camunda/camunda-8-js-sdk

OAuth token refresh has a race condition

jwulf opened this issue · 0 comments

Tests in GitHub CI for Self-Managed are failing.

The cause seems to be a race condition in token refresh. At the moment, the OAuth component caches the token and compares the expiry time to the current time, and requests a new token if the expiry time is greater than or equal to the current time.

If the token expires in 1ms it will be used for a call, but this will probably result in it expiring before it hits the service.

To deal with this, I am adding a new configuration field: CAMUNDA_OAUTH_TOKEN_REFRESH_THRESHOLD_MS. It defaults to 1000 (1 second).

This represents the lead time to refresh the token. So, by default a cached token will be refreshed 1 second before it expires, and this can be tuned by the user depending on their environment.
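The effect of the refresh lead time described in this issue, as an added example that is not the SDK's own code. `TokenCache`, `issueToken`, `countRejectedCalls`, the 5000 ms token lifetime and the 999 ms call interval are constructed for illustration; only the `CAMUNDA_OAUTH_TOKEN_REFRESH_THRESHOLD_MS` name and its 1000 ms default come from the issue.

```javascript
// Default lead time stated in the issue for CAMUNDA_OAUTH_TOKEN_REFRESH_THRESHOLD_MS.
const DEFAULT_REFRESH_THRESHOLD_MS = 1000;

// Hypothetical cache; issueToken(nowMs) stands in for the OAuth token request.
class TokenCache {
  constructor(issueToken, refreshThresholdMs = DEFAULT_REFRESH_THRESHOLD_MS) {
    if (!Number.isFinite(refreshThresholdMs) || refreshThresholdMs < 0) {
      throw new RangeError('refresh threshold must be a non-negative number of ms');
    }
    this.issueToken = issueToken;
    this.refreshThresholdMs = refreshThresholdMs;
    this.token = null;
  }

  // A cached token is reused only if it outlives "now" by more than the threshold.
  isUsable(nowMs) {
    return this.token !== null &&
      this.token.expiresAt - nowMs > this.refreshThresholdMs;
  }

  getToken(nowMs) {
    if (!this.isUsable(nowMs)) this.token = this.issueToken(nowMs);
    return this.token;
  }
}

// Constructed scenario: tokens live 5000 ms, a call is made every 999 ms for
// 60 s, and each call needs latencyMs to reach a service that rejects a token
// whose expiry has passed on arrival. Returns the number of rejected calls.
function countRejectedCalls(refreshThresholdMs, latencyMs) {
  const issueToken = (nowMs) => ({ value: `token-${nowMs}`, expiresAt: nowMs + 5000 });
  const cache = new TokenCache(issueToken, refreshThresholdMs);
  let rejected = 0;
  for (let nowMs = 0; nowMs <= 60000; nowMs += 999) {
    const token = cache.getToken(nowMs);
    if (token.expiresAt <= nowMs + latencyMs) rejected++;
  }
  return rejected;
}

console.log('threshold 0, latency 50:     ', countRejectedCalls(0, 50));
console.log('threshold 1000, latency 50:  ', countRejectedCalls(1000, 50));
console.log('threshold 1000, latency 1500:', countRejectedCalls(1000, 1500));
console.log('threshold 2000, latency 1500:', countRejectedCalls(2000, 1500));
```

The third case shows why the value is tunable: a lead time shorter than the time a call needs to reach the service still lets near-expiry tokens through.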