Skip to content

Fix the token expiration logic in SR Oauth #2177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
fangnx wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix the token expiration logic in SR Oauth #2177

fangnx wants to merge 1 commit into from

Conversation

@fangnx
Copy link
Member

@fangnx fangnx commented Jan 20, 2026

What

Checklist

  • Contains customer facing changes? Including API/behavior changes
  • Did you add sufficient unit test and/or integration test coverage for this PR?
    • If not, please explain why it is not required

References

JIRA:

Test & Review

Open questions / Follow-ups

@fangnx fangnx requested review from a team and MSeal as code owners January 20, 2026 20:04
Copilot AI review requested due to automatic review settings January 20, 2026 20:04
@confluent-cla-assistant
Copy link

confluent-cla-assistant bot commented Jan 20, 2026

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

Copilot AI reviewed Jan 20, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a critical bug in the token expiration logic for Schema Registry OAuth authentication. The previous implementation incorrectly calculated when tokens should be refreshed, causing them to be refreshed much earlier than intended.

Changes:

  • Fixed the token expiration calculation to properly compute the refresh buffer as expires_in * (1 - token_expiry_threshold) instead of expires_in * token_expiry_threshold
  • Applied the fix consistently to both sync and async implementations
  • Improved variable naming from expiry_window to refresh_buffer for better clarity

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/confluent_kafka/schema_registry/_sync/schema_registry_client.py Fixed token expiration logic in the synchronous OAuth client to correctly calculate when tokens need refreshing
src/confluent_kafka/schema_registry/_async/schema_registry_client.py Fixed token expiration logic in the asynchronous OAuth client to correctly calculate when tokens need refreshing

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/confluent_kafka/schema_registry/_sync/schema_registry_client.py
Comment on lines +125 to +126
refresh_buffer = self.token['expires_in'] * (1 - self.token_expiry_threshold)
return self.token['expires_at'] < time.time() + refresh_buffer
Copy link

Copilot AI Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The existing test case test_expiry() in tests/schema_registry/_sync/test_bearer_field_provider.py (and the async equivalent) will fail with this fix because it uses inconsistent test data. The test sets expires_at = time.time() + 2 and expires_in = 1, which doesn't match real OAuth token behavior where expires_at should be approximately current_time + expires_in. The test needs to be updated to use consistent values, for example: {'expires_at': time.time() + 1, 'expires_in': 1} or adjust the sleep duration and assertions accordingly.

Copilot uses AI. Check for mistakes.
src/confluent_kafka/schema_registry/_async/schema_registry_client.py
Comment on lines +125 to +126
refresh_buffer = self.token['expires_in'] * (1 - self.token_expiry_threshold)
return self.token['expires_at'] < time.time() + refresh_buffer
Copy link

Copilot AI Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The existing test case test_expiry() in tests/schema_registry/_async/test_bearer_field_provider.py will fail with this fix because it uses inconsistent test data. The test sets expires_at = time.time() + 2 and expires_in = 1, which doesn't match real OAuth token behavior where expires_at should be approximately current_time + expires_in. The test needs to be updated to use consistent values, for example: {'expires_at': time.time() + 1, 'expires_in': 1} or adjust the sleep duration and assertions accordingly.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@MSeal MSeal Awaiting requested review from MSeal MSeal is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fangnx