I set up rabbitmq_auth_backend_oauth2, which seems to work fine with JWT in terms of authentication, creating, reading and writing to queues, etc. There is one problem. When my client is authenticated, authorized and properly connected and subscribed to an exchange (within the JWT token's life span), it keeps receiving messages even after the JWT expires.
There is a need for some client action, like a publish or a queue declaration, for the RabbitMQ server to verify the token again and disconnect the client if the token has expired. If my client is just a passive receiver, it keeps getting messages for which, in my book, it is not authorized any more. How can I achieve this?
It looks like a security issue. The whole point of JWT (or access tokens in general), which should be short-lived by design, is to delegate permission with requests in a stateless manner. If the token is expired, it means that the client is no longer authorized; the server should validate the client's token before forwarding each message to it.
We cannot count on the client to willingly perform an operation which triggers token validation.
Is this possible? Is it a configuration issue, or do I need an additional plugin?
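The behaviour the question asks for, a broker-side guard that re-checks the token's `exp` before every delivery rather than waiting for a client-initiated operation, written here as an added standalone Python simulation (not RabbitMQ's or the plugin's code); the HS256 secret, the claims and the injectable clock are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret for this demonstration only; not a real key.
SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT (constructed input for exercising the guard)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def token_valid(token: str, now: float, secret: bytes = SECRET) -> bool:
    """Verify the signature and require an unexpired 'exp' claim.
    The check depends only on the token and the clock, never on client activity."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    claims = json.loads(_b64url_decode(payload))
    return "exp" in claims and now < claims["exp"]


def deliver(messages, token: str, clock) -> list:
    """Broker-side guard: re-validate the token before each delivery and stop
    (standing in for closing the consumer's connection) once it has expired."""
    delivered = []
    for msg in messages:
        if not token_valid(token, clock()):
            break
        delivered.append(msg)
    return delivered
```

With a clock advancing 10 seconds per delivery and a token expiring at t=25, a passive consumer receives three messages and is then cut off without having issued any operation.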