feat: add credentialProvider option when creating clients #2849
Conversation
dhensby
force-pushed
the
pulls/credential-providers
branch
2 times, most recently
from
398642a to
8fcb0d2
Compare
dhensby
force-pushed
the
pulls/credential-providers
branch
from
8fcb0d2 to
19bf48c
Compare
| }, { | ||
| ...GLOBAL.SERVERS.PASSWORD, | ||
| clientOptions: { | ||
| // simulate a slight pause to fetch the credentials |
There was a problem hiding this comment.
Does "simulating a pause" make the test better in any way? can't we just Promise.resolve directly?
There was a problem hiding this comment.
I found that the order of the resolution of promises could cause a problem if it was just an instantly resolving promise, that edge case wouldn't be covered.
In some instances, credentials for the redis client will be short-lived and need to be fetched on-demand when connecting to redis. This is the case when connecting in AWS using IAM authentication or Entra ID in Azure. This feature allows for a credentialProvider to be provided which is a callable function returning a Promise that resolves to a username/password object.
dhensby
force-pushed
the
pulls/credential-providers
branch
from
19bf48c to
1b0ac32
Compare
|
Hi @dhensby, thank you very much for the PR! We (Redis) are currently working on enabling not only async credential providers, but credential providers that also support rolling credentials/credential invalidation. We need them to enable EntraID (former Azure Active Directory) and more 3rd party identity providers in the future. We have a PR in the works that already covers async credential providers (check the first commit). It is similar to what you already have. We will be very happy to get your feedback. |
|
@bobymicroby great, that's exactly what I'm after (EntraID support), so glad to see that's in the works. I'll close this as superseded by #2877 |
Description
In some instances, credentials for the redis client will be short-lived and need to be fetched on-demand when connecting to redis. This is the case when connecting in AWS using IAM authentication or Entra ID in Azure.
This feature allows for a credentialProvider to be provided which is a callable function returning a Promise that resolves to a username/password object.
Closes #821
A potential enhancement to this feature could be to also return a TTL with the credentials and then automatically attempt to re-auth the client before the credentials expire; however I've assumed that logic will be the responsibility of the consumer rather than the library. Worst case scenario is that the socket disconnects due to authentication error and then re-authenticates on a future reconnection retry attempt.
Something else that is missing is an explicit decision on how errors from the credentialProvider should be surfaced.
Checklist
npm testpass with this change (including linting)?