Token refresh on each API request when using UserAccessTokenCredentials

[bzurkowski]

I observed that requests to Google Cloud APIs take much longer when using UserAccessTokenCredentials (documented here) as credentials for client libraries, e.g., Storage library for Python.

Diving into the code, I realized that UserAccessTokenCredentials triggers token refresh (resulting in an additional API request) on each request due to how the before_request method is implemented:

def before_request(self, request, method, url, headers):
    self.refresh(request)
    self.apply(headers)

In comparison, the before_request method in the base class has a mechanism to trigger token refresh only when necessary:

if not self.valid:
    self.refresh(request)

Would it be reasonable to check token validity before request in the UserAccessTokenCredentials strategy?

[arithmetic1728]

I think google.oauth2.credentials.Credentials should be used instead. (In other words, you run gcloud auth application-default login, and let the client lib pick up the application default credentials on its own).

google.oauth2.credentials.UserAccessTokenCredentials simply runs gcloud auth print-access-token to get the token, this class doesn't even cache the token. To check the validity requires sending the token to some token info endpoint, simply checking self.valid won't work. I wouldn't recommend using this credential. google.oauth2.credentials.Credentials is the one I recommend.

[arithmetic1728]

UserAccessTokenCredential was initially added for mTLS feature since at that time user credentials had issues (which is already fixed now). Therefore we want to deprecate UserAccessTokenCredential since it's google-auth specific, and not available in other languages. Users are recommended to use user credentials instead (google.oauth2.credentials.Credentials), which is a generic application default credential type available in all languages. To use it, simply run gcloud auth application-default login and let the client libraries automatically use it.