Fulton Byrne

Results 73 comments of Fulton Byrne

OK, did a lot of looking at this problem. The graph is great. It seems like the core of the problem is that the Cache isn't updating the TTL when...

I've been looking everywhere to see if Vault Agent uses [CacheMeta.Age](https://github.com/hashicorp/vault/blob/main/command/agent/cache/proxy.go#L36-L39) to calculate the effective TTL. I'm not seeing it anywhere... [vault/api/sys_leases.go#RenewWithContext](https://github.com/hashicorp/vault/blob/0dd4cda7c93d6b0fc7bf7d7b108c45a6fa7aaac6/api/sys_leases.go#L13-L34) is not cache aware. ❓ Does `RenewWithContext` need...

I found that during the `Send`, the `lease_cache` actually parses the secret, which is an opportunity to correct the TTL based on age. https://github.com/hashicorp/vault/blob/main/command/agent/cache/lease_cache.go#L307-L311 This occurs _after_ we check the cache...

@7fELF I was just coming into contact with this problem. I like this idea. So it would be best if we were able to intercept the "Age" header in any...

Seems like the whole thing needs a larger rework.
`Age` header -> Not used at all
Tokens -> TTL, but not aware of age.
WrappedSecrets do have creation info... ```...

Looking at [`sys/leases`](https://www.vaultproject.io/api-docs/system/leases#sys-leases), Read lease includes the `issue_time` and `expire_time`:

```
{
  "id": "auth/token/create/25c75065466dfc5f920525feafe47502c4c9915c",
  "issue_time": "2017-04-30T10:18:11.228946471-04:00",
  "expire_time": "2017-04-30T11:18:11.228946708-04:00",
  "last_renewal_time": null,
  "renewable": true,
  "ttl": 3558
}
```

Whereas renew does not:...

@hsimon-hashicorp I think we're a little stuck here and this seems to be a high severity issue. Without modifying the logicalResponse -> httpResponse data to include a "responseTime" indicating when...

@7fELF I took your suggestions and went looking for a way to timestamp all the responses instead of working with the `Age` header. https://github.com/hashicorp/vault/commit/45667354700429e554d096612b599395e3d516a1 Every response has a `request_id`, why...

With the `Age` header they're trying to follow HTTP Cache semantics https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

To simplify the discussion so far I put together a flow diagram. There are 2 points where the Age header will be present and it currently is being ignored or...