fix: replace httpretrier with httpx for proper 429 retry handling

The httpretrier library did not properly retry HTTP 429 (Too Many Requests)
responses from the AWS SSO SCIM API. Replace it with httpx which explicitly
retries on 429 and 5xx errors with configurable backoff strategies.

AWS SCIM clients now use jitter backoff to prevent thundering herd effects
during rate limiting. Google Workspace clients use exponential backoff.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: christiangda

README.md

@@ -191,7 +191,7 @@ sam deploy --parameter-overrides SyncUserFields=phoneNumbers,addresses,enterpris
 ## ⚠️ Limitations
 
 * **Group Limit**: The AWS SSO SCIM API has a limit of 50 groups per request. Please support the feature request on the [AWS Support site](https://repost.aws/questions/QUqqnVkIo_SYyF_SlX5LcUjg/aws-sso-scim-api-pagination-for-methods) to help get this limit increased.
-* **Throttling**: With a large number of users and groups, you may encounter a `ThrottlingException` from the AWS SSO SCIM API. This project uses a [retryable HTTP client](https://github.com/p2p-b2b/httpretrier) to mitigate this, but it's still a possibility.
+* **Throttling**: With a large number of users and groups, you may encounter a `ThrottlingException` from the AWS SSO SCIM API. This project uses the [httpx](https://github.com/slashdevops/httpx) library with automatic retry and jitter backoff to mitigate this, but it's still a possibility.
 * **User Status**: The Google Workspace API doesn't differentiate between normal and guest users except for their status. This project only syncs `ACTIVE` users.
 
 ## For `ssosync` Users

cmd/idpscimcli/cmd/aws.go

@@ -3,10 +3,9 @@ package cmd
 import (
 	"context"
 	"log/slog"
-	"net/http"
 	"time"
 
-	"github.com/p2p-b2b/httpretrier"
+	"github.com/slashdevops/httpx"
 	"github.com/slashdevops/idp-scim-sync/internal/version"
 	"github.com/slashdevops/idp-scim-sync/pkg/aws"
 	"github.com/spf13/cobra"
@@ -92,11 +91,12 @@ func runAWSServiceConfig(_ *cobra.Command, _ []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reqTimeout)
 	defer cancel()
 
-	httpRetryClient := httpretrier.NewClient(
-		10, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 500*time.Millisecond),
-		nil, // Use http.DefaultTransport
-	)
+	httpRetryClient := httpx.NewClientBuilder().
+		WithMaxRetries(10).
+		WithRetryStrategy(httpx.JitterBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		Build()
 
 	awsSCIMService, err := aws.NewSCIMService(httpRetryClient, cfg.AWSSCIMEndpoint, cfg.AWSSCIMAccessToken)
 	if err != nil {
@@ -120,16 +120,14 @@ func runAWSGroupsList(_ *cobra.Command, _ []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reqTimeout)
 	defer cancel()
 
-	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
-	httpTransport.MaxIdleConns = 100
-	httpTransport.MaxConnsPerHost = 100
-	httpTransport.MaxIdleConnsPerHost = 100
-
-	httpClient := httpretrier.NewClient(
-		10, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 500*time.Millisecond),
-		httpTransport,
-	)
+	httpClient := httpx.NewClientBuilder().
+		WithMaxRetries(10).
+		WithRetryStrategy(httpx.JitterBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		WithMaxIdleConns(100).
+		WithMaxIdleConnsPerHost(100).
+		Build()
 
 	awsSCIMService, err := aws.NewSCIMService(httpClient, cfg.AWSSCIMEndpoint, cfg.AWSSCIMAccessToken)
 	if err != nil {
@@ -154,16 +152,14 @@ func runAWSUsersList(_ *cobra.Command, _ []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reqTimeout)
 	defer cancel()
 
-	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
-	httpTransport.MaxIdleConns = 100
-	httpTransport.MaxConnsPerHost = 100
-	httpTransport.MaxIdleConnsPerHost = 100
-
-	httpClient := httpretrier.NewClient(
-		10, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 500*time.Millisecond),
-		httpTransport,
-	)
+	httpClient := httpx.NewClientBuilder().
+		WithMaxRetries(10).
+		WithRetryStrategy(httpx.JitterBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		WithMaxIdleConns(100).
+		WithMaxIdleConnsPerHost(100).
+		Build()
 
 	awsSCIMService, err := aws.NewSCIMService(httpClient, cfg.AWSSCIMEndpoint, cfg.AWSSCIMAccessToken)
 	if err != nil {

cmd/idpscimcli/cmd/gws.go

@@ -7,7 +7,7 @@ import (
 	"os"
 	"time"
 
-	"github.com/p2p-b2b/httpretrier"
+	"github.com/slashdevops/httpx"
 	"github.com/slashdevops/idp-scim-sync/internal/config"
 	"github.com/slashdevops/idp-scim-sync/internal/version"
 	"github.com/slashdevops/idp-scim-sync/pkg/google"
@@ -126,11 +126,12 @@ func getGWSDirectoryService(ctx context.Context) *google.DirectoryService {
 		"https://www.googleapis.com/auth/admin.directory.user.readonly",
 	}
 
-	httpRetryClient := httpretrier.NewClient(
-		3, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 100*time.Millisecond),
-		nil, // Use http.DefaultTransport
-	)
+	httpRetryClient := httpx.NewClientBuilder().
+		WithMaxRetries(3).
+		WithRetryStrategy(httpx.ExponentialBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		Build()
 
 	gServiceConfig := google.DirectoryServiceConfig{
 		UserEmail:      cfg.GWSUserEmail,

docs/Whats-New.md

@@ -2,6 +2,21 @@
 
 This document tracks notable changes, new features, and bug fixes across releases.
 
+## v0.40.1
+
+### Improved HTTP Retry Library
+
+Replaced the `httpretrier` library with [httpx](https://github.com/slashdevops/httpx), a zero-dependency HTTP client with built-in retry support.
+
+**Why:** The previous library did not properly handle HTTP `429 Too Many Requests` responses, which caused issues with AWS SSO SCIM API throttling under high load.
+
+**What changed:**
+
+* The `httpx` library automatically retries on `429` and `5xx` responses with configurable backoff strategies.
+* AWS SCIM API calls now use **jitter backoff** instead of simple exponential backoff, reducing the chance of thundering herd effects during rate limiting.
+* Google Workspace API calls use **exponential backoff** for reliable retries.
+* The `httpx` library has zero external dependencies and integrates with Go's `slog` logging.
+
 ## v0.44.0
 
 ### Configurable User Fields

go.mod

@@ -7,18 +7,18 @@ require (
 	github.com/aws/aws-sdk-go-v2 v1.41.5
 	github.com/aws/aws-sdk-go-v2/config v1.32.13
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.13
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5
 	github.com/google/go-cmp v0.7.0
-	github.com/p2p-b2b/httpretrier v0.0.4
 	github.com/pkg/errors v0.9.1
+	github.com/slashdevops/httpx v0.0.4
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/mock v0.6.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
-	google.golang.org/api v0.273.0
+	google.golang.org/api v0.273.1
 	gopkg.in/yaml.v3 v3.0.1
 )
 

go.sum

@@ -32,8 +32,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 h1:c31//R3x
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21/go.mod h1:r6+pf23ouCB718FUxaqzZdbpYFyDtehyZcmP5KL9FkA=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 h1:ZlvrNcHSFFWURB8avufQq9gFsheUgjVD9536obIknfM=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21/go.mod h1:cv3TNhVrssKR0O/xxLJVRfd2oazSnZnkUeTf6ctUwfQ=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3 h1:HwxWTbTrIHm5qY+CAEur0s/figc3qwvLWsNkF4RPToo=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0 h1:foqo/ocQ7WqKwy3FojGtZQJo0FR4vto9qnz9VaumbCo=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5 h1:z2ayoK3pOvf8ODj/vPR0FgAS5ONruBq0F94SRoW/BIU=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5/go.mod h1:mpZB5HAl4ZIISod9qCi12xZ170TbHX9CCJV5y7nb7QU=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1KxLgHBKKY/CLqwP8lg=
@@ -82,8 +82,6 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/p2p-b2b/httpretrier v0.0.4 h1:TREDrCthpm0jMTLq2T9+rf8hhH9h36W8Vf8l3L5+WiI=
-github.com/p2p-b2b/httpretrier v0.0.4/go.mod h1:0yKtg4EekYBRzwLIiRVBqh4A/I3VQRiSdBnpu5InyOw=
 github.com/pelletier/go-toml/v2 v2.3.0 h1:k59bC/lIZREW0/iVaQR8nDHxVq8OVlIzYCOJf421CaM=
 github.com/pelletier/go-toml/v2 v2.3.0/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -95,6 +93,8 @@ github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sagikazarmark/locafero v0.12.0 h1:/NQhBAkUb4+fH1jivKHWusDYFjMOOKU88eegjfxfHb4=
 github.com/sagikazarmark/locafero v0.12.0/go.mod h1:sZh36u/YSZ918v0Io+U9ogLYQJ9tLLBmM4eneO6WwsI=
+github.com/slashdevops/httpx v0.0.4 h1:XhwMl9asfiPSqBaTv4wNjwFus6RFfgsEffl33BZazK4=
+github.com/slashdevops/httpx v0.0.4/go.mod h1:RIXp0/ylq/BqDlPo8glvay29Nr6zHw6jbExJneLYXKQ=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
 github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
@@ -146,8 +146,8 @@ golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
 golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.273.0 h1:r/Bcv36Xa/te1ugaN1kdJ5LoA5Wj/cL+a4gj6FiPBjQ=
-google.golang.org/api v0.273.0/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew=
+google.golang.org/api v0.273.1 h1:L7G/TmpAMz0nKx/ciAVssVmWQiOF6+pOuXeKrWVsquY=
+google.golang.org/api v0.273.1/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew=
 google.golang.org/genproto v0.0.0-20260316180232-0b37fe3546d5 h1:JNfk58HZ8lfmXbYK2vx/UvsqIL59TzByCxPIX4TDmsE=
 google.golang.org/genproto v0.0.0-20260316180232-0b37fe3546d5/go.mod h1:x5julN69+ED4PcFk/XWayw35O0lf/nGa4aNgODCmNmw=
 google.golang.org/genproto/googleapis/api v0.0.0-20260316180232-0b37fe3546d5 h1:CogIeEXn4qWYzzQU0QqvYBM8yDF9cFYzDq9ojSpv0Js=

internal/setup/setup.go

@@ -11,8 +11,8 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
-	"github.com/p2p-b2b/httpretrier"
 	"github.com/pkg/errors"
+	"github.com/slashdevops/httpx"
 	"github.com/slashdevops/idp-scim-sync/internal/config"
 	"github.com/slashdevops/idp-scim-sync/internal/core"
 	"github.com/slashdevops/idp-scim-sync/internal/idp"
@@ -218,11 +218,12 @@ func SyncService(ctx context.Context, cfg *config.Config) (*core.SyncService, er
 		gwsServiceAccountContent = gwsServiceAccount
 	}
 
-	idpClient := httpretrier.NewClient(
-		10, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 500*time.Millisecond),
-		nil, // Use http.DefaultTransport
-	)
+	idpClient := httpx.NewClientBuilder().
+		WithMaxRetries(10).
+		WithRetryStrategy(httpx.ExponentialBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		Build()
 
 	userAgent := fmt.Sprintf("idp-scim-sync/%s", version.Version)
 
@@ -257,12 +258,13 @@ func SyncService(ctx context.Context, cfg *config.Config) (*core.SyncService, er
 
 	// AWS SCIM Service
 
-	// httpClient
-	scimClient := httpretrier.NewClient(
-		10, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 500*time.Millisecond),
-		nil, // Use http.DefaultTransport
-	)
+	// httpClient with jitter backoff to avoid thundering herd on 429 rate limits
+	scimClient := httpx.NewClientBuilder().
+		WithMaxRetries(10).
+		WithRetryStrategy(httpx.JitterBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		Build()
 
 	awsSCIM, err := aws.NewSCIMService(scimClient, cfg.AWSSCIMEndpoint, cfg.AWSSCIMAccessToken)
 	if err != nil {