Skip to content

Auth: pluggable token cache (WithTokenCache)#15

Merged
OmarAlJarrah merged 6 commits into
mainfrom
feat/token-cache
Jun 16, 2026
Merged

Auth: pluggable token cache (WithTokenCache)#15
OmarAlJarrah merged 6 commits into
mainfrom
feat/token-cache

Conversation

@OmarAlJarrah

@OmarAlJarrah OmarAlJarrah commented Jun 16, 2026

Copy link
Copy Markdown
Member

Summary

Makes BearerTokenPolicy's token cache pluggable so multiple clients can share
(or persist) bearer tokens, instead of each policy caching its own.

What's included

  • auth.TokenCache — a Get/Set interface keyed by the scope set, with a
    concurrency-safe InMemoryTokenCache default.
  • auth.NewBearerTokenPolicyWithCache(cred, cache, scopes...) — injects a
    shared cache. NewBearerTokenPolicy is unchanged and uses a private in-memory
    cache, so existing behavior is identical.
  • dexpace.WithTokenCache(cache) — shares a cache across the bearer policy
    that WithCredential installs.

The per-policy refresh lock and the five-minute freshness window are unchanged. A
shared cache populated by one policy is reused by others via the freshness check;
cross-policy single-flight is intentionally not performed (documented).

Background

One of the items deferred from the auth-breadth roadmap subsystem.

Behavior changes

None — NewBearerTokenPolicy and the default client path behave exactly as before
(the existing caching test passes unchanged).

Test plan

  • go build ./...
  • go vet ./...
  • gofmt -l . (clean)
  • go test -race ./... (all packages pass)
  • Covered: in-memory cache get/set, concurrency (-race), and scope-key isolation;
    existing per-policy caching preserved (1 fetch for 3 requests); a near-expiry
    token is re-fetched (freshness window); two policies and two clients sharing a
    cache fetch the token once.

🤖 Generated with Claude Code

OmarAlJarrah and others added 6 commits June 16, 2026 21:40
@OmarAlJarrah @claude
docs: design spec for pluggable token cache
68dffac 
TokenCache interface + InMemoryTokenCache default; BearerTokenPolicy refactored
to use it (behaviour preserved); WithTokenCache umbrella option for sharing.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@OmarAlJarrah @claude
docs: implementation plan for pluggable token cache
e5a11e1 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@OmarAlJarrah
feat(auth): add pluggable TokenCache; route BearerTokenPolicy through it
abf2741
@OmarAlJarrah @claude
test(auth): race-safe credential fixture, scope-key and stale-token t…
3ed85f8 
…ests; doc shared-cache refresh

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@OmarAlJarrah @claude
feat: add WithTokenCache to share bearer tokens across clients
36e476b 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@OmarAlJarrah
docs: document WithTokenCache
c2e4e2d
@OmarAlJarrah OmarAlJarrah merged commit 4dc0368 into main Jun 16, 2026
1 of 2 checks passed
@OmarAlJarrah OmarAlJarrah deleted the feat/token-cache branch June 16, 2026 18:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@OmarAlJarrah