Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support invalidating client's OAuth2 token after receiving an authentication exception #20107

Open
1 of 2 tasks
michaeljmarshall opened this issue Apr 14, 2023 · 3 comments · May be fixed by MMirelli/pulsar#3
Open
1 of 2 tasks

Support invalidating client's OAuth2 token after receiving an authentication exception #20107

michaeljmarshall opened this issue Apr 14, 2023 · 3 comments · May be fixed by MMirelli/pulsar#3
Labels
area/authn area/client Stale type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages

Comments

@michaeljmarshall
Copy link
Member

Search before asking

  • I searched in the issues and found nothing similar.

Motivation

The AuthenticationOAuth2 provider only retrieves a new token when the current one has expired.

pulsar/pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth/oauth2/AuthenticationOAuth2.java

Lines 99 to 106 in 82237d3

@Override
public synchronized AuthenticationDataProvider getAuthData() throws PulsarClientException {
if (this.cachedToken == null || this.cachedToken.isExpired()) {
TokenResult tr = this.flow.authenticate();
this.cachedToken = new CachedToken(tr);
}
return this.cachedToken.getAuthData();
}

However, when there is an unexpected signing key rotation, which can happen for several reasons, a client will fail to authenticate until the token expires.

Solution

The client could invalidate the cached token and retrieve a new one. Note that this is happening when authentication has already failed, so the current token is already known to be invalid.

Alternatives

No response

Anything else?

No response

Are you willing to submit a PR?

  • I'm willing to submit a PR!
@michaeljmarshall michaeljmarshall added type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages area/client component/client-java area/authn labels Apr 14, 2023
@sijie sijie mentioned this issue Apr 14, 2023
Open
2 tasks
@github-actions
Copy link

The issue had no activity for 30 days, mark with Stale label.

@github-actions github-actions bot added the Stale label May 15, 2023
@MMirelli
Copy link
Contributor

I am trying to solve this one.

@github-actions github-actions bot removed the Stale label May 17, 2023
@MMirelli MMirelli linked a pull request May 19, 2023 that will close this issue
Open
15 tasks
@github-actions
Copy link

The issue had no activity for 30 days, mark with Stale label.

@github-actions github-actions bot added the Stale label Jun 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/authn area/client Stale type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[fix][client]Add support to invalidate client OAuth2 tokens MMirelli/pulsar
3 participants
@codelipenghui @MMirelli @michaeljmarshall