Background
reqsign_azure_storage::Credential::SasToken currently stores only the token string and is considered valid as long as it is non-empty. That is fine for static SAS tokens managed externally, but it is not enough for temporary vended credentials.
A credential vending flow usually returns a SAS token plus an expiration timestamp. The signer should reload credentials after the token is close to expiration, just like AWS temporary credentials and Google OAuth2 tokens already do.
Proposal
Extend Azure SAS token credentials to preserve optional expiration information.
Possible shape:
Credential::SasToken {
token: String,
expires_in: Option<Timestamp>,
}
Add constructors that keep existing simple usage working while allowing expiration-aware credentials, for example:
Credential::with_sas_token(token)
Credential::with_sas_token_expires_at(token, expires_at)
StaticCredentialProvider::new_sas_token(token)
StaticCredentialProvider::new_sas_token_expires_at(token, expires_at)
SigningCredential::is_valid() should treat an expiring SAS token as invalid before expiration using the same kind of safety buffer used by other temporary credentials.
Compatibility notes
This is a public enum change, so the exact API shape needs care. The goal is to keep the common constructor-based path source-compatible while giving dynamic/vended SAS providers a way to trigger automatic reload through the existing Signer cache invalidation path.
Non-goals
- Do not change how a SAS token is applied to requests.
- Do not add catalog or namespace-specific behavior.
Background
reqsign_azure_storage::Credential::SasTokencurrently stores only the token string and is considered valid as long as it is non-empty. That is fine for static SAS tokens managed externally, but it is not enough for temporary vended credentials.A credential vending flow usually returns a SAS token plus an expiration timestamp. The signer should reload credentials after the token is close to expiration, just like AWS temporary credentials and Google OAuth2 tokens already do.
Proposal
Extend Azure SAS token credentials to preserve optional expiration information.
Possible shape:
Add constructors that keep existing simple usage working while allowing expiration-aware credentials, for example:
SigningCredential::is_valid()should treat an expiring SAS token as invalid before expiration using the same kind of safety buffer used by other temporary credentials.Compatibility notes
This is a public enum change, so the exact API shape needs care. The goal is to keep the common constructor-based path source-compatible while giving dynamic/vended SAS providers a way to trigger automatic reload through the existing
Signercache invalidation path.Non-goals