fix: back off failed OIDC refresh attempts

Author: leavesster

src/credentials.ts

@@ -5,6 +5,7 @@ import ky from "ky";
 
 const DEFAULT_STS_ENDPOINT = "sts.aliyuncs.com";
 const DEFAULT_REFRESH_BEFORE_EXPIRATION_SECONDS = 300;
+const DEFAULT_REFRESH_FAILURE_BACKOFF_SECONDS = 60;
 const DEFAULT_REQUEST_TIMEOUT = 30000;
 const DEFAULT_ROLE_SESSION_NAME = "alicloud-tablestore";
 
@@ -18,6 +19,7 @@ export interface OIDCCredentialProviderConfig {
     durationSeconds?: number;
     stsEndpoint?: string;
     refreshBeforeExpirationSeconds?: number;
+    refreshFailureBackoffSeconds?: number;
     requestTimeout?: number;
 }
 
@@ -39,6 +41,7 @@ interface OIDCCredentials extends Credentials {
 
 export class OIDCCredentialProvider {
     private credentials: OIDCCredentials | null = null;
+    private refreshBlockedUntil = 0;
     private refreshPromise: Promise<Credentials> | null = null;
 
     public constructor(private readonly config: OIDCCredentialProviderConfig) {
@@ -49,6 +52,10 @@ export class OIDCCredentialProvider {
             return this.credentials;
         }
 
+        if (this.credentials && !this.isExpired(this.credentials) && this.refreshBlockedUntil > Date.now()) {
+            return this.credentials;
+        }
+
         if (!this.refreshPromise) {
             this.refreshPromise = this.refresh();
         }
@@ -58,6 +65,7 @@ export class OIDCCredentialProvider {
         }
         catch (error) {
             if (this.credentials && !this.isExpired(this.credentials)) {
+                this.refreshBlockedUntil = Date.now() + this.getRefreshFailureBackoffMilliseconds();
                 return this.credentials;
             }
 
@@ -121,6 +129,7 @@ export class OIDCCredentialProvider {
             expiration,
             stsToken: credentials.SecurityToken,
         };
+        this.refreshBlockedUntil = 0;
 
         return this.credentials;
     }
@@ -148,6 +157,13 @@ export class OIDCCredentialProvider {
     private isExpired(credentials: OIDCCredentials): boolean {
         return credentials.expiration.getTime() <= Date.now();
     }
+
+    private getRefreshFailureBackoffMilliseconds(): number {
+        return Math.max(
+            0,
+            this.config.refreshFailureBackoffSeconds ?? DEFAULT_REFRESH_FAILURE_BACKOFF_SECONDS,
+        ) * 1000;
+    }
 }
 
 export function createOIDCCredentialProvider(config: OIDCCredentialProviderConfig): CredentialProvider {
@@ -199,11 +215,15 @@ function parseSTSResponse(text: string): AssumeRoleWithOIDCResponse {
 }
 
 function getSTSEndpointURL(endpoint = DEFAULT_STS_ENDPOINT): string {
-    if (endpoint.startsWith("http://") || endpoint.startsWith("https://")) {
-        return endpoint.endsWith("/") ? endpoint : `${endpoint}/`;
+    const url = new URL(endpoint.startsWith("http://") || endpoint.startsWith("https://")
+        ? endpoint
+        : `https://${endpoint}`);
+
+    if (!url.pathname.endsWith("/")) {
+        url.pathname = `${url.pathname}/`;
     }
 
-    return `https://${endpoint}/`;
+    return url.toString();
 }
 
 function formatSTSError(status: number, statusText: string, data: AssumeRoleWithOIDCResponse): string {

test/credentials.test.ts

@@ -4,8 +4,10 @@ import { createOIDCCredentialProvider } from "../src/credentials";
 describe("OIDC credential provider", () => {
     test("exchanges an OIDC token for STS credentials", async () => {
         const requests: URLSearchParams[] = [];
-        const restoreFetch = mockSTSFetch((params) => {
+        const urls: string[] = [];
+        const restoreFetch = mockSTSFetch((params, request) => {
             requests.push(params);
+            urls.push(request.url);
             return createSTSResponse({
                 accessKeyID: "access-key-id",
                 accessKeySecret: "access-key-secret",
@@ -24,7 +26,7 @@ describe("OIDC credential provider", () => {
                 }),
                 roleArn: "acs:ram::1234567890123456:role/example",
                 roleSessionName: "tablestore-test",
-                stsEndpoint: "https://sts.example.com",
+                stsEndpoint: "https://sts.example.com?source=test",
             });
 
             const credentials = await credentialProvider();
@@ -36,6 +38,7 @@ describe("OIDC credential provider", () => {
                 stsToken: "security-token",
             });
             expect(requests).toHaveLength(1);
+            expect(urls).toEqual(["https://sts.example.com/?source=test"]);
             expect(requests[0]!.get("Action")).toBe("AssumeRoleWithOIDC");
             expect(requests[0]!.get("Version")).toBe("2015-04-01");
             expect(requests[0]!.get("OIDCToken")).toBe("oidc-token");
@@ -150,11 +153,13 @@ describe("OIDC credential provider", () => {
 
             const first = await credentialProvider();
             const fallback = await credentialProvider();
+            const backedOff = await credentialProvider();
 
             expect(hits).toBe(2);
             expect(first.accessKeyID).toBe("access-key-id");
             expect(fallback.accessKeyID).toBe("access-key-id");
             expect(fallback.stsToken).toBe("security-token");
+            expect(backedOff.accessKeyID).toBe("access-key-id");
         }
         finally {
             restoreFetch();
@@ -169,12 +174,12 @@ interface STSResponseOptions {
     stsToken: string;
 }
 
-function mockSTSFetch(handler: (params: URLSearchParams) => unknown | Promise<unknown>): () => void {
+function mockSTSFetch(handler: (params: URLSearchParams, request: Request) => unknown | Promise<unknown>): () => void {
     const originalFetch = globalThis.fetch;
     globalThis.fetch = (async (input, init) => {
         const request = input instanceof Request ? input : new Request(String(input), init);
         const params = new URLSearchParams(await request.text());
-        return Response.json(await handler(params));
+        return Response.json(await handler(params, request));
     }) as typeof fetch;
 
     return () => {