Summary
Concurrent calls into Credentials.getAccessTokenHeader() can trigger multiple simultaneous token refresh requests when no cached token is available (or token is expired).
Impact
This creates a thundering herd against the token issuer and can cause unnecessary rate limiting or quota consumption.
Expected
Concurrent callers should await the same in-flight refresh promise so only one token exchange request is sent.
Proposed Fix
Add an internal refresh lock/promise cache (e.g., refreshPromise) and reuse it across concurrent callers.
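
The proposed fix, sketched as an added example (not the library's own code): the `Credentials` class shape, the injected `fetchToken` function and the `skewMs` margin are assumptions; only `getAccessTokenHeader()` and `refreshPromise` come from the issue. It goes slightly beyond the issue text by clearing the shared promise on failure as well, so a failed exchange is not cached and the next caller retries.

```javascript
// Single-flight token refresh: concurrent callers share one in-flight exchange.
class Credentials {
  constructor(fetchToken, skewMs = 30000) {
    this.fetchToken = fetchToken; // assumed: async () => ({ token, expiresAt })
    this.skewMs = skewMs;         // assumed: refresh slightly before expiry
    this.cached = null;
    this.refreshPromise = null;   // in-flight refresh shared by all callers
  }

  async getAccessTokenHeader() {
    const c = this.cached;
    if (c && c.expiresAt - this.skewMs > Date.now()) {
      return `Bearer ${c.token}`;
    }
    if (!this.refreshPromise) {
      // Assigned synchronously, before any await, so callers arriving in the
      // same tick see it and do not start a second exchange.
      this.refreshPromise = Promise.resolve()
        .then(() => this.fetchToken())
        .then((t) => { this.cached = t; return t; })
        // Clear on success and on failure, so an error is never cached.
        .finally(() => { this.refreshPromise = null; });
    }
    const t = await this.refreshPromise;
    return `Bearer ${t.token}`;
  }
}

// Constructed demo: a fake issuer that counts exchanges and fails the first.
async function demo() {
  let calls = 0;
  const issuer = async () => {
    calls += 1;
    await new Promise((resolve) => setTimeout(resolve, 10));
    if (calls === 1) throw new Error("issuer unavailable");
    return { token: `tok-${calls}`, expiresAt: Date.now() + 3600000 };
  };
  const creds = new Credentials(issuer);
  const burst = () => Promise.allSettled(
    Array.from({ length: 20 }, () => creds.getAccessTokenHeader()));
  const first = await burst();          // 20 callers share one failed exchange
  const callsAfterFirst = calls;
  const second = await burst();         // failure not cached: exactly one retry
  const third = await creds.getAccessTokenHeader(); // served from cache
  return { first, second, third, callsAfterFirst, calls };
}
```

Counting issuer calls per burst, as `demo()` does, is also a practical regression test for this bug.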