Hi,

I've a question regarding the way this tokenprovider was implemented. And it ultimately ties into my main question, which is how can I dynamically determine when a resource token is about to expire, in order to retrieve a new one.

Parts of my question are also present in this question I've asked on the cosmos-net github repo, but haven't received any responses yet. I thought it would be worth trying on this one, since it seems more particular to my issue.

Regarding your implementation, I see that your GetToken pipeline not only reads a new token, but also creates the required permission if it doesn't exist (which means you know when it is going to expire).

Is this how the Cosmos Permissions API is supposed to be used? Shouldn't the creation of the permission be part of an administrative pipeline outside of consuming application? And the application will just read a new instance of the permission previously created, with a new token.

And if I'm right in how it should be implemented (and I'm still open to being proven wrong) then how do you know, with only having the permission object (and the associated token), the lifetime of the cosmosdb token? I see no useful information on the permission object (the timestamp that's there seems to serve a different purpose).

I've tried to reverse engineer the token, hoping it's something similar to a JWT token which holds the lifetime information on itself, but have not gotten anywhere.

Is there any hope for what I'm trying to do? Or am I stuck with just having an external configuration value which I have to keep in sync with the one used when creating the permission and setting its lifetime?

Thanks, and I hope to gain some more insight into my issue.
Have a good one.