[Credentials Cache PR4]Add dynamic advisory refresh window and update prefetch behavior#7093
Merged
alextwoods merged 2 commits intoJul 2, 2026
Conversation
5816169 to
d16468a
Compare
…ure stale time Implement two changes from the updated cross-SDK credential refresh spec: 1. Dynamic advisory refresh window: When the user has NOT explicitly configured a prefetchTime, compute the advisory window dynamically based on the credential's remaining lifetime: - remaining < 20 min -> 5 min window - 20 min <= remaining < 90 min -> 15 min window - remaining >= 90 min -> 60 min window This is recomputed on each successful refresh. If the user HAS explicitly configured a value, it is always honored unchanged. 2. Prefetch failure stale time preservation: When a credential refresh fails during the advisory (prefetch) window, extend the prefetch time by backoff but preserve the existing stale time if it is later than the new prefetch time. Previously both were set to the same backoff value, which could move the mandatory refresh boundary closer than intended. Affected providers: STS (all), IMDS, Container, SSO, Login, Process. New utility: CacheRefreshUtils.computeDynamicPrefetchWindow()
d16468a to
64d7385
Compare
dagnir
reviewed
Jul 1, 2026
| return expiration.minus(prefetchTime); | ||
|
|
||
| Instant now = Instant.now(); | ||
| Duration effectivePrefetchWindow = prefetchTimeExplicitlySet |
Contributor
There was a problem hiding this comment.
I was going to suggest FieldWithDefault but I didn't realize it's internal to s3 😅
Given how many places this occurs, would it make sense to add a version of this class to utils?
Contributor
Author
There was a problem hiding this comment.
I've actually cleaned this up a slightly diffrent way - since there isn't actually a default here, its more - use the value if set, otherwise compute it from the expiration. We now just check if the prefetchTime is null (ie, unset) and if so, compute the value from the expiration.
dagnir
approved these changes
Jul 2, 2026
164430b
into
feature/master/credential_cache
3 of 4 checks passed
|
This pull request has been closed and the conversation has been locked. Comments on closed PRs are hard for our team to see. If you need more assistance, please open a new issue that references this one. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR merges to feature/master/credential_cache, NOT to master
[Credential Cache Pr 4].
Updates based on updates to cross-sdk spec
Modifications
Dynamic advisory refresh window: When the user has NOT explicitly configured a prefetchTime, compute the advisory window dynamically based on the credential's remaining lifetime:
Prefetch failure stale time preservation: When a credential refresh fails during the advisory (prefetch) window, extend the prefetch time by backoff but preserve the existing stale time if it is later than the new prefetch time. Previously both were set to the same backoff value, which could move the mandatory refresh boundary closer than intended.
Treat failures to read the cached token from disk as invalidating/terminal failures and skip static stability on refresh (ie, immediately raise the error prompting user to re-authenticate).
Testing
New and existing tests.
Screenshots (if appropriate)
Types of changes
Checklist
mvn installsucceedsscripts/new-changescript and following the instructions. Commit the new file created by the script in.changes/next-releasewith your changes.License