Skip to content

[Credentials Cache PR 5] Add IdentityProvider.invalidate#7108

Open
alextwoods wants to merge 9 commits into
feature/master/credential_cachefrom
alexwoo/credential_cache_invalidate
Open

[Credentials Cache PR 5] Add IdentityProvider.invalidate#7108
alextwoods wants to merge 9 commits into
feature/master/credential_cachefrom
alexwoo/credential_cache_invalidate

Conversation

@alextwoods

@alextwoods alextwoods commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This PR merges to feature/master/credential_cache, NOT to master
[Credentials Cache PR 5]

Motivation and Context

Add invalidate() method to IdentityProvider interface returning CompletableFuture to allow the SDK to signal providers to mark cached credentials for refresh when target services reject them with ExpiredToken, InvalidToken, or AuthFailure errors.

Modifications

Key changes:

  • IdentityProvider: async invalidate(IdentityT) default method
  • SelectedAuthScheme: carry identityProvider reference (add new builder since we now have 4 args)
  • AuthSchemeResolver: pass identityProvider when constructing SelectedAuthScheme
  • AuthErrorInvalidationHelper: detect auth errors and trigger invalidation
  • CachedSupplier: invalidate(Predicate) + nextAllowedRefreshTime backoff
  • All caching providers: invalidate with accessKeyId matching
  • All delegating providers: forward invalidate to delegate
  • EndpointResolverUtilsSpec: propagate identityProvider in codegen

Testing

new and existing tests.

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • [] I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

…validation

Add invalidate() method to IdentityProvider interface returning
CompletableFuture<Void> to allow the SDK to signal providers to mark
cached credentials for refresh when target services reject them with
ExpiredToken, InvalidToken, or AuthFailure errors.

Key changes:
- IdentityProvider: async invalidate(IdentityT) default method
- SelectedAuthScheme: carry identityProvider reference (4-arg constructor)
- AuthSchemeResolver: pass identityProvider when constructing SelectedAuthScheme
- AuthErrorInvalidationHelper: detect auth errors and trigger invalidation
- CachedSupplier: invalidate(Predicate) + nextAllowedRefreshTime backoff
- All caching providers: invalidate with accessKeyId matching
- All delegating providers: forward invalidate to delegate
- EndpointResolverUtilsSpec: propagate identityProvider in codegen
@alextwoods alextwoods requested a review from a team as a code owner July 7, 2026 20:00
@alextwoods alextwoods mentioned this pull request Jul 7, 2026
12 tasks
@alextwoods alextwoods force-pushed the alexwoo/credential_cache_invalidate branch from e3d6466 to 192c33f Compare July 9, 2026 18:20
@alextwoods alextwoods added the api-surface-area-approved-by-team Indicate API surface area introduced by this PR has been approved by team label Jul 9, 2026
@Override
public CompletableFuture<Void> invalidate(AwsCredentialsIdentity identity) {
String rejectedAccessKeyId = identity.accessKeyId();
return CompletableFuture.runAsync(() ->

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CompletableFuture.runAsync runs by ForkJoinPool.commonPool() by default and the default number of threads equals to Runtime.getRuntime().availableProcessors() - 1. Since this invalidate is basically sync operation, so it may not matter even for tiny instances, but should we consider avoiding using it anyway in case we have a true async implementation of invalidate in the future and we forget about this? We could use joinLikeSync and return a completed future here. WDYT?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I honestly went back and forth on this a few times and am still on the fence about. I started it as fully sync before we switched the interface to match the other methods on IdentityProvider, and I switched to just doing the invalidate sync and returning a completed future, but looking at the implementation of invalidate in the CachedSupplier, it waits to acquire the lock - if another thread is updating the cache (which may be a relatively long running service call), we may need to actually wait for some time, making this maybe appropriately more actually async. However, I share the concern with using the common pool to run this so I keep going back and forth. What do you think?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now I rolled this back to be effectively sync and return a completed future, but still worth discussing.

CompletableFuture<?>[] futures = credentialsProviders.stream()
.map(provider -> {
try {
return invalidateProvider(provider, identity)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we just invalidate last used provider instead of all of them? I'm a bit concerned it may cause surprising behavior for customers if the rest of the credentials providers are valid and actively used elsewhere in their application

Comment thread utils/src/main/java/software/amazon/awssdk/utils/cache/CachedSupplier.java Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

api-surface-area-approved-by-team Indicate API surface area introduced by this PR has been approved by team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants