preemptExpirtyTime incorrectly be used for TimeToLive calculations

[michael-proctor]

aws-sdk-net/sdk/src/Core/Amazon.Runtime/Credentials/RefreshingAWSCredentials.cs

Line 77 in dd98e2c

return exp - now + preemptExpiryTime;

C#
return exp - now + preemptExpiryTime;
is meant to calculate the remaining time-to-live (TTL) for credentials, but if the intention is to reduce the TTL by a "preempt" period (to refresh credentials before they actually expire), you should subtract preemptExpiryTime, not add it.

Why Adding Is Incorrect
Adding preemptExpiryTime actually increases the TTL, meaning your credentials might be used past their intended expiration window, risking authentication errors.

Example Scenario
Suppose:

exp = 100 (expiration time in seconds since epoch)
now = 90 (current time in seconds since epoch)
preemptExpiryTime = 5 (preemptive buffer in seconds)

Current Code:

C#
return exp - now + preemptExpiryTime; // 100 - 90 + 5 = 15

Interpretation:
The credentials will be considered valid for 15 more seconds.

Intended Behavior (Should Subtract):

C#
return exp - now - preemptExpiryTime; // 100 - 90 - 5 = 5
Interpretation:
The credentials will be considered valid for only 5 more seconds, ensuring they are refreshed 5 seconds before actual expiration.

Why This Matters
By adding preemptExpiryTime, you risk using credentials past their safe window, potentially causing failures in authentication. By subtracting, you ensure credentials are refreshed early, avoiding issues due to clock drift or network delays.

Corrected Code
C#
return exp - now - preemptExpiryTime;

Summary:
You should subtract preemptExpiryTime to get a reduced TTL for early refresh, not add it. Adding increases the TTL and risks late refreshes.

[GarrettBeatty]

adding some of my analysis on this

• exp = 100 (expiration time, seconds since epoch)
• now = varies (simulate time ticking)
• PreemptExpiryTime = 10 (seconds)

---

Proposed Logic: ttl = exp - now - PreemptExpiryTime

now	Calculation	ttl	Is ttl < PreemptExpiryTime?	Behavior
85	100 - 85 - 10	5	5 < 10 → Yes	Background refresh
90	100 - 90 - 10	0	0 < 10 → Yes	Background refresh
95	100 - 95 - 10	-5	-5 < 10 → Yes	Synchronous refresh
100	100 - 100 - 10	-10	-10 < 10 → Yes	Synchronous refresh

---

Current Logic: ttl = exp - now + PreemptExpiryTime

now	Calculation	ttl	Is ttl < PreemptExpiryTime?	Behavior
85	100 - 85 + 10	25	25 < 10 → No	No refresh
90	100 - 90 + 10	20	20 < 10 → No	No refresh
95	100 - 95 + 10	15	15 < 10 → No	No refresh
100	100 - 100 + 10	10	10 < 10 → No	No refresh
105	100 - 105 + 10	5	5 < 10 → Yes	Background refresh
110	100 - 110 + 10	0	0 < 10 → Yes	Background refresh
115	100 - 115 + 10	-5	-5 < 10 → Yes	Synchronous refresh

---

[GarrettBeatty]

possibly related to #3873

[attilah]

I agree that the calculation of TTL is a contributor to #3873 and since it's P1 for 3 weeks, @normj could you weigh in please? :-)

[santhoshreddy789]

Please provide the latest update on this P1 issue, or the expected release timeline for the new version that includes the fix.

[dscpinheiro]

We received another report so we decided to revert the change made to RefreshingAWSCredentials in V4, and now it matches the existing V3 behavior (i.e. without a GetTimeToLive method). This was included in today's release: https://github.com/aws/aws-sdk-net/releases/tag/4.0.103.0

I do think the background refresh makes sense, so I'll create a separate issue to make sure we reintroduce that feature correctly (#4024).