[BUG] Fixing refresh of AccessToken while its still valid.#92

Open
CoolZeroNL wants to merge 1 commit into
DelineaXPM:mainfrom
CoolZeroNL:fix_refresh_token

Conversation

@CoolZeroNL

Pull request checklist

Please check if your PR fulfills the following requirements:

  • You have read the contributing guide
  • Tests for the changes have been added
  • No current test covers this; also, tests can't be run with only a platform account (they fail), and the region lock (.com) is hardcoded in the tests. See: [FEATURE REQ] Tests improvements / not region locked. #91
  • The documentation has been reviewed and updated as needed
  • No documentation needed to be updated; this is a fix for a bug.

Description of the issue
The seconds_of_drift time is added to the expires_in value instead of subtracting from it, causing the AccessToken to appear valid for a longer period than it actually is.

+ timedelta(seconds=self.access_grant["expires_in"] + seconds_of_drift)

I have added logging into the local package.

Request after 3650 seconds:

  • Status Code: 401
  • Reason: Unauthorized

Log:

  • PasswordGrantAuthorizer -> _refresh -> if logic: triggert
  • PasswordGrantAuthorizer -> _refresh -> if logic: 2026-04-28 11:37:15.132437 > 2026-04-28 11:32:30.648406
  • PasswordGrantAuthorizer -> _refresh -> expires_in: 3650
  • PasswordGrantAuthorizer -> _refresh -> access_grant_refreshed: 2026-04-28 10:31:25.132437
  • PasswordGrantAuthorizer -> _refresh -> access_grant_refreshed + timedelta(expires_in) + seconds_of_drift: 2026-04-28 11:37:15.132437
  • PasswordGrantAuthorizer -> _refresh -> now 2026-04-28 11:32:30.648390
  • PasswordGrantAuthorizer -> _refresh -> expiration_time: 2026-04-28 11:32:15.132437

So the AccessToken will expire on: 2026-04-28 11:32:15.132437

The logic thinks it expires on: 2026-04-28 11:37:15.132437 <-- 5 min longer than its expires_in value; that is the default 300 seconds, equal to seconds_of_drift=300.

Expected behavior

The AccessToken should be refreshed before it expires.

Actual behavior

The seconds_of_drift time is added to the expires_in value instead of subtracting from it, causing the AccessToken to appear valid for a longer period than it actually is.

Your environment

API call

Steps to reproduce

Any API URL that needs auth should work. Run it for an hour (or somehow adjust the TTL of the token (expires_in value)) and see that you first get a 401 after an hour, then for a period of 5 min (seconds_of_drift value), and finally it requests a new AccessToken.

import time
import requests

from delinea.secrets.server import (
    SecretServerCloud,
    PasswordGrantAuthorizer
)

# Fill in the tenant name and platform credentials for the environment under test.
tenant = ""
username = ""
password = ""
tenant_url = f"https://{tenant}.delinea.app"
# Any endpoint that requires an authenticated call will do.
url = f"{tenant_url}/identity/api/UserMgmt/GetUserInfo"

while True:
    platform = SecretServerCloud(
        authorizer=PasswordGrantAuthorizer(tenant_url, username, password), base_url=tenant_url
    )
    # headers() asks the authorizer for the bearer token; the expiry check (_refresh) runs here.
    headers = platform.headers()
    headers.update({"Content-Type": "application/json"})
    response = requests.get(url, headers=headers, timeout=60)
    # Watch for the status flipping to 401 once the token has really expired.
    print(f"StatusCode: {response.status_code}")
    print(response.text)
    time.sleep(60)

Solution:

Subtract the seconds_of_drift:

~ + timedelta(seconds=self.access_grant["expires_in"] - seconds_of_drift)

This makes seconds_of_drift subtract from self.access_grant["expires_in"] instead of adding to it.
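The expiry arithmetic from the description, worked through with the timestamps quoted in the log above, as an added example (not the SDK's code): the expiry the client assumes under the buggy `+ seconds_of_drift` line versus the fixed `- seconds_of_drift` line, and whether the refresh check would fire at the logged `now`. The function names are hypothetical; the constants are the values from the log.

```python
from datetime import datetime, timedelta

# Values taken from the log lines quoted in the PR description.
REFRESHED_AT = datetime(2026, 4, 28, 10, 31, 25, 132437)
EXPIRES_IN = 3650          # seconds, as returned by the token endpoint
SECONDS_OF_DRIFT = 300     # the default the report refers to
NOW = datetime(2026, 4, 28, 11, 32, 30, 648390)


def real_expiry(refreshed_at, expires_in):
    """When the server actually stops accepting the token."""
    return refreshed_at + timedelta(seconds=expires_in)


def assumed_expiry(refreshed_at, expires_in, seconds_of_drift, subtract_drift):
    """Expiry the client compares 'now' against (hypothetical helper).

    subtract_drift=False reproduces the buggy line (+ seconds_of_drift), which
    pushes the assumed expiry past the real one; subtract_drift=True is the
    PR's fix, which pulls it in front of the real expiry so the refresh runs early.
    """
    offset = -seconds_of_drift if subtract_drift else seconds_of_drift
    return refreshed_at + timedelta(seconds=expires_in + offset)


def needs_refresh(now, refreshed_at, expires_in, seconds_of_drift, subtract_drift):
    """Mirrors the check in the log: refresh once 'now' is past the assumed expiry."""
    return now > assumed_expiry(refreshed_at, expires_in, seconds_of_drift, subtract_drift)


def stale_window_seconds(refreshed_at, expires_in, seconds_of_drift):
    """Seconds during which the buggy client keeps sending a token the server already rejects."""
    buggy = assumed_expiry(refreshed_at, expires_in, seconds_of_drift, subtract_drift=False)
    return int((buggy - real_expiry(refreshed_at, expires_in)).total_seconds())


if __name__ == "__main__":
    print("real expiry   :", real_expiry(REFRESHED_AT, EXPIRES_IN))
    print("buggy assumes :", assumed_expiry(REFRESHED_AT, EXPIRES_IN, SECONDS_OF_DRIFT, False))
    print("fixed assumes :", assumed_expiry(REFRESHED_AT, EXPIRES_IN, SECONDS_OF_DRIFT, True))
    print("refresh (bug) :", needs_refresh(NOW, REFRESHED_AT, EXPIRES_IN, SECONDS_OF_DRIFT, False))
    print("refresh (fix) :", needs_refresh(NOW, REFRESHED_AT, EXPIRES_IN, SECONDS_OF_DRIFT, True))
    print("401 window (s):", stale_window_seconds(REFRESHED_AT, EXPIRES_IN, SECONDS_OF_DRIFT))
```

At the logged `now` the server has already rejected the token (now is past the real expiry), yet the buggy check still reports it valid for another five minutes, which is exactly the 401 window the reproduction steps describe.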
@snyk-io

snyk-io Bot commented Apr 29, 2026

Snyk checks have failed. 4 issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (4)
        Open Source Security  0         4     0       0    4 issues
        Licenses              0         0     0       0    0 issues
        Code Security         0         0     0       0    0 issues

