Python: How should credentials be refreshed for long streaming requests?

[busu...@google.com]

google-auth implements AuthMetadataPlugin . For some long streaming calls, it looks like the the credentials can expire mid-request.

What's the correct way to ensure the credentials get refreshed in this case?

https://github.com/googleapis/google-auth-library-python/issues/712

[Lidi Zheng]

Based on code, AuthMetadataPlugin fetches and injects the access token to headers (or initial metadata). For every RPC, unary or streaming, the initial metadata will only be sent once. So, normally, the backend validates the token when it receives the request, and the RPC is allowed to run for arbitrary amount of time.

Unless, the backend or one of the proxy has an aggressive cut-off mechanism to abort the RPC with UNAUTHENTICATED(16) and with the text message in #712.

In short, it's more likely this error is generated at the beginning of RPC instead of in the middle.

---

As for refresh credentials,  I saw the `CLOCK_SKEW`. So, there should not be invalid token when the client sent out the request. Is it possible that the first frame of the RPC lagged for 10s, so the server received an out-of-date access token? I guess we will need trace log to find out the root cause. Users can set `GRPC_TRACE=plugin_credentials` to see more details.