Problem
There's no async auth step, and token refresh blocks the caller even when the current token is still valid.
Proposed change
Add an async bearer-auth step. Implement background refresh: if the token is valid but near expiry, return it immediately and refresh off-thread. Add a default fetchAsync on the token provider. Keep per-cloud token providers (GCP/Azure/K8s) and OAuth token-exchange specifics out of sdk-core — those belong in adapter modules.
Prior art: openai-java's workload-identity auth does background refresh (WorkloadIdentityAuth.kt).
Acceptance
Dependencies
Priority: medium · Effort: medium
Problem
There's no async auth step, and token refresh blocks the caller even when the current token is still valid.
Proposed change
Add an async bearer-auth step. Implement background refresh: if the token is valid but near expiry, return it immediately and refresh off-thread. Add a default
fetchAsyncon the token provider. Keep per-cloud token providers (GCP/Azure/K8s) and OAuth token-exchange specifics out of sdk-core — those belong in adapter modules.Prior art: openai-java's workload-identity auth does background refresh (
WorkloadIdentityAuth.kt).Acceptance
Dependencies
Priority: medium · Effort: medium