Description
Access tokens generated via the service account key flow may expire during the time from validating the token's expiration time until it reaches the upstream systems validating the token.
Steps to reproduce
Due to the hard-coded default token lifetime of 10 minutes (and no way to access it from SDK external code to wait an accurate amount of time), this is hard to reproduce in a code sample.
We have reconstructed this behavior as the most likely cause from user reports and internal logs.
Please get in touch with me if you need further insights.
Actual behavior
If an access token is about to expire but still used for an upstream request, authentication systems may respond with an unexpected 401 Unauthorized response:
{"status":401,"message":"Unauthenticated token"}
Expected behavior
SDK should refresh access tokens early if they are almost expired to prevent such issues.
Environment
- OS: macOS 15.4.1
- Go version (see go version): 1.24.2
- Version of the STACKIT Go SDK: v0.16.2
$ cat go.mod | grep "stackit"
github.com/stackitcloud/stackit-sdk-go/core v0.16.2
github.com/stackitcloud/stackit-sdk-go/services/cdn v0.3.0
github.com/stackitcloud/stackit-sdk-go/services/resourcemanager v0.12.0
github.com/stackitcloud/stackit-sdk-go/services/dns v0.12.1
github.com/stackitcloud/stackit-sdk-go/services/postgresflex v0.17.0
Additional information
It is in general good practice to have some leeway when working with timestamps in access tokens, especially to compensate for the common scenario of clock skew between client/server systems.
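An expiry check with leeway of the kind requested above, as an added example that is not code from the STACKIT Go SDK or from the issue author. The helper names `expiryOf`, `needsRefresh` and `sampleToken`, the 5-second leeway and the unsigned sample token are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// expiryOf (hypothetical helper) reads exp from a JWT payload without verifying
// the signature: enough for a client-side refresh decision, not for validation.
func expiryOf(jwt string) (time.Time, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, err
	}
	var claims struct{ Exp *float64 `json:"exp"` }
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == nil {
		return time.Time{}, errors.New("missing or invalid exp claim")
	}
	return time.Unix(int64(*claims.Exp), 0), nil
}

// needsRefresh reports whether the token expires within leeway of now.
// A token that cannot be parsed is treated as expired (fail closed).
func needsRefresh(jwt string, now time.Time, leeway time.Duration) bool {
	exp, err := expiryOf(jwt)
	return err != nil || !now.Add(leeway).Before(exp)
}

// sampleToken builds a constructed, unsigned token carrying only an exp claim.
func sampleToken(exp time.Time) string {
	enc := base64.RawURLEncoding.EncodeToString
	body := fmt.Sprintf(`{"exp":%d}`, exp.Unix())
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(body)) + ".constructed"
}

func main() {
	now := time.Now()
	tok := sampleToken(now.Add(3 * time.Second)) // about 3s of lifetime left
	// Without leeway the token is reused; with 5s leeway it is refreshed first.
	fmt.Println(needsRefresh(tok, now, 0), needsRefresh(tok, now, 5*time.Second))
}
```

The leeway has to cover both the request's travel time and the expected clock skew between client and server, so that a token judged valid locally is still valid when the upstream system checks it.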