fix: adjust IAM token expiration time (#221)

This commit changes the IAM, Container and VPC Instance authenticators slightly so that an IAM access token will be viewed as "expired" when the current time is within 10 seconds of the official expiration time. IOW, we'll expire the access token 10 secs earlier than the IAM server-computed expiration time. We're doing this to avoid a scenario where an IBM Cloud service receives a request along with an "almost expired" access token and then uses that token to perform downstream requests in a somewhat longer-running transaction and then the access token expires while that transaction is still active. Signed-off-by: Phil Adams <phil_adams@us.ibm.com>

Author: padamstx

src/main/java/com/ibm/cloud/sdk/core/security/IamToken.java

@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2015, 2021.
+ * (C) Copyright IBM Corp. 2015, 2024.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ -22,6 +22,10 @@
  */
 public class IamToken extends AbstractToken implements ObjectModel, TokenServerResponse {
 
+ // The number of seconds before the IAM server-assigned (official) expiration time
+ // when we'll treat an otherwise valid access token as "expired".
+ public static final long IamExpirationWindow = 10L;
+
  // These fields are obtained from the IAM token service "getToken" operation response body.
  @SerializedName("access_token")
  private String accessToken;
@@ -79,6 +83,10 @@ public Long getExpiration() {
  return expiration;
  }
 
+ public Long getRefreshTime() {
+ return refreshTime;
+ }
+
  /**
  * Returns true iff currently stored access token should be refreshed.
  *
@@ -119,11 +127,18 @@ public synchronized boolean needsRefresh() {
  * Check if the currently stored access token is valid. This is different from the needsRefresh method in that it
  * uses the actual TTL to calculate the expiration, rather than just a fraction.
  *
- * @return true iff is the current access token is not expired
+ * @return true iff the current access token is valid and not expired
  */
  @Override
  public boolean isTokenValid() {
  return this.getException() == null
- && (this.expiration == null || Clock.getCurrentTimeInSeconds() < this.expiration);
+ && (this.expiration == null || Clock.getCurrentTimeInSeconds() < (this.expiration - IamExpirationWindow));
+ }
+
+ public String toString() {
+ String s =
+ String.format("IamTokenData: accessToken=%s expiration=%d expiresIn=%d",
+ this.accessToken, this.expiration, this.expiresIn);
+ return s;
  }
 }

src/test/java/com/ibm/cloud/sdk/core/security/VpcInstanceAuthenticatorTest.java

@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2022, 2023.
+ * (C) Copyright IBM Corp. 2022, 2024.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ -453,10 +453,43 @@ public void testAuthenticateNewAndCachedToken() throws Throwable {
 
  @Test
  public void testAuthenticationExpiredToken() throws Throwable {
- // Mock current time to ensure that we're past the token expiration time.
- long mockTime = vpcIamAccessTokenResponse1.getExpiresAt().getTime() / 1000 + 1;
+ // Mock current time to ensure that we're way before the first token's expiration time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
+
+ VpcInstanceAuthenticator authenticator = new VpcInstanceAuthenticator.Builder()
+ .iamProfileId(mockIamProfileId)
+ .url(url)
+ .build();
+
+ Request.Builder requestBuilder = new Request.Builder().url("https://test.com");
+
+ // Set mock server responses.
+ server.enqueue(jsonResponse(vpcInstanceIdentityTokenResponse));
+ server.enqueue(jsonResponse(vpcIamAccessTokenResponse1));
+ server.enqueue(jsonResponse(vpcInstanceIdentityTokenResponse));
+ server.enqueue(jsonResponse(vpcIamAccessTokenResponse2));
+
+ // Calling "authenticate()" the first time should result in a new, valid token.
+ authenticator.authenticate(requestBuilder);
+ verifyAuthHeader(requestBuilder, "Bearer " + vpcIamAccessTokenResponse1.getAccessToken());
+
+ // Mock current time so that we detect the first access token has expired.
+ long mockTime = vpcIamAccessTokenResponse1.getExpiresAt().getTime() / 1000;
  clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(mockTime);
 
+ // Calling "authenticate()" again should result in a new access token
+ // because we should detect that the first one obtained above has expired.
+ authenticator.authenticate(requestBuilder);
+ verifyAuthHeader(requestBuilder, "Bearer " + vpcIamAccessTokenResponse2.getAccessToken());
+ }
+
+ @Test
+ public void testAuthenticationExpiredToken10SecWindow() throws Throwable {
+ // Mock current time to ensure that we're way before the first token's expiration time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
+
  VpcInstanceAuthenticator authenticator = new VpcInstanceAuthenticator.Builder()
  .iamProfileId(mockIamProfileId)
  .url(url)
@@ -474,6 +507,11 @@ public void testAuthenticationExpiredToken() throws Throwable {
  authenticator.authenticate(requestBuilder);
  verifyAuthHeader(requestBuilder, "Bearer " + vpcIamAccessTokenResponse1.getAccessToken());
 
+ // Mock current time so that we detect the first access token has expired.
+ // We subtract 10s from the expiration time to test the boundary condition of the expiration window feature.
+ long mockTime = vpcIamAccessTokenResponse1.getExpiresAt().getTime() / 1000;
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(mockTime - IamToken.IamExpirationWindow);
+
  // Calling "authenticate()" again should result in a new access token
  // because we should detect that the first one obtained above has expired.
  authenticator.authenticate(requestBuilder);

src/test/java/com/ibm/cloud/sdk/core/test/security/ContainerAuthenticatorTest.java

@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2015, 2023.
+ * (C) Copyright IBM Corp. 2015, 2024.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ -251,8 +251,9 @@ public void testConfigCorrectConfig2() {
 
  @Test
  public void testAuthenticateNewAndStoredToken() throws Throwable {
- // Mock current time to ensure that we're way before the token expiration time.
- clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn((long) 100);
+ // Mock current time to ensure that we're way before the first token's expiration time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
 
  ContainerAuthenticator authenticator = new ContainerAuthenticator.Builder()
  .crTokenFilename(mockCRTokenFile)
@@ -311,8 +312,56 @@ public void testAuthenticateNewAndStoredToken() throws Throwable {
 
  @Test
  public void testAuthenticationExpiredToken() throws Throwable {
- // Mock current time to ensure that we've passed the token expiration time.
- clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn((long) 1800000000);
+ // Mock current time to ensure that we're way before the first token's expiration time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
+
+
+ ContainerAuthenticator authenticator = new ContainerAuthenticator.Builder()
+ .crTokenFilename(mockCRTokenFile)
+ .iamProfileId(mockIamProfileId)
+ .url(url)
+ .build();
+
+ Request.Builder requestBuilder = new Request.Builder().url("https://test.com");
+
+ // Set mock server to return first access token.
+ server.enqueue(jsonResponse(tokenData1));
+
+ // This will bootstrap the test by forcing the Authenticator to retrieve the first access token,
+ // which will appear as expired when we call authenticate() the second time below.
+ authenticator.authenticate(requestBuilder);
+
+ // Validate parts of the IAM request that was sent as a result of the authenticate() call above.
+ RecordedRequest tokenServerRequest = server.takeRequest();
+ assertNotNull(tokenServerRequest);
+
+ // Validate the form params included in the request.
+ Map<String, String> formBody = getFormBodyAsMap(tokenServerRequest);
+ assertEquals(formBody.get("cr_token"), mockCRToken);
+ assertEquals(formBody.get("grant_type"), "urn:ibm:params:oauth:grant-type:cr-token");
+ assertEquals(formBody.get("profile_id"), mockIamProfileId);
+ assertFalse(formBody.containsKey("profile_name"));
+ assertFalse(formBody.containsKey("scope"));
+
+ // Now set the mock time to reflect that the first access token ("tokenData1") has expired.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(tokenData1.getExpiration());
+
+ // Set mock server to return second access token.
+ server.enqueue(jsonResponse(tokenData2));
+
+ // Authenticator should detect the expiration and request a
+ // new access token when we call authenticate() again.
+ authenticator.authenticate(requestBuilder);
+ verifyAuthHeader(requestBuilder, "Bearer " + tokenData2.getAccessToken());
+ }
+
+ @Test
+ public void testAuthenticationExpiredToken10SecWindow() throws Throwable {
+ // Mock current time to ensure that we're way before the first token's expiration time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
+
 
  ContainerAuthenticator authenticator = new ContainerAuthenticator.Builder()
  .crTokenFilename(mockCRTokenFile)
@@ -341,6 +390,11 @@ public void testAuthenticationExpiredToken() throws Throwable {
  assertFalse(formBody.containsKey("profile_name"));
  assertFalse(formBody.containsKey("scope"));
 
+ // Now set the mock time to reflect that the first access token ("tokenData") is considered to be "expired".
+ // We subtract 10s from the expiration time to test the boundary condition of the expiration window feature.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(
+ tokenData1.getExpiration() - IamToken.IamExpirationWindow);
+
  // Set mock server to return second access token.
  server.enqueue(jsonResponse(tokenData2));
 
@@ -352,8 +406,9 @@ public void testAuthenticationExpiredToken() throws Throwable {
 
  @Test
  public void testAuthenticationBackgroundTokenRefresh() throws InterruptedException {
- // Mock current time to put us in the "refresh window" where the token is not expired but still needs refreshed.
- clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn((long) 1522788600);
+ // Set initial mock time to be epoch time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
 
  ContainerAuthenticator authenticator = new ContainerAuthenticator.Builder()
  .crTokenFilename(mockCRTokenFile)
@@ -383,13 +438,17 @@ public void testAuthenticationBackgroundTokenRefresh() throws InterruptedExcepti
  assertEquals(formBody.get("profile_id"), mockIamProfileId);
  assertFalse(formBody.containsKey("scope"));
 
- // Set mock server to return second access token.
- server.enqueue(jsonResponse(tokenData2).setBodyDelay(2, TimeUnit.SECONDS));
+ // Now set the mock time to put us in the "refresh window" where the token is not expired,
+ // but still needs to be refreshed.
+ long refreshWindow = (long) (tokenData1.getExpiresIn() * 0.2);
+ long refreshTime = tokenData1.getExpiration() - refreshWindow;
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(refreshTime + 2L);
 
  // Authenticator should detect the need to refresh and request a new access token
  // IN THE BACKGROUND when we call authenticate() again.
  // The immediate response should be the token which was already stored, since it's not yet
  // expired.
+ server.enqueue(jsonResponse(tokenData2).setBodyDelay(2, TimeUnit.SECONDS));
  authenticator.authenticate(requestBuilder);
  verifyAuthHeader(requestBuilder, "Bearer " + tokenData1.getAccessToken());
 

src/test/java/com/ibm/cloud/sdk/core/test/security/IamAuthenticatorTest.java

@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2015, 2023.
+ * (C) Copyright IBM Corp. 2015, 2024.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ -281,8 +281,9 @@ public void testSetScope() {
  public void testAuthenticateNewAndStoredToken() throws Throwable {
  server.enqueue(jsonResponse(tokenData));
 
- // Mock current time to ensure that we're way before the token expiration time.
- clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn((long) 100);
+ // Mock current time to ensure that we're way before the first token's expiration time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
 
  IamAuthenticator authenticator = new IamAuthenticator.Builder()
  .apikey(API_KEY)
@@ -317,6 +318,9 @@ public void testAuthenticateNewAndStoredToken() throws Throwable {
  Headers actualHeaders = tokenServerRequest.getHeaders();
  assertNull(actualHeaders.get(HttpHeaders.AUTHORIZATION));
 
+ // Set mock time to be within tokenData's lifetime, but before the refresh/expiration times.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(tokenData.getExpiration() - 1000L);
+
  // Authenticator should just return the same token this time since we have a valid one stored.
  requestBuilder = new Request.Builder().url("https://test.com");
  authenticator.authenticate(requestBuilder);
@@ -330,17 +334,24 @@ public void testAuthenticateNewAndStoredToken() throws Throwable {
  public void testAuthenticationExpiredToken() {
  server.enqueue(jsonResponse(tokenData));
 
- // Mock current time to ensure that we've passed the token expiration time.
- clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn((long) 1800000000);
+ // Mock current time to ensure that we're way before the first token's expiration time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
 
- IamAuthenticator authenticator = new IamAuthenticator(API_KEY);
- authenticator.setURL(url);
+ IamAuthenticator authenticator = new IamAuthenticator.Builder()
+ .apikey(API_KEY)
+ .url(url)
+ .build();
 
  Request.Builder requestBuilder = new Request.Builder().url("https://test.com");
 
  // This will bootstrap the test by forcing the Authenticator to store the expired token
  // set above in the mock server.
  authenticator.authenticate(requestBuilder);
+ verifyAuthHeader(requestBuilder, "Bearer " + tokenData.getAccessToken());
+
+ // Now set the mock time to reflect that the first access token ("tokenData") has expired.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(tokenData.getExpiration());
 
  // Authenticator should detect the expiration and request a new access token when we call authenticate() again.
  server.enqueue(jsonResponse(refreshedTokenData));
@@ -349,21 +360,59 @@ public void testAuthenticationExpiredToken() {
  }
 
  @Test
- public void testAuthenticationBackgroundTokenRefresh() throws InterruptedException {
+ public void testAuthenticationExpiredToken10SecWindow() {
  server.enqueue(jsonResponse(tokenData));
 
- // Mock current time to put us in the "refresh window" where the token is not expired but still needs refreshed.
- clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn((long) 1522788600);
+ // Set initial mock time to be epoch time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
 
- IamAuthenticator authenticator = new IamAuthenticator.Builder().apikey(API_KEY).build();
- authenticator.setURL(url);
+ IamAuthenticator authenticator = new IamAuthenticator.Builder()
+ .apikey(API_KEY)
+ .url(url)
+ .build();
 
  Request.Builder requestBuilder = new Request.Builder().url("https://test.com");
 
- // This will bootstrap the test by forcing the Authenticator to store the token needing refreshed, which was
+ // This will bootstrap the test by forcing the Authenticator to store the expired token
  // set above in the mock server.
  authenticator.authenticate(requestBuilder);
 
+ // Now set the mock time to reflect that the first access token ("tokenData") is considered to be "expired".
+ // We subtract 10s from the expiration time to test the boundary condition of the expiration window feature.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(
+ tokenData.getExpiration() - IamToken.IamExpirationWindow);
+
+ // Authenticator should detect the expiration and request a new access token when we call authenticate() again.
+ server.enqueue(jsonResponse(refreshedTokenData));
+ authenticator.authenticate(requestBuilder);
+ verifyAuthHeader(requestBuilder, "Bearer " + refreshedTokenData.getAccessToken());
+ }
+
+ @Test
+ public void testAuthenticationBackgroundTokenRefresh() throws InterruptedException {
+ server.enqueue(jsonResponse(tokenData));
+
+ // Set initial mock time to be epoch time.
+ // This is because initially we have no access token at all so we should fetch one regardless of the current time.
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(0L);
+
+ IamAuthenticator authenticator = new IamAuthenticator.Builder()
+ .apikey(API_KEY)
+ .url(url)
+ .build();
+
+ Request.Builder requestBuilder = new Request.Builder().url("https://test.com");
+
+ // This will bootstrap the test by forcing the Authenticator to store the first access token (tokenData).
+ authenticator.authenticate(requestBuilder);
+
+ // Now set the mock time to put us in the "refresh window" where the token is not expired,
+ // but still needs to be refreshed.
+ long refreshWindow = (long) (tokenData.getExpiresIn() * 0.2);
+ long refreshTime = tokenData.getExpiration() - refreshWindow;
+ clockMock.when(() -> Clock.getCurrentTimeInSeconds()).thenReturn(refreshTime + 2L);
+
  // Authenticator should detect the need to refresh and request a new access token IN THE BACKGROUND when we call
  // authenticate() again. The immediate response should be the token which was already stored, since it's not yet
  // expired.
@@ -391,7 +440,11 @@ public void testUserHeaders() throws Throwable {
  headers.put("header1", "value1");
  headers.put("header2", "value2");
  headers.put("Host", "iam.cloud.ibm.com:81");
- IamAuthenticator authenticator = new IamAuthenticator(API_KEY, url, null, null, false, headers);
+ IamAuthenticator authenticator = new IamAuthenticator.Builder()
+ .apikey(API_KEY)
+ .url(url)
+ .headers(headers)
+ .build();
 
  Request.Builder requestBuilder = new Request.Builder().url("https://test.com");
 

src/test/resources/iam_token.json

@@ -3,5 +3,5 @@
  "refresh_token": "00000000",
  "token_type": "Bearer",
  "expires_in": 3600,
- "expiration": 1522788645
+ "expiration": 1600000000
 }

src/test/resources/refreshed_iam_token.json

@@ -3,5 +3,5 @@
  "refresh_token": "00000000",
  "token_type": "Bearer",
  "expires_in": 3600,
- "expiration": 1999999999
+ "expiration": 1600003600
 }