wisedev-code
diff --git a/‎Examples/Examples/Chat/ChatExampleVertex.cs‎
Lines changed: 2 additions & 14 deletions b/‎Examples/Examples/Chat/ChatExampleVertex.cs‎
Lines changed: 2 additions & 14 deletions
diff --git a/‎Examples/Examples/Utils/VertexExample.cs‎
Lines changed: 22 additions & 0 deletions b/‎Examples/Examples/Utils/VertexExample.cs‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎src/MaIN.InferPage/.claude/settings.local.json‎
Lines changed: 0 additions & 12 deletions b/‎src/MaIN.InferPage/.claude/settings.local.json‎
Lines changed: 0 additions & 12 deletions
diff --git a/‎src/MaIN.Services/Services/LLMService/Auth/GoogleServiceAccountTokenProvider.cs‎
Lines changed: 27 additions & 20 deletions b/‎src/MaIN.Services/Services/LLMService/Auth/GoogleServiceAccountTokenProvider.cs‎
Lines changed: 27 additions & 20 deletions
@@ -1,8 +1,6 @@
-using MaIN.Core;
+using Examples.Utils;
 using MaIN.Core.Hub;
-using MaIN.Domain.Configuration;
 using MaIN.Domain.Configuration.BackendInferenceParams;
-using MaIN.Domain.Configuration.Vertex;
 using MaIN.Domain.Models;
 
 namespace Examples.Chat;
@@ -11,17 +9,7 @@ public class ChatExampleVertex : IExample
 {
     public async Task Start()
     {
-        MaINBootstrapper.Initialize(configureSettings: options =>
-        {
-            options.BackendType = BackendType.Vertex;
-            options.GoogleServiceAccountAuth = new GoogleServiceAccountConfig
-            {
-                ProjectId   = "<YOUR_GCP_PROJECT_ID>",
-                ClientEmail = "<YOUR_SERVICE_ACCOUNT_EMAIL>",
-                PrivateKey  = "<YOUR_PRIVATE_KEY>"
-            };
-        });
-
+        VertexExample.Setup(); //We need to provide Google service account config 
         Console.WriteLine("(Vertex AI) ChatExample is running!");
 
         await AIHub.Chat()
 
@@ -0,0 +1,22 @@
+using MaIN.Core;
+using MaIN.Domain.Configuration;
+using MaIN.Domain.Configuration.Vertex;
+
+namespace Examples.Utils;
+
+public class VertexExample
+{
+    public static void Setup()
+    {
+        MaINBootstrapper.Initialize(configureSettings: options =>
+        {
+            options.BackendType = BackendType.Vertex;
+            options.GoogleServiceAccountAuth = new GoogleServiceAccountConfig
+            {
+                ProjectId = "<YOUR_GCP_PROJECT_ID>",
+                ClientEmail = "<YOUR_SERVICE_ACCOUNT_EMAIL>",
+                PrivateKey = @"<YOUR_PRIVATE_KEY>"
+            };
+        });
+    }
+}
@@ -1,12 +1,13 @@
+using System.Collections.Concurrent;
+using System.Net.Http.Json;
 using System.Security.Cryptography;
 using System.Text;
-using System.Text.Json;
 using System.Text.Json.Serialization;
 using MaIN.Domain.Configuration.Vertex;
 
 namespace MaIN.Services.Services.LLMService.Auth;
 
-internal sealed class GoogleServiceAccountTokenProvider
+internal sealed class GoogleServiceAccountTokenProvider : IDisposable
 {
     private const string Scope = "https://www.googleapis.com/auth/cloud-platform";
     private const int TokenLifetimeSeconds = 3600;
@@ -15,9 +16,8 @@ internal sealed class GoogleServiceAccountTokenProvider
     private readonly GoogleServiceAccountConfig _config;
     private readonly RSA _rsa;
 
-    // Static cache shared across all VertexService instances (keyed by ClientEmail)
-    private static readonly System.Collections.Concurrent.ConcurrentDictionary<string, CachedToken> _tokenCache = new();
-    private static readonly SemaphoreSlim _refreshLock = new(1, 1);
+    private static readonly ConcurrentDictionary<string, CachedToken> TokenCache = new();
+    private static readonly ConcurrentDictionary<string, SemaphoreSlim> RefreshLocks = new();
 
     public GoogleServiceAccountTokenProvider(GoogleServiceAccountConfig config)
     {
@@ -28,45 +28,46 @@ public GoogleServiceAccountTokenProvider(GoogleServiceAccountConfig config)
 
     public async Task<string> GetAccessTokenAsync(HttpClient httpClient)
     {
-        if (_tokenCache.TryGetValue(_config.ClientEmail, out var cached) && DateTime.UtcNow < cached.Expiry)
+        var email = _config.ClientEmail;
+
+        if (TokenCache.TryGetValue(email, out var cached) && !cached.IsExpired)
             return cached.Token;
 
-        await _refreshLock.WaitAsync();
+        var refreshLock = RefreshLocks.GetOrAdd(email, _ => new SemaphoreSlim(1, 1));
+        await refreshLock.WaitAsync();
         try
         {
             // Double-check after acquiring lock
-            if (_tokenCache.TryGetValue(_config.ClientEmail, out cached) && DateTime.UtcNow < cached.Expiry)
+            if (TokenCache.TryGetValue(email, out cached) && !cached.IsExpired)
                 return cached.Token;
 
             var jwt = BuildSignedJwt();
             var token = await ExchangeJwtForTokenAsync(httpClient, jwt);
 
             var accessToken = token.AccessToken
-                              ?? throw new InvalidOperationException("Token response missing access_token.");
+                              ?? throw new InvalidOperationException("Vertex AI token response missing access_token.");
             var expiry = DateTime.UtcNow.AddSeconds(token.ExpiresIn).AddMinutes(-RefreshBufferMinutes);
 
-            _tokenCache[_config.ClientEmail] = new CachedToken(accessToken, expiry);
+            TokenCache[email] = new CachedToken(accessToken, expiry);
             return accessToken;
         }
         finally
         {
-            _refreshLock.Release();
+            refreshLock.Release();
         }
     }
 
-    private sealed record CachedToken(string Token, DateTime Expiry);
-
     private string BuildSignedJwt()
     {
         var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
 
-        var header = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(new
+        var header = Base64UrlEncode(System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(new
         {
             alg = "RS256",
             typ = "JWT"
         }));
 
-        var payload = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(new
+        var payload = Base64UrlEncode(System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(new
         {
             iss = _config.ClientEmail,
             scope = Scope,
@@ -81,15 +82,15 @@ private string BuildSignedJwt()
         return $"{header}.{payload}.{Base64UrlEncode(signature)}";
     }
 
-    private async Task<TokenResponse> ExchangeJwtForTokenAsync(HttpClient httpClient, string jwt)
+    private static async Task<TokenResponse> ExchangeJwtForTokenAsync(HttpClient httpClient, string jwt)
     {
-        var content = new FormUrlEncodedContent(new Dictionary<string, string>
+        using var content = new FormUrlEncodedContent(new Dictionary<string, string>
         {
             ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
             ["assertion"] = jwt
         });
 
-        using var response = await httpClient.PostAsync(_config.TokenUri, content);
+        using var response = await httpClient.PostAsync("https://oauth2.googleapis.com/token", content);
 
         if (!response.IsSuccessStatusCode)
         {
@@ -98,14 +99,20 @@ private async Task<TokenResponse> ExchangeJwtForTokenAsync(HttpClient httpClient
                 $"Vertex AI token exchange failed ({response.StatusCode}): {error}");
         }
 
-        var json = await response.Content.ReadAsStringAsync();
-        return JsonSerializer.Deserialize<TokenResponse>(json)
+        return await response.Content.ReadFromJsonAsync<TokenResponse>()
                ?? throw new InvalidOperationException("Failed to parse Vertex AI token response.");
     }
 
+    public void Dispose() => _rsa.Dispose();
+
     private static string Base64UrlEncode(byte[] data)
         => Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
 
+    private sealed record CachedToken(string Token, DateTime Expiry)
+    {
+        public bool IsExpired => DateTime.UtcNow >= Expiry;
+    }
+
     private sealed class TokenResponse
     {
         [JsonPropertyName("access_token")] public string? AccessToken { get; set; }