fix: do not exceed lifetime of access token in cache

pvbouwel · pvbouwel · commit e2c288570ae4 · 2026-03-31T08:03:03.000+02:00
diff --git a/openeo_driver/util/auth.py b/openeo_driver/util/auth.py
@@ -6,7 +6,12 @@
 from typing import Mapping, NamedTuple, Optional, Union
 
 import requests
-from openeo.rest.auth.oidc import OidcClientCredentialsAuthenticator, OidcClientInfo, OidcProviderInfo
+from openeo.rest.auth.oidc import (
+    OidcClientCredentialsAuthenticator,
+    OidcClientInfo,
+    OidcProviderInfo,
+    AccessTokenResult,
+)
 from openeo.util import str_truncate
 
 _log = logging.getLogger(__name__)
@@ -116,18 +121,25 @@ def setup_credentials(self, credentials: ClientCredentials) -> None:
             client_info=client_info, requests_session=self._session
         )
 
-    def _get_access_token(self) -> str:
+    def _get_access_token(self) -> AccessTokenResult:
         """Get an access token using the configured authenticator."""
         if not self._authenticator:
             raise RuntimeError("No authentication set up")
         _log.debug(f"{self.__class__.__name__} getting access token")
-        tokens = self._authenticator.get_tokens()
-        return tokens.access_token
+        access_token_response = self._authenticator.get_tokens()
+        return access_token_response
 
     def get_access_token(self) -> str:
         """Get an access token using the configured authenticator."""
         if time.time() > self._cache.expires_at:
-            access_token = self._get_access_token()
-            # TODO: get expiry from access token itself?
-            self._cache = _AccessTokenCache(access_token, time.time() + self._default_ttl)
+            access_token_response = self._get_access_token()
+            access_token = access_token_response.access_token
+            self._cache = _AccessTokenCache(access_token, self._get_access_token_expiry_time(access_token_response))
         return self._cache.access_token
+
+    def _get_access_token_expiry_time(self, access_token_response: AccessTokenResult) -> float:
+        if access_token_response.expires_in is None:
+            return time.time() + self._default_ttl
+        else:
+            # Expire the cache entry before the entry actually expires
+            return time.time() + access_token_response.expires_in * 0.90
