From d878f4ba2d86453687499730c9d640604bed4f47 Mon Sep 17 00:00:00 2001
From: jianglai
Date: Wed, 15 Aug 2018 08:32:42 -0700
Subject: [PATCH] Tweak access token refresh time

There's a very rare error where our access token is denied by GAE which happens a couple of seconds a day (if it happens at all). There doesn't seem to be anything wrong on our side, it could be just that the OAuth server is flaky. But to be safe, the refresh period is shortened. Also added logging to confirm what is refreshed. Note that the logging is at FINE leve, which only actually write to the logs in non-production environment.
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=208823699
---
 java/google/registry/proxy/ProxyModule.java | 10 +++++++++-
 java/google/registry/proxy/config/default-config.yaml | 10 ++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/java/google/registry/proxy/ProxyModule.java b/java/google/registry/proxy/ProxyModule.java
index 9c6efbb29..6e8cd5bb2 100644
--- a/java/google/registry/proxy/ProxyModule.java
+++ b/java/google/registry/proxy/ProxyModule.java
@@ -29,6 +29,7 @@ import com.google.api.services.cloudkms.v1.model.DecryptRequest;
 import com.google.api.services.storage.Storage;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
+import com.google.common.flogger.FluentLogger;
 import com.google.common.flogger.LoggerConfig;
 import com.google.monitoring.metrics.MetricReporter;
 import dagger.Component;
@@ -71,6 +72,8 @@ import javax.inject.Singleton;
 @Module
 public class ProxyModule {
+ private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
 @Parameter(names = "--whois", description = "Port for WHOIS")
 private Integer whoisPort;
@@ -130,6 +133,8 @@ public class ProxyModule {
 // Log source IP information if --log parameter is passed. This is considered PII and should
 // only be used in non-production environment for debugging purpose.
 LoggerConfig.getConfig(ProxyProtocolHandler.class).setLevel(Level.FINE);
+ // Log at debug level what is the refreshed access token.
+ LoggerConfig.getConfig(ProxyModule.class).setLevel(Level.FINE);
 }
 }
@@ -236,7 +241,10 @@ public class ProxyModule {
 } catch (IOException e) {
 throw new RuntimeException("Cannot refresh access token.", e);
 }
- return credential.getAccessToken();
+ // TODO (jianglai): Remove access token refresh logging.
+ String token = credential.getAccessToken();
+ logger.atFine().log("Access token refreshed: %s", token);
+ return token;
 },
 config.accessTokenValidPeriodSeconds - config.accessTokenRefreshBeforeExpirySeconds,
 SECONDS);
diff --git a/java/google/registry/proxy/config/default-config.yaml b/java/google/registry/proxy/config/default-config.yaml
index 32fb6f9c1..893f1edeb 100644
--- a/java/google/registry/proxy/config/default-config.yaml
+++ b/java/google/registry/proxy/config/default-config.yaml
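Review bot: The added `logger.atFine().log("Access token refreshed: %s", token);` in the third ProxyModule.java hunk writes the complete OAuth access token into the log, and the hunk at -130 raises `ProxyModule` to `Level.FINE` whenever `--log` is passed, so the exposure is gated by a command-line flag rather than by the environment the commit message relies on. An access token is a bearer credential: every log file, log sink and person with log read access becomes a place it can be copied from while it is still valid, and confirming that a refresh happened does not need the value. I would log the event without the secret, `logger.atFine().log("Access token refreshed.");`, or at most a short non-reversible fingerprint (for example a truncated SHA-256 of the token) if successive refreshes need to be told apart. The enclosing block of the refresh code starts outside the hunk, so whether the token is logged or cached elsewhere cannot be judged from here.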
@@ -20,15 +20,17 @@ gcpScopes:
 # to authenticate.
 - https://www.googleapis.com/auth/userinfo.email
-# Access token is valid for 30 minutes.
+# Access token is valid for 10 minutes.
 #
 # Document says that the token should be good for 60 minutes, but in practice
 # we've run into problems with token becoming invalid before supposed expiration
-# time. 30 minutes seems to be a good compromise which guarantees token validity
-# without making many more API calls to the OAuth server.
+# time. This used to be set to 30 min but we still observe very rare occurrence
+# of INVALID_TOKEN response (not even EXPIRED_TOKEN, which is also a possible
+# response). Set it to 10 minutes so that the tokens can be refreshed more
+# frequently.
 # See also: Data store
 # (https://developers.google.com/api-client-library/java/google-api-java-client/oauth2#data_store).
-accessTokenValidPeriodSeconds: 1800
+accessTokenValidPeriodSeconds: 600
 # Access token is refreshed 1 minutes before expiry.
 #