feat(transport): warn on GCP reauth-required OAuth failures#53
Draft
naxty wants to merge 1 commit into
Draft
Conversation
When a Workspace org's reauth policy expires an ADC session, the OAuth2 library surfaces an opaque `invalid_grant` / `reauth related error (invalid_rapt)` that currently bubbles up from every GCP API call as a bare "request failed" error. Users have to correlate this with the remediation (gcloud auth application-default login, or switch to a service account) on their own. Detect the pattern at the transport layer and emit one clearly-labeled Warn-level log at the first failing call, with the exact commands that resolve it. The error is still returned unchanged so formae's state-machine handles the failure the same way. Mirrors the equivalent detection in formae-plugin-k8s's GKE auth provider — both plugins hit this failure mode independently when the same ADC session ages out mid-session.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When a Google Workspace organization's reauth policy expires an ADC session, the OAuth2 library returns an opaque
invalid_grant/reauth related error (invalid_rapt)from every GCP API call. The error bubbles up through formae as a generic"request failed: oauth2: …"wrapper — users have to hunt for support.google.com/a/answer/9368756 and correlate the remediation themselves.This PR detects the pattern inside
transport.Client.SendRequestand emits a dedicated Warn-level log at the first failing call, with the two commands that actually resolve it:The original error is still returned unchanged so formae's state-machine classifies and propagates the failure the same way — the Warn is purely a diagnostic aid on top.
Why at the transport layer
All CRUD paths (
Create,Read,Update,Delete,List) go throughSendRequest, so one instrumentation point covers every resource type this plugin ships.Related
The sister PR in
formae-plugin-k8s(branchfeature/gke-auth-hints) adds the same detection to the K8S plugin's GKE auth provider — they hit the underlyinginvalid_raptfailure independently (GCP plugin when directly calling GCP APIs; K8S plugin when minting a token to reach a GKE apiserver viaGKEAuth). Both use the same substring check for consistency.