...
From a behavior perspective, when the option is enabled and a private credential implements ExpiringCredential, the existing configuration options sasl.login.refresh.{window.factor, window.jitter, min.period.seconds, min.buffer.seconds} define when the Login implementation on the client will generate a new private credential (e.g. when it will retrieve a new bearer token). The default configuration values result in a new credential being retrieved sometime between 75% and 85% of the current credential's lifetime (e.g. sometime between 45 and 51 minutes after a token with an hour lifetime is initially retrieved). At that time, when the new token is retrieved, every connection that authenticated with the old credential will be told to re-authenticate using the new credential. After successful re-authentication, when the new credential is again refreshed (after another 45-51 minutes), the connections will be told once again to re-authenticate, etc. If a re-authentication attempt fails the connection will be told to retry after some delay depending on how many retries have been attempted (after 1 minute for the first retry, after another 2 minutes for the second retry, and every 4 minutes thereafter). Retry attempts generally occur indefinitely until either one of them succeeds or the connection is closed. There are certain errors that result in retries not being attempted (i.e. if some internal state doesn't make sense, which generally should not happen), and there are certain other errors that will only result in a retry if the existing token is still active (generally errors like an IOException, for example).
No metrics are affected/updated created by this proposal. In particular, re-authentications are not counted as authentications, and no metric counting re-authentications is created.
Although there is no technical reason preventing it, we arbitrarily decide to disallow changing identities upon re-authentication. For example, if a connection originally authenticates as USER:user1, an attempt to re-authenticate as anything else (e.g. USER:user2) will fail. Retry is allowed in this case.
...