Introduce AuthToken rotation and session auth support #1380
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
injectives
force-pushed
the
feature/reauth
branch
7 times, most recently
from
e8bed2a to
14e47b3
Compare
injectives
force-pushed
the
feature/reauth
branch
2 times, most recently
from
fe04cec to
8b1957c
Compare
injectives
requested review from
michael-simons and
gjmwoods
and removed request for
michael-simons and
gjmwoods
injectives
force-pushed
the
feature/reauth
branch
7 times, most recently
from
a699004 to
5ab78a9
Compare
injectives
changed the title
injectives
force-pushed
the
feature/reauth
branch
3 times, most recently
from
5210782 to
4298ad7
Compare
injectives
changed the title
injectives
changed the title
injectives
force-pushed
the
feature/reauth
branch
2 times, most recently
from
b6b85b2 to
c56341e
Compare
injectives
force-pushed
the
feature/reauth
branch
3 times, most recently
from
b4ab5f5 to
dcb534f
Compare
injectives
force-pushed
the
feature/reauth
branch
6 times, most recently
from
da5b47d to
e87fd83
Compare
@michael-simons, thanks a lot for the review and for the kind comment. As you might be aware, there has been a team discussion and it has been decided to go with |
@gjmwoods many thanks for the review and for the kind comment. The comments have been addressed. |
injectives
force-pushed
the
feature/reauth
branch
7 times, most recently
from
79aa505 to
dca7a58
Compare
injectives
force-pushed
the
feature/reauth
branch
from
dca7a58 to
6ff9a8f
Compare
The main feature of this update is the support for `AuthToken` rotation, which might also be referred to as a refresh or re-auth. In practice, it allows replacing the current token with a new token during the driver's lifetime.
The main objective of this feature is to allow token rotation for the same identity. As such, it is not intended for a change of identity.
A new type called `AuthTokenManager` has the following 2 primary responsibilities:
- supplying a valid token, which may be one of the following:
- the current token
- a new token, which instructs the driver to use the new token
- handling a token expiration failure that originates from the server if it determines the current token to be expired (a timely rotation should generally reduce the likelihood of this happening)
The driver does not make judgements on whether the current `AuthToken` should be updated. Instead, it calls the `AuthTokenManager` to check if the provided token is the same as the currently used token and takes action if not. The driver reserves the right to call the manager as often as it deems necessary. The manager implementations must be thread-safe and non-blocking for caller threads. For instance, IO operations must not be done on the calling thread.
The `GraphDatabase` class has been updated to include a set of new methods that accept the `AuthTokenManager`.
An example of the driver instantiation:
```java
var manager = // the manager implementation
var driver = GraphDatabase.driver(uri, manager);
```
The token rotation benefits from the new Bolt 5.1 version, but works on previous Bolt versions at the expence of replacing existing connections with new connections.
An expiration based `AuthTokenManager` implementation is available via a new `AuthTokenManagers` factory. It manages `AuthToken` instances that come with a UTC expiration timestamp and calls a new token supplier, which is provided by the user, when a new token is required.
An example of the expiration based manager instantiation:
```java
var manager = AuthTokenManagers.expirationBased(() -> {
var token = // get new token logic
return token.expiringAt(timestamp); // a new method on AuthToken introduced for the supplied expiration based AuthTokenManager implementation
});
```
The new `LOGOFF` and `LOGON` Bolt protocol messages allow for auth management on active Bolt connections and are used by the features in this update.
In addition to the token rotation support, this update also includes support for setting a static `AuthToken` instance on the driver session level.
Unlike the rotation feature, this feature may be used for an identity change. As such, it might be referred to as user switching.
It requires a minimum Bolt 5.1 version.
The `Driver` interface has 2 new `session` methods that accept an `AuthToken` instance.
A basic example:
```java
var token = AuthTokens.bearer("token");
var session = driver.session(Session.class, token);
```
The `Driver` includes a new method that checks whether the session auth is supported.
The implementation assumes all servers to be at the same version.
Sample usage:
```java
var supports = driver.supportsSessionAuth();
```
The `Driver` includes a new method that verifies a given `AuthToken` instance by communicating with the server.
It requires a minimum Bolt 5.1 version.
Sample usage:
```java
var token = AuthTokens.bearer("token");
var successful = driver.verifyAuthentication(token);
```
There are 2 new exceptions:
- `AuthTokenManagerExecutionException` - Indicates that the `AuthTokenManager` execution has lead to an unexpected result. This includes invalid results and errors.
- `TokenExpiredRetryableException` - Indicates that the token supplied by the `AuthTokenManager` has been deemed as expired by the server. This is a retryable variant of the `TokenExpiredException` used when the driver has an explicit `AuthTokenManager` that might supply a new token following this failure. If driver is instantiated with the static `AuthToken`, the `TokenExpiredException` will be used instead.
injectives
force-pushed
the
feature/reauth
branch
from
6ff9a8f to
c2558c8
Compare
gjmwoods
approved these changes
Apr 12, 2023
injectives
added a commit
to injectives/neo4j-java-driver
that referenced
this pull request
Jun 15, 2023
The main feature of this update is the support for `AuthToken` rotation, which might also be referred to as a refresh or re-auth. In practice, it allows replacing the current token with a new token during the driver's lifetime.
The main objective of this feature is to allow token rotation for the same identity. As such, it is not intended for a change of identity.
A new type called `AuthTokenManager` has the following 2 primary responsibilities:
- supplying a valid token, which may be one of the following:
- the current token
- a new token, which instructs the driver to use the new token
- handling a token expiration failure that originates from the server if it determines the current token to be expired (a timely rotation should generally reduce the likelihood of this happening)
The driver does not make judgements on whether the current `AuthToken` should be updated. Instead, it calls the `AuthTokenManager` to check if the provided token is the same as the currently used token and takes action if not. The driver reserves the right to call the manager as often as it deems necessary. The manager implementations must be thread-safe and non-blocking for caller threads. For instance, IO operations must not be done on the calling thread.
The `GraphDatabase` class has been updated to include a set of new methods that accept the `AuthTokenManager`.
An example of the driver instantiation:
```java
var manager = // the manager implementation
var driver = GraphDatabase.driver(uri, manager);
```
The token rotation benefits from the new Bolt 5.1 version, but works on previous Bolt versions at the expence of replacing existing connections with new connections.
An expiration based `AuthTokenManager` implementation is available via a new `AuthTokenManagers` factory. It manages `AuthToken` instances that come with a UTC expiration timestamp and calls a new token supplier, which is provided by the user, when a new token is required.
An example of the expiration based manager instantiation:
```java
var manager = AuthTokenManagers.expirationBased(() -> {
var token = // get new token logic
return token.expiringAt(timestamp); // a new method on AuthToken introduced for the supplied expiration based AuthTokenManager implementation
});
```
The new `LOGOFF` and `LOGON` Bolt protocol messages allow for auth management on active Bolt connections and are used by the features in this update.
In addition to the token rotation support, this update also includes support for setting a static `AuthToken` instance on the driver session level.
Unlike the rotation feature, this feature may be used for an identity change. As such, it might be referred to as user switching.
It requires a minimum Bolt 5.1 version.
The `Driver` interface has 2 new `session` methods that accept an `AuthToken` instance.
A basic example:
```java
var token = AuthTokens.bearer("token");
var session = driver.session(Session.class, token);
```
The `Driver` includes a new method that checks whether the session auth is supported.
The implementation assumes all servers to be at the same version.
Sample usage:
```java
var supports = driver.supportsSessionAuth();
```
The `Driver` includes a new method that verifies a given `AuthToken` instance by communicating with the server.
It requires a minimum Bolt 5.1 version.
Sample usage:
```java
var token = AuthTokens.bearer("token");
var successful = driver.verifyAuthentication(token);
```
There are 2 new exceptions:
- `AuthTokenManagerExecutionException` - Indicates that the `AuthTokenManager` execution has lead to an unexpected result. This includes invalid results and errors.
- `TokenExpiredRetryableException` - Indicates that the token supplied by the `AuthTokenManager` has been deemed as expired by the server. This is a retryable variant of the `TokenExpiredException` used when the driver has an explicit `AuthTokenManager` that might supply a new token following this failure. If driver is instantiated with the static `AuthToken`, the `TokenExpiredException` will be used instead.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The main feature of this update is the support for
AuthTokenrotation, which might also be referred to as a refresh or re-auth. In practice, it allows replacing the current token with a new token during the driver's lifetime.The main objective of this feature is to allow token rotation for the same identity. As such, it is not intended for a change of identity.
A new type called
AuthTokenManagerhas the following 2 primary responsibilities:The driver does not make judgements on whether the current
AuthTokenshould be updated. Instead, it calls theAuthTokenManagerto check if the provided token is the same as the currently used token and takes action if not. The driver reserves the right to call the manager as often as it deems necessary. The manager implementations must be thread-safe and non-blocking for caller threads. For instance, IO operations must not be done on the calling thread.The
GraphDatabaseclass has been updated to include a set of new methods that accept theAuthTokenManager.An example of the driver instantiation:
The token rotation benefits from the new Bolt 5.1 version, but works on previous Bolt versions at the expence of replacing existing connections with new connections.
An expiration based
AuthTokenManagerimplementation is available via a newAuthTokenManagersfactory. It managesAuthTokeninstances that come with a UTC expiration timestamp and calls a new token supplier, which is provided by the user, when a new token is required.An example of the expiration based manager instantiation:
The new
LOGOFFandLOGONBolt protocol messages allow for auth management on active Bolt connections and are used by the features in this update.In addition to the token rotation support, this update also includes support for setting a static
AuthTokeninstance on the driver session level.Unlike the rotation feature, this feature may be used for an identity change. As such, it might be referred to as user switching.
It requires a minimum Bolt 5.1 version.
The
Driverinterface has 2 newsessionmethods that accept anAuthTokeninstance.A basic example:
The
Driverincludes a new method that checks whether the session auth is supported.The implementation assumes all servers to be at the same version.
Sample usage:
The
Driverincludes a new method that verifies a givenAuthTokeninstance by communicating with the server.It requires a minimum Bolt 5.1 version.
Sample usage:
There are 2 new exceptions:
AuthTokenManagerExecutionException- Indicates that theAuthTokenManagerexecution has lead to an unexpected result. This includes invalid results and errors.TokenExpiredRetryableException- Indicates that the token supplied by theAuthTokenManagerhas been deemed as expired by the server. This is a retryable variant of theTokenExpiredExceptionused when the driver has an explicitAuthTokenManagerthat might supply a new token following this failure. If driver is instantiated with the staticAuthToken, theTokenExpiredExceptionwill be used instead.