Rotating OAuth2.0 Refresh Tokens
# random
s: Hi All! I'm integrating with an API which uses OAuth2.0. The API provider would seem to have opted for the uber-secure option of rotating refresh tokens each time an access token is refreshed and also revoking all tokens if a refresh token is reused (assumed man-in-the-middle attack).

I would like to wrap the API in a resource that ops can use, which handles the auth (including refreshing access tokens, etc.). I currently store credentials in GCP Secrets Manager, which is accessible as a dagster resource with read-only access to GCP Secrets Manager. But now I will need to be able to store the new refresh token every time the access token is refreshed. I could:

• keep the refresh token locally in a file (yuk)
• write the rotated refresh token back to GCP Secrets Manager (means write access, rather than read-only access to Secrets Manager)
• ...

Has anyone dealt with this scenario before? Any smart ideas on how to deal with it?
z: Have you looked at HashiCorp Vault with vault-plugin-secrets-oauthapp, using it as a dagster resource and letting Vault deal with refreshing the tokens? (I've got this working for non uber-secure API providers, YMMV)
s: @Zellers I might take a look at that. Thanks for the tip. Definitely seems neat to let something else deal with refreshing the tokens (persisting refresh tokens, etc.). I don't love the idea of having yet another independent service out there though - I would definitely prefer to keep the loop quite a lot tighter. But you've given me the idea that perhaps there is a package that will handle some of the admin of managing tokens locally, so at least I don't have to write the imminent expiry detection and refresh logic. I think I will take the short path for now and just persist the refresh token locally (yuk) while I think of something better.
z: Replace GCP Secrets Manager with Hashicorp Vault?
s: Perhaps. But our jobs use a few different services in GCP, all accessed by ops using a single service account (wrapped in a resource). If I replace some GCP stuff with Hashicorp stuff, then I double the number of credentials required and also lose the ability to manage and control these credentials in a single place, blah, blah. But I really appreciate the idea - thank you!