Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token based authentication integration with core extension #3063

Draft
wants to merge 11 commits into
base: main
Choose a base branch
from
Draft

Token based authentication integration with core extension #3063

wants to merge 11 commits into from

Conversation

ggivo
Copy link
Contributor

@ggivo ggivo commented Nov 28, 2024

Provide a way for lettuce clients to use token-based authentication.
TOKENs come with a TTL. After a Redis client authenticates with a TOKEN, if they didn't renew their authentication we need to evict (close) them. The suggested approach is to leverage the existing CredentialsProvider and add support for streaming credentials to handle token refresh scenarios. Each time a new token is received connection is reauthenticated.

Make sure that:

  • You have read the contribution guidelines.
  • You have created a feature request first to discuss your contribution intent. Please reference the feature request ticket number in the pull request.
  • You applied code formatting rules using the mvn formatter:format target. Don’t submit any formatting related changes.
  • You submit test cases (unit or integration tests) that back your changes.

@ggivo ggivo changed the title Token based auth Token based authentication integration with core extension Nov 28, 2024
@ggivo ggivo force-pushed the token-based-auth branch 2 times, most recently from cb51afa to ec791b2 Compare November 28, 2024 09:17
atakavci
atakavci reviewed Dec 1, 2024
View reviewed changes
Copy link
Collaborator

@atakavci atakavci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i can anticipate what BaseRedisAuthenticationHandler holds but lets see the actual impl before moving further.

src/main/java/io/lettuce/core/RedisAuthenticationHandler.java Outdated Show resolved Hide resolved
src/main/java/io/lettuce/authx/TokenBasedRedisCredentialsProvider.java
* @return a Flux that emits all updates to the Redis credentials
*/
@Override
public Flux<RedisCredentials> credentials() {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TokenBasedRedisCredentialsProvider looks nice and clean overall, and does most of the job as i understand. Only thing i got around is that i believe it would do auth twice with the same initial token;
one with a call to

 public Mono<RedisCredentials> resolveCredentials() {
 ...

and the other with a call to

public Flux<RedisCredentials> credentials() {
...

Copy link
Contributor Author

@ggivo ggivo Dec 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, It will do it twice.
I was thinking to skip first token when subscribing since it was used during the handshake and this way avoid the second auth, but my thinking is that between the handshake and connection activation, there might be token update that we miss (it should be very rare but still possible) and end up with expired token. Also since we are targeting long running connections where we have number of reconnects, I think it is safer to leave the initial duplication of auth to avoid complex syncronisation.

@ggivo
Support for StreamingCredentials
91871b6 
     This enables use cases like credential rotation and token based auth without client disconnect. Especially with Pub/Sub clients will reduce the chnance of missing events.
ggivo added 3 commits December 8, 2024 14:09
@ggivo
Conditionally enable connection reauthentication based on client setting
5858286 
DEFAULT_REAUTHENTICATE_BEHAVIOUR
@ggivo
Client setting for enabling reauthentication
779edca 
  - Moved Authentication handler to DefaultEndpoint
  - updated since 6.6.0
@ggivo
formating
21bf696
ggivo added 3 commits December 8, 2024 15:12
@ggivo
format
631d420
@ggivo
Token based auth integration with core extension
0a10823 
Provide a way for lettuce clients to use token-based authentication.
TOKENs come with a TTL. After a Redis client authenticates with a TOKEN, if they didn't renew their authentication we need to evict (close) them. The suggested approach is to leverage the existing CredentialsProvider and add support for streaming credentials to handle token refresh scenarios. Each time a new token is received connection is reauthenticated.
@ggivo
Rebase on PR redis#3068
b7efe6c 
# Conflicts:
#	src/test/java/io/lettuce/core/AuthenticationIntegrationTests.java
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@atakavci atakavci atakavci left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ggivo @atakavci