oidc-token does not renew token before it expires #74

@onnozweers

When a token is about to expire, Ada now throws a nice error, thanks to commit dfa1a05.

But during this minute that Ada refuses to use the token, I can't refresh the token. oidc-token simply does not give me a new token; apparently it assumes a nearly expired token should still be good enough.

SpiderScripts % ada/ada --whoami
Token source: $BEARER_TOKEN
ERROR: Token will expire in 47 seconds. Please use a token that is valid for more than 60 seconds, to ensure Ada can finish the task.

SpiderScripts % export BEARER_TOKEN=$(oidc-token dteam)

SpiderScripts % ada/ada --whoami                       
Token source: $BEARER_TOKEN
ERROR: Token will expire in 27 seconds. Please use a token that is valid for more than 60 seconds, to ensure Ada can finish the task.

# Waited half a minute
SpiderScripts % export BEARER_TOKEN=$(oidc-token dteam)

SpiderScripts % ada/ada --whoami                       
dCache API: https://dcachetest.grid.surfsara.nl:20443/api/v1
dCache version(s): ["11.0.0-SNAPSHOT(f41cd3e)"]
User identity:
{
  "status": "AUTHENTICATED",
.....

So now we have the situation that for one minute, a user can't use Ada.

There is an easy workaround:

oidc-token --force-new

So, what should we do?

  • Enforce the minimum lifetime of 60 seconds only at the start of Ada, and not when the token is reloaded from the tokenfile?
  • Have Ada instruct the user that they should use --force-new?

oidc-token also has this option:

  -t, --time=SECONDS         Minimum number of seconds the access token should
                             be valid

But this doesn't seem to work. My token is always valid for 1 hour, whatever I specify with --time.
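
An added example, not part of the original issue and not code from Ada or oidc-agent: a wrapper can read the `exp` claim of the bearer token itself and request a fresh one whenever the remaining lifetime is at or below Ada's 60-second minimum. It assumes the access token is a JWT; the function names and the sample tokens are constructed for illustration.

```bash
#!/usr/bin/env bash
MIN_LIFETIME=60   # threshold quoted in Ada's error message

# Print the "exp" claim (Unix time) of a JWT; return 1 if it cannot be read.
jwt_exp() {
  local payload exp
  payload=$(printf '%s' "$1" | cut -d. -f2 -s | tr '_-' '/+')
  [ -n "$payload" ] || return 1
  # base64url drops the padding; restore it so base64 -d accepts the input.
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
  exp=$(printf '%s' "$payload" | base64 -d 2>/dev/null |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] || return 1
  printf '%s\n' "$exp"
}

# Seconds until expiry at time $2 (default: now); negative if already expired.
token_seconds_left() {
  local exp now
  exp=$(jwt_exp "$1") || return 1
  now=${2:-$(date +%s)}
  printf '%s\n' $(( exp - now ))
}

# Exit status 0 when the token should be replaced before calling Ada.
needs_refresh() {
  local left
  left=$(token_seconds_left "$1" "$2") || return 0   # unreadable token: replace it
  [ "$left" -le "$MIN_LIFETIME" ]
}

# Constructed, unsigned sample token for the demo (not a real credential).
demo_token() {
  local body
  body=$(printf '{"sub":"demo","exp":%s}' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf 'eyJhbGciOiJub25lIn0.%s.\n' "$body"
}

# Demo on constructed tokens with a fixed clock instead of the real time.
now=1700000000
for left in 47 3600; do
  tok=$(demo_token $(( now + left )))
  if needs_refresh "$tok" "$now"; then
    echo "${left}s left: replace it, e.g. export BEARER_TOKEN=\$(oidc-token --force-new dteam)"
  else
    echo "${left}s left: token is usable"
  fi
done
```

The check only reads the unverified `exp` claim to decide when to refresh; it does not validate the token, which remains the server's job.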
