Skip to content

feat(transport): warn on GCP reauth-required OAuth failures#53

Draft
naxty wants to merge 1 commit into
mainfrom
feature/auth-reauth-warning
Draft

feat(transport): warn on GCP reauth-required OAuth failures#53
naxty wants to merge 1 commit into
mainfrom
feature/auth-reauth-warning

Conversation

@naxty

@naxty naxty commented Apr 22, 2026

Copy link
Copy Markdown
Contributor

Summary

When a Google Workspace organization's reauth policy expires an ADC session, the OAuth2 library returns an opaque invalid_grant / reauth related error (invalid_rapt) from every GCP API call. The error bubbles up through formae as a generic "request failed: oauth2: …" wrapper — users have to hunt for support.google.com/a/answer/9368756 and correlate the remediation themselves.

This PR detects the pattern inside transport.Client.SendRequest and emits a dedicated Warn-level log at the first failing call, with the two commands that actually resolve it:

[gcp] WRN GCP reauth required: Workspace org reauth policy returned `invalid_rapt`.
  Re-authenticate with `gcloud auth application-default login`, or switch to a
  service account by setting GOOGLE_APPLICATION_CREDENTIALS — service accounts
  are not subject to reauth policies
  err=…  url=https://compute.googleapis.com/…  method=POST

The original error is still returned unchanged so formae's state-machine classifies and propagates the failure the same way — the Warn is purely a diagnostic aid on top.

Why at the transport layer

All CRUD paths (Create, Read, Update, Delete, List) go through SendRequest, so one instrumentation point covers every resource type this plugin ships.

Related

The sister PR in formae-plugin-k8s (branch feature/gke-auth-hints) adds the same detection to the K8S plugin's GKE auth provider — they hit the underlying invalid_rapt failure independently (GCP plugin when directly calling GCP APIs; K8S plugin when minting a token to reach a GKE apiserver via GKEAuth). Both use the same substring check for consistency.

When a Workspace org's reauth policy expires an ADC session, the OAuth2
library surfaces an opaque `invalid_grant` / `reauth related error
(invalid_rapt)` that currently bubbles up from every GCP API call as a
bare "request failed" error. Users have to correlate this with the
remediation (gcloud auth application-default login, or switch to a
service account) on their own.

Detect the pattern at the transport layer and emit one clearly-labeled
Warn-level log at the first failing call, with the exact commands that
resolve it. The error is still returned unchanged so formae's
state-machine handles the failure the same way.

Mirrors the equivalent detection in formae-plugin-k8s's GKE auth
provider — both plugins hit this failure mode independently when the
same ADC session ages out mid-session.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant