following the instructions. Commit the new file created by the script in.changes/next-releasewith your changes.License