Fix intermittent 401 errors from token expiration race condition

[Copilot]

Intermittent 401 Unauthorized errors occurred when OAuth tokens expired between the expiration check and API call execution. No retry or fallback mechanism existed when token refresh failed.

Changes

Token Expiration Buffer

• Added configurable token_expiration_buffer (default: 30s) to refresh tokens proactively before expiration
• Modified expired? to check Time.now.utc > (@expiration - @token_expiration_buffer) instead of exact expiration
• Safely handles nil expiration values

Automatic Fallback

• prepare_token now attempts regenerate_token || get_new_token when expired
• Eliminates silent failures when token refresh returns nil

Configuration

client = OneLogin::Api::Client.new(
  client_id: 'id',
  client_secret: 'secret',
  token_expiration_buffer: 60  # Refresh 60s before expiration (default: 30)
)

The buffer prevents race conditions by ensuring tokens are refreshed before they expire during API calls. The fallback ensures credentials remain valid even when refresh endpoints fail.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Getting 401 Unauthorized for a valid set of client id and secret</issue_title>
<issue_description>We have been using this gem for our onelogin integration for a number of customers on our application and have been facing issue particularly with one set of client id and secret.

We usually pull users, apps and event logs data and one of the credentials that we have often fails
with 401 Unauthorized error message.
On manually checking the health of the credentials with postman or even restarting the process, we are able to pull API responses.

We have already handled rate limits at our end. Can we get help on what exactly might be going wrong here?</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Getting 401 Unauthorized for a valid set of client id and secret #76

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull Request Overview

Fixes intermittent 401 Unauthorized errors caused by OAuth token expiration race conditions by implementing proactive token refresh with configurable buffer time and automatic fallback mechanisms.

• Added configurable token expiration buffer (default: 30s) to refresh tokens before they expire
• Implemented automatic fallback from token refresh to new token generation when refresh fails
• Enhanced token management with improved expiration checking and error handling

Reviewed Changes

Copilot reviewed 4 out of 948 changed files in this pull request and generated 1 comment.

File	Description
lib/onelogin/api/client.rb	Core implementation of token expiration buffer, enhanced expiration checking, and fallback logic
spec/lib/onelogin/api/token_expiration_spec.rb	Comprehensive test suite covering token expiration scenarios and fallback behavior
onelogin.gemspec	Added webmock development dependency for testing
README.md	Updated documentation to include new token_expiration_buffer configuration option

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This method simply delegates to access_token without adding any value. Consider directly calling access_token in prepare_token instead of introducing this wrapper method, or add meaningful functionality if this separation is intended for future extensibility.