google-auth-library-python: Generated Access Tokens are flagged as expired prematurely
Environment details
- OS: Ubuntu
- Python version: 3.9
- pip version:
- google-auth version: 2.16.2
Steps to reproduce
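- In my Python code, I have this code to generate an access token and expiry:

```python
# Imports inferred from the names used below
from google import auth
from google.auth.transport import requests as g_auth_req

credentials, _ = auth.default()
auth_req = g_auth_req.Request()
credentials.refresh(auth_req)  # populates credentials.token and credentials.expiry
```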
I use the credentials.token and credentials.expiry and send it to my Java backend for testing permissions. I have ensured that the expiry time used to construct the Java AccessToken object is correct.
About 4-5 minutes before the actual expiry time, the testPermissions call to the backend always gives me this error: “java.lang.IllegalStateException: OAuth2Credentials instance does not support refreshing the access token. An instance with a new access token should be used, or a derived type that supports refreshing.”
We assume that the token is considered expired. Upon regeneration of the token in the Python Cloud Function, we continue to get the same expired token with the same expiry (presumably because the token generator thinks the token has not expired). A new token is generated about 3.5 to 4 minutes before the actual expiry time.
So, there seems to be a premature expiration of the token.
Google Support seems to think there is an issue in generating the token.
Thanks for any help!
About this issue
- State: closed
- Created 6 months ago
- Comments: 27 (13 by maintainers)
Yes, the Java refresh window should MAX be 4 minutes, because serverless runtimes (CloudRun, etc.) will cache tokens until 4 minutes before expiration.
I’ve opened https://github.com/googleapis/google-auth-library-java/pull/1352 to make the adjustment.
“MDS” refers to the metadata server that is hosted on the GCP environment. This is not publicly documented behavior.
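
The timing gap discussed in this thread, modelled as an added example (not code from the issue or from either library): a token source that re-serves its cached token until 4 minutes before expiry, as described above, against a consumer that treats tokens as expired some margin earlier. The 1-hour lifetime, the 5-minute consumer margin and all names are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=1)         # assumed lifetime for the model
SOURCE_CACHE_MARGIN = timedelta(minutes=4)  # from the thread: cached until 4 min before expiry


class CachingTokenSource:
    """Hypothetical model of a source that re-serves one token until it nears expiry."""

    def __init__(self, cache_margin=SOURCE_CACHE_MARGIN, lifetime=TOKEN_LIFETIME):
        self.cache_margin, self.lifetime = cache_margin, lifetime
        self._serial, self._expiry = 0, None

    def fetch(self, now):
        # Mint a new token only once the cached one is inside the cache margin.
        if self._expiry is None or now >= self._expiry - self.cache_margin:
            self._serial += 1
            self._expiry = now + self.lifetime
        return f"token-{self._serial}", self._expiry


def consumer_accepts(expiry, now, consumer_margin):
    """A consumer that treats a token as expired `consumer_margin` before its expiry."""
    return now < expiry - consumer_margin


def dead_window(consumer_margin, step=timedelta(seconds=15)):
    """Time within one token lifetime during which every fetched token is rejected."""
    source = CachingTokenSource()
    start = datetime(2023, 1, 1, tzinfo=timezone.utc)  # constructed start time
    rejected = timedelta(0)
    now = start
    while now < start + TOKEN_LIFETIME:
        _, expiry = source.fetch(now)  # the producer "refreshes" at every step
        if not consumer_accepts(expiry, now, consumer_margin):
            rejected += step  # same cached token came back, consumer refuses it
        now += step
    return rejected


if __name__ == "__main__":
    for margin in (timedelta(minutes=5), timedelta(minutes=4),
                   timedelta(minutes=3, seconds=45)):
        print(f"consumer margin {margin}: rejected for {dead_window(margin)}")
```

Any consumer margin larger than the source's cache margin leaves a window in which refreshing cannot help, because the source keeps returning the token the consumer already refuses.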