Support credential refresh for OAuth 2/JWT authentication scenarios #956

Closed
michaelklishin opened this issue Oct 20, 2020 · 3 comments · Fixed by #1346
Modern RabbitMQ versions support OAuth 2/JWT token authentication.

In practical terms this means that on the client side, a JWT token has to be provided in the password field. The username will be ignored (all relevant information will be taken from the decoded token).
You can make such a connection today, there's nothing to change in the client.

However, JWT tokens have limited shelf life. When they expire, no operations performed by a client will be accepted, as token validation will fail. Since the protocols RabbitMQ supports assume long-lived connections, there has to be a refresh mechanism. OAuth 2 clients have a different token, called the refresh token, that can be used to obtain a new JWT token with a refreshed expiration period.

In the Java client, CredentialsProvider is an interface that allows for the end user to provide a "refresh function" that, in the case of OAuth 2, will use a suitable OAuth 2 vendor client library and a refresh token to produce a new token and replace it on a connection. connection.update-secret is a new protocol extension for AMQP 0-9-1 that makes it possible to update the token for an already open connection.

The connection.update-secret protocol method is already supported in this client and can be used manually. However, this is somewhat inconvenient since the timing of updates is then up to the application developers.

This client needs its own version of a CredentialsProvider (possibly under a different name, since in the .NET world this may be an overloaded term) which is a pluggable abstraction that is expected to do a few things:

  • Accept an operation that the user provides to update the secret (JWT token) using any library or means necessary (such as a refresh token)
  • Update connection state to use the newly returned secret
  • Issue a connection.update-secret operation on the connection to update the secret on the server end
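The three-step refresher described above, as an added C# sketch that is not the client's shipped abstraction: it assumes a caller-supplied refresh function (for example a wrapper around an OAuth 2 vendor library and a refresh token), a JWT whose payload carries a Unix-time `exp` claim, and the existing `IConnection.UpdateSecret` method for sending connection.update-secret. The class name, the `ExpiryOf` helper and the two-thirds-of-lifetime refresh schedule are illustrative choices, not part of the project.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using RabbitMQ.Client;

// Illustrative sketch (not the client's shipped API). Assumes a caller-supplied refresh
// function and a JWT secret whose payload carries a Unix-time "exp" claim.
public sealed class JwtRefreshingCredentials : IDisposable
{
    private readonly Func<CancellationToken, Task<string>> _refresh; // user-supplied
    private readonly ConnectionFactory _factory;
    private readonly IConnection _connection;
    private readonly CancellationTokenSource _cts = new CancellationTokenSource();

    public JwtRefreshingCredentials(ConnectionFactory factory, IConnection connection,
        Func<CancellationToken, Task<string>> refresh, string initialToken)
    {
        _factory = factory; _connection = connection; _refresh = refresh;
        _ = RunAsync(initialToken); // background loop; observe it in real code to see failures
    }

    // Reads "exp" from the unverified payload: only the broker validates the signature.
    public static DateTimeOffset ExpiryOf(string jwt)
    {
        string p = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        p = p.PadRight(p.Length + (4 - p.Length % 4) % 4, '=');   // restore base64 padding
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(p)));
        return DateTimeOffset.FromUnixTimeSeconds(doc.RootElement.GetProperty("exp").GetInt64());
    }

    private async Task RunAsync(string token)
    {
        try
        {
            while (true)
            {
                // Refresh after two thirds of the remaining lifetime, so the broker never sees an expired token.
                long ticksLeft = Math.Max(0L, (ExpiryOf(token) - DateTimeOffset.UtcNow).Ticks);
                await Task.Delay(TimeSpan.FromTicks(ticksLeft * 2 / 3), _cts.Token);
                token = await _refresh(_cts.Token);                       // 1. obtain a new JWT
                _factory.Password = token;                                // 2. reconnects use the new secret
                _connection.UpdateSecret(token, "OAuth 2 token refresh"); // 3. connection.update-secret
            }
        }
        catch (OperationCanceledException) { /* disposed: stop refreshing */ }
    }

    public void Dispose() => _cts.Cancel();
}
```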
zapodot commented Aug 22, 2023

Are you still aiming for fixing this issue in the 7.0.0 release?

@lukebakken lukebakken modified the milestones: 7.0.0, 6.6.0 Aug 22, 2023
@lukebakken (Contributor) commented:

@zapodot no, this will be addressed by #1346 and shipped in 6.6.0, if I can ever get time away from supporting RabbitMQ customers that pay for support.

lukebakken added a commit that referenced this issue Sep 21, 2023
lukebakken added a commit to rabbitmq/rabbitmq-website that referenced this issue Oct 2, 2023
lukebakken added a commit that referenced this issue Oct 3, 2023
lukebakken added a commit that referenced this issue Oct 4, 2023
Follow-up to:
* #956
* #1346

UAA service, RabbitMQ mounts for UAA

Source code checkout happens _after_ service containers are started

Use conventional-actions/docker-run@v1
michaelklishin pushed a commit to rabbitmq/rabbitmq-website that referenced this issue Oct 5, 2023
lukebakken added a commit that referenced this issue Oct 5, 2023
Follow-up to:
* #956
* #1346

UAA service, RabbitMQ mounts for UAA

Source code checkout happens _after_ service containers are started

Use conventional-actions/docker-run@v1

Start adding test project for OAuth2

Converting OAuth2 test program to Xunit

Run OAuth2 tests using `dotnet test`

Refactor test to use async/await when available

Remove TestApplications/OAuth2

Simplify APIApproval a bit
lukebakken added a commit that referenced this issue Oct 5, 2023
Follow-up to:
* #956
* #1346

UAA service, RabbitMQ mounts for UAA

Source code checkout happens _after_ service containers are started

Use conventional-actions/docker-run@v1

Start adding test project for OAuth2

Converting OAuth2 test program to Xunit

Run OAuth2 tests using `dotnet test`

Refactor test to use async/await when available

Remove TestApplications/OAuth2

Simplify APIApproval a bit

Ensure main workflow does NOT run OAuth2 tests