Tweak access token refresh time

There's a very rare error where our access token is denied by GAE which happens a couple of seconds a day (if it happens at all). There doesn't seem to be anything wrong on our side, it could be just that the OAuth server is flaky. But to be safe, the refresh period is shortened. Also added logging to confirm what is refreshed. Note that the logging is at FINE leve, which only actually write to the logs in non-production environment.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=208823699

java/google/registry/proxy/ProxyModule.java

@@ -29,6 +29,7 @@ import com.google.api.services.cloudkms.v1.model.DecryptRequest;
 import com.google.api.services.storage.Storage;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
+import com.google.common.flogger.FluentLogger;
 import com.google.common.flogger.LoggerConfig;
 import com.google.monitoring.metrics.MetricReporter;
 import dagger.Component;
@@ -71,6 +72,8 @@ import javax.inject.Singleton;
 @Module
 public class ProxyModule {
 
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
   @Parameter(names = "--whois", description = "Port for WHOIS")
   private Integer whoisPort;
 
@@ -130,6 +133,8 @@ public class ProxyModule {
       // Log source IP information if --log parameter is passed. This is considered PII and should
       // only be used in non-production environment for debugging purpose.
       LoggerConfig.getConfig(ProxyProtocolHandler.class).setLevel(Level.FINE);
+      // Log at debug level what is the refreshed access token.
+      LoggerConfig.getConfig(ProxyModule.class).setLevel(Level.FINE);
     }
   }
 
@@ -236,7 +241,10 @@ public class ProxyModule {
           } catch (IOException e) {
             throw new RuntimeException("Cannot refresh access token.", e);
           }
-          return credential.getAccessToken();
+          // TODO (jianglai): Remove access token refresh logging.
+          String token = credential.getAccessToken();
+          logger.atFine().log("Access token refreshed: %s", token);
+          return token;
         },
         config.accessTokenValidPeriodSeconds - config.accessTokenRefreshBeforeExpirySeconds,
         SECONDS);

java/google/registry/proxy/config/default-config.yaml

@@ -20,15 +20,17 @@ gcpScopes:
   # to authenticate.
   - https://www.googleapis.com/auth/userinfo.email
 
-# Access token is valid for 30 minutes.
+# Access token is valid for 10 minutes.
 #
 # Document says that the token should be good for 60 minutes, but in practice
 # we've run into problems with token becoming invalid before supposed expiration
-# time. 30 minutes seems to be a good compromise which guarantees token validity
+# time. This used to be set to 30 min but we still observe very rare occurrence
-# without making many more API calls to the OAuth server.
+# of INVALID_TOKEN response (not even EXPIRED_TOKEN, which is also a possible
+# response). Set it to 10 minutes so that the tokens can be refreshed more
+# frequently.
 # See also: Data store
 # (https://developers.google.com/api-client-library/java/google-api-java-client/oauth2#data_store).
-accessTokenValidPeriodSeconds: 1800
+accessTokenValidPeriodSeconds: 600
 
 # Access token is refreshed 1 minutes before expiry.
 #