Skip to content

Allow configurable OAuth expiry margins#861

Merged
hadley merged 4 commits into
r-lib:mainfrom
zacdav-db:agent/oauth-expiry-margin
Jul 10, 2026
Merged

Allow configurable OAuth expiry margins#861
hadley merged 4 commits into
r-lib:mainfrom
zacdav-db:agent/oauth-expiry-margin

Conversation

@zacdav-db

@zacdav-db zacdav-db commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add expiry_margin to the request-based req_oauth_*() helpers.
  • Increase the default OAuth expiry margin from 5 to 30 seconds.
  • Pass the margin through the existing expiry and refresh path, preserving refresh-token behavior.

Motivation

Some resource servers reject tokens shortly before their stated expiry. Databricks, for example, returns HTTP 403 when a token has 30 seconds or less remaining and does not send the RFC 6750 WWW-Authenticate: error="invalid_token" challenge that triggers httr2 automatic reauthentication.

A configurable margin lets clients add provider-specific headroom without inspecting or clearing httr2 private cache state. The 30-second default follows the direction discussed in #860; clients can select a larger value when they need additional clock-skew tolerance.

Fixes #860.

Validation

  • devtools::test(filter = "^oauth"): 116 passed, 1 credential-gated test skipped.
  • devtools::test() with rlang 1.3.0: 1,300 passed, 2 credential-gated tests skipped.
  • CI-generated hash snapshots from run 29094916404 were reviewed and accepted.
  • pkgdown::check_pkgdown(): no problems found locally.
  • devtools::check(): 0 errors, 0 warnings, 1 environment-only note (unable to verify current time).

Zac Davies added 2 commits July 10, 2026 23:07
Expose `expiry_margin` across request-based OAuth helpers and increase the default safety margin from 5 to 30 seconds.

Preserve the normal refresh-token path while allowing clients to accommodate servers that reject near-expiry tokens.

Fixes r-lib#860.
Accept the hash changes produced by rlang 1.3.0 in the current CI environment.
@zacdav-db

zacdav-db commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Updated the snapshots for rlang 1.3.0 in 6f7b415.

  • Downloaded and reviewed the snapshots from the failing CI run.
  • Confirmed the four changes were expected hash-only updates.
  • Accepted them with testthat::snapshot_accept().

The full local test suite now passes.

@zacdav-db

Copy link
Copy Markdown
Contributor Author

Should oauth_token_cached() also gain an expiry_margin argument for consistency? It uses the same cached-token logic and inherits the new 30-second default, but callers currently cannot override it.

@zacdav-db
zacdav-db marked this pull request as ready for review July 10, 2026 13:49
@hadley

hadley commented Jul 10, 2026

Copy link
Copy Markdown
Member

Yeah, it should. Let me fix the hashes in a separate PR.

@hadley
hadley merged commit 981db5f into r-lib:main Jul 10, 2026
13 checks passed
@hadley

hadley commented Jul 10, 2026

Copy link
Copy Markdown
Member

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Allow configuring when OAuth tokens are treated as expired

2 participants