
fix(token): fall back to legacy TAT endpoint when OAuth v3 mint returns 5xx (#1470)#1471

Draft
rogercheng3 wants to merge 1 commit into larksuite:main from rogercheng3:fix/tat-legacy-fallback-1470

Conversation

@rogercheng3


What & why

Fixes the regression in #1470: on v1.0.53, --as bot (tenant_access_token) calls fail with HTTP 500 server_error (code 20050) for an internal app on the Lark international (larksuite) cluster, breaking every tenant-token command. v1.0.52 works because it uses the legacy mint endpoint.

Root cause: #1408 moved TAT minting to the unified OAuth v3 endpoint (accounts.{brand}/oauth/v3/token). That endpoint is healthy for unknown apps (dummy creds → clean 400 invalid_client), but returns 500 server_error while minting for (at least some) real international internal apps, while the legacy open.{brand}/open-apis/auth/v3/tenant_access_token/internal endpoint still mints fine for the same app.

Change

In internal/credential/tat_fetch.go, when /oauth/v3/token hits the existing transient branch (5xx / 429 / server_error / temporarily_unavailable / slow_down), attempt a fallback mint against the legacy per-tenant endpoint before surfacing the transient error. On any fallback failure the original v3 error is returned unchanged, so behavior for genuinely-down environments is preserved. This reuses the existing transient classification that the code already treats as non-deterministic.

⚠️ Status: proposed, NOT locally verified

I don't have a Go toolchain in this environment, so this was not built, gofmt-checked, or tested locally — please run CI / gofmt. Marking as draft for that reason. Suggested follow-up before merge:

  • Add a tat_fetch_test.go case: v3 returns 500 server_error + legacy httptest server returns {"code":0,"tenant_access_token":"t-x"} → expect FetchTAT to return t-x; and a case where both fail → expect the original v3 transient error.
  • Confirm the fallback host/path ({open}/open-apis/auth/v3/tenant_access_token/internal) and JSON request/response shape match the intended contract.
  • Maintainers may prefer this fallback live in doResolveTAT (caller) rather than FetchTAT, or be gated to brand=lark; happy to move it.

Refs #1470

🤖 Generated with Claude Code

…ns 5xx

The unified OAuth v3 token endpoint (larksuite#1408) can return HTTP 500
server_error for an app the legacy per-tenant endpoint still mints for
(observed on Lark international internal apps, see larksuite#1470), which breaks
every --as bot command. Fall back to the legacy
/open-apis/auth/v3/tenant_access_token/internal endpoint on the open
host when /oauth/v3/token returns a transient 5xx/server_error, before
surfacing the failure.

Refs larksuite#1470

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
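The fallback flow described in the PR above, written out as an added stand-alone Go example (not code from the PR or from the lark-cli project): the FetchTAT signature, the mint helper, and the tokenResp field names are assumptions here, not the project's own, and the transient classification follows the list in the description (5xx, 429, server_error, temporarily_unavailable, slow_down).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

type tokenResp struct { // covers both response shapes; field names are assumed, not the project's
	AccessToken       string `json:"access_token"`        // OAuth v3 success
	Error             string `json:"error"`               // OAuth v3 error code
	TenantAccessToken string `json:"tenant_access_token"` // legacy success
	Code              int    `json:"code"`                // legacy: 0 means success
}

// isTransient mirrors the PR's transient branch: 5xx, 429 or the retryable OAuth codes.
func isTransient(status int, oauthErr string) bool {
	retryable := map[string]bool{"server_error": true, "temporarily_unavailable": true, "slow_down": true}
	return retryable[oauthErr] || status == 429 || status >= 500
}

// mint POSTs a JSON body to url; a non-JSON response body simply leaves tr empty.
func mint(url string, body []byte) (status int, tr tokenResp, err error) {
	resp, err := http.Post(url, "application/json", bytes.NewReader(body))
	if err == nil {
		defer resp.Body.Close()
		_ = json.NewDecoder(resp.Body).Decode(&tr)
		status = resp.StatusCode
	}
	return
}

// FetchTAT mints via OAuth v3; only on a transient failure it retries the legacy endpoint, and a failed fallback keeps the original v3 error.
func FetchTAT(v3URL, legacyURL, appID, secret string) (string, error) {
	body, _ := json.Marshal(map[string]string{"app_id": appID, "app_secret": secret})
	status, tr, err := mint(v3URL, body)
	if err == nil && status == 200 && tr.AccessToken != "" {
		return tr.AccessToken, nil
	}
	v3Err := fmt.Errorf("oauth v3 mint failed: http %d %s", status, tr.Error)
	if err != nil || !isTransient(status, tr.Error) {
		return "", v3Err // deterministic failure such as 400 invalid_client: no fallback
	}
	ls, ltr, lerr := mint(legacyURL, body)
	if lerr != nil || ls != 200 || ltr.Code != 0 || ltr.TenantAccessToken == "" {
		return "", v3Err // keep the v3 error for genuinely-down environments
	}
	return ltr.TenantAccessToken, nil
}
```

The two cases the PR description asks a tat_fetch_test.go to cover (v3 500 plus a healthy legacy endpoint yields the legacy token; v3 500 plus a failing legacy endpoint yields the original v3 error) can be driven with httptest servers against FetchTAT.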
@CLAassistant

CLAassistant commented Jun 15, 2026


CLA assistant check
All committers have signed the CLA.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026


Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 43a1a669-f708-44f2-8eeb-9f9cbad74a0b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@github-actions github-actions Bot added the size/M Single-domain feat or fix with limited business impact label Jun 15, 2026