databricks · renaudhartert-db · Mar 22, 2026 · Mar 21, 2026 · Mar 22, 2026 · Mar 22, 2026
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -8,6 +8,8 @@
 
 ### Bug Fixes
 
+ * Disable async token refresh for GCP credential providers to avoid wasted refresh attempts caused by double-caching with Google's internal `oauth2.ReuseTokenSource` ([#1549](https://github.com/databricks/databricks-sdk-go/issues/1549)).
+
 ### Documentation
 
 ### Internal Changes

diff --git a/config/auth_gcp_google_credentials.go b/config/auth_gcp_google_credentials.go
@@ -7,6 +7,7 @@ import (
 	"os"
 
 	"github.com/databricks/databricks-sdk-go/config/credentials"
+	"github.com/databricks/databricks-sdk-go/config/experimental/auth"
 	"github.com/databricks/databricks-sdk-go/logger"
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/idtoken"
@@ -41,8 +42,15 @@ func (c GoogleCredentials) Configure(ctx context.Context, cfg *Config) (credenti
 	if err != nil {
 		return nil, fmt.Errorf("could not obtain OAuth2 token from JSON: %w", err)
 	}
+	// Disable async token refresh. Google's token sources cache tokens
+	// internally via oauth2.ReuseTokenSource, and there is no way to
+	// bypass this caching for unexported token source types. Async
+	// refresh would be unnecessary work since Google's cache already
+	// handles token renewal.
+	opts := append(cacheOptions(cfg), auth.WithAsyncRefresh(false))
+
 	logger.Infof(ctx, "Using Google Credentials")
-	visitor := serviceToServiceVisitor(inner, creds.TokenSource, "X-Databricks-GCP-SA-Access-Token", true, cacheOptions(cfg)...)
+	visitor := serviceToServiceVisitor(inner, creds.TokenSource, "X-Databricks-GCP-SA-Access-Token", true, opts...)
 	return credentials.NewOAuthCredentialsProvider(visitor, inner.Token), nil
 }
 

diff --git a/config/auth_gcp_google_id.go b/config/auth_gcp_google_id.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/databricks/databricks-sdk-go/config/credentials"
+	"github.com/databricks/databricks-sdk-go/config/experimental/auth"
 	"github.com/databricks/databricks-sdk-go/logger"
 	"golang.org/x/oauth2"
 	"google.golang.org/api/impersonate"
@@ -28,7 +29,14 @@ func (c GoogleDefaultCredentials) Configure(ctx context.Context, cfg *Config) (c
 	if err != nil {
 		return nil, err
 	}
-	opts := cacheOptions(cfg)
+
+	// Disable async token refresh. Google's token sources cache tokens
+	// internally via oauth2.ReuseTokenSource, and there is no way to
+	// bypass this caching for unexported token source types. Async
+	// refresh would be unnecessary work since Google's cache already
+	// handles token renewal.
+	opts := append(cacheOptions(cfg), auth.WithAsyncRefresh(false))
+
 	// Always attempt to create SA token source for the secondary header.
 	// If it fails, fall back to refreshableVisitor with a warning.
 	platform, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{