Based on code, AuthMetadataPlugin fetches and injects the access token to headers (or initial metadata). For every RPC, unary or streaming, the initial metadata will only be sent once. So, normally, the backend validates the token when it receives the request, and the RPC is allowed to run for arbitrary amount of time.
Unless, the backend or one of the proxy has an aggressive cut-off mechanism to abort the RPC with UNAUTHENTICATED(16) and with the text message in #712. In short, it's more likely this error is generated at the beginning of RPC instead of in the middle. --- As for refresh credentials, I saw the `CLOCK_SKEW`. So, there should not be invalid token when the client sent out the request. Is it possible that the first frame of the RPC lagged for 10s, so the server received an out-of-date access token? I guess we will need trace log to find out the root cause. Users can set `GRPC_TRACE=plugin_credentials` to see more details. On Thursday, March 18, 2021 at 8:02:55 AM UTC-7 [email protected] wrote: > google-auth implements AuthMetadataPlugin > <https://github.com/googleapis/google-auth-library-python/blob/f1fee1f4c3d511d9e6ecbc1c0397e743bf2583db/google/auth/transport/grpc.py#L43> > > . For some long streaming calls, it looks like the the credentials can > expire mid-request. > > What's the correct way to ensure the credentials get refreshed in this > case? > > https://github.com/googleapis/google-auth-library-python/issues/712 > -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/59ba26f6-4d27-4f72-9e2d-e219e08c2f30n%40googlegroups.com.
