Allow configurable OAuth expiry margins#861
Merged
Merged
Conversation
added 2 commits
July 10, 2026 23:07
Expose `expiry_margin` across request-based OAuth helpers and increase the default safety margin from 5 to 30 seconds. Preserve the normal refresh-token path while allowing clients to accommodate servers that reject near-expiry tokens. Fixes r-lib#860.
Accept the hash changes produced by rlang 1.3.0 in the current CI environment.
Contributor
Author
|
Updated the snapshots for
The full local test suite now passes. |
Contributor
Author
|
Should |
zacdav-db
marked this pull request as ready for review
July 10, 2026 13:49
Member
|
Yeah, it should. Let me fix the hashes in a separate PR. |
Member
|
Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
expiry_marginto the request-basedreq_oauth_*()helpers.Motivation
Some resource servers reject tokens shortly before their stated expiry. Databricks, for example, returns HTTP 403 when a token has 30 seconds or less remaining and does not send the RFC 6750
WWW-Authenticate: error="invalid_token"challenge that triggers httr2 automatic reauthentication.A configurable margin lets clients add provider-specific headroom without inspecting or clearing httr2 private cache state. The 30-second default follows the direction discussed in #860; clients can select a larger value when they need additional clock-skew tolerance.
Fixes #860.
Validation
devtools::test(filter = "^oauth"): 116 passed, 1 credential-gated test skipped.devtools::test()withrlang1.3.0: 1,300 passed, 2 credential-gated tests skipped.pkgdown::check_pkgdown(): no problems found locally.devtools::check(): 0 errors, 0 warnings, 1 environment-only note (unable to verify current time).