Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token based authentication integration with core extension #3063

Draft
wants to merge 26 commits into
base: main
Choose a base branch
from
Draft

Token based authentication integration with core extension #3063

wants to merge 26 commits into from

Conversation

ggivo
Copy link
Contributor

@ggivo ggivo commented Nov 28, 2024
edited
Loading

Description:
This PR Provides the required changes to integrate the token based authentication using the core module from redis-authx.

TokenBasedRedisCredentialsProvider is the main component which handles the id provider creation and management as well as glueing the renewal process to lettuce connection management.

An instance of TokenBasedRedisCredentialsProvider should be provided to Letuce connection through respective RedisUri. In addtion ClientOptions.ReauthenticateBehavior.ON_NEW_CREDENTIALS should be configured on the RedisClient

TokenBasedRedisCredentialsProvider lifecycle is not controlled by the RedisClient itself and need to me managed externaly. TokenBasedRedisCredentialsProvider.shutdown() method need to be invoked once no longer needed to stop renewing tokens.

The configuration and creation of TokenBasedRedisCredentialsProvider is achieved through identity provider-specific configuration builders.

MS EntraID identity provider is already provided within redis-authx.

A basic usage would look like;

 TokenAuthConfig tokenAuthConfig = EntraIDTokenAuthConfigBuilder.builder()
        .clientId("YOUR_CLIENT_ID").secret("YOUR_SECRET")
        .authority("YOUR_AUTHORITY").scopes("SCOPES").build();

TokenBasedRedisCredentialsProvider credentials = new TokenBasedRedisCredentialsProvider(tokenAuthConfig);

RedisURI uri = RedisURI.builder()
    .withHost("REDIS_HOST")
    .withPort("REDIS_PORT")
    .withAuthentication(credentials).build();  // use pre-configured token based credential provider

RedisClient client = RedisClient.create(uri);
client.setOptions(ClientOptions.builder()
         //enable re-authentication on new credentials
        .reauthenticateBehavior(ClientOptions.ReauthenticateBehavior.ON_NEW_CREDENTIALS)  
        .build());

connection = client.connect()  
...
credentials.close()
redisClient.shutdown();

Make sure that:

  • You have read the contribution guidelines.
  • You have created a feature request first to discuss your contribution intent. Please reference the feature request ticket number in the pull request.
  • You applied code formatting rules using the mvn formatter:format target. Don’t submit any formatting related changes.
  • You submit test cases (unit or integration tests) that back your changes.

@ggivo ggivo changed the title Token based auth Token based authentication integration with core extension Nov 28, 2024
@ggivo ggivo force-pushed the token-based-auth branch 2 times, most recently from cb51afa to ec791b2 Compare November 28, 2024 09:17
atakavci
atakavci reviewed Dec 1, 2024
View reviewed changes
Copy link
Collaborator

@atakavci atakavci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i can anticipate what BaseRedisAuthenticationHandler holds but lets see the actual impl before moving further.

src/main/java/io/lettuce/core/RedisAuthenticationHandler.java Outdated Show resolved Hide resolved
src/main/java/io/lettuce/authx/TokenBasedRedisCredentialsProvider.java Show resolved Hide resolved
@ggivo
Support for StreamingCredentials
91871b6 
     This enables use cases like credential rotation and token based auth without client disconnect. Especially with Pub/Sub clients will reduce the chnance of missing events.
ggivo added 3 commits December 8, 2024 14:09
@ggivo
Conditionally enable connection reauthentication based on client setting
5858286 
DEFAULT_REAUTHENTICATE_BEHAVIOUR
@ggivo
Client setting for enabling reauthentication
779edca 
  - Moved Authentication handler to DefaultEndpoint
  - updated since 6.6.0
@ggivo
formating
21bf696
ggivo added 7 commits December 10, 2024 07:13
@ggivo
dispath using connection handler
6f46022
@ggivo
Support multi with re-auth
b32f84c 
Defer the re-auth operation in case there is on-going multi
Tx in lettuce need to be externally synchronised when used in multithreaded env. Since re-auth happens from different thread we need to make sure it does not happen while there is ongoing transaction.
@ggivo
Fix EndpointId missing in events
7eaaf6b
@ggivo
format
086ccf3
@ggivo
Add unit tests for setCredenatials
61158f2
@ggivo
Skip preProcessing of auth command to avoid replacing the credential …
9a0e513 
…provider with static one provider

Add unit tests for setCredentials
@ggivo
clean up - remove dead code
6ec2846
tishun and others added 4 commits December 17, 2024 14:53
@tishun
Moved almost all code inside the new handler
110eb1a
@ggivo
fix inTransaction lock with dispatch command batch
8e9ab48
@ggivo
Remove StreamingCredentialsProvider interface.
746dd82 
move credentials() method to RedisCredentialsProvider.

Resolve issue with unsafe cast after extending RedisCredentialsProvider with supportsStreaming() method
@ggivo
Add authentication handler to ClusterPubSub connections
31341f1
ggivo added 3 commits December 18, 2024 11:54
@ggivo
Merge branch 'main' into streaming-auth
6891281
@ggivo
Token based auth integration with core extension
77c5058 
Provide a way for lettuce clients to use token-based authentication.
TOKENs come with a TTL. After a Redis client authenticates with a TOKEN, if they didn't renew their authentication we need to evict (close) them. The suggested approach is to leverage the existing CredentialsProvider and add support for streaming credentials to handle token refresh scenarios. Each time a new token is received connection is reauthenticated.
@ggivo
rebase to address "oid" core-autx lib change
3c6dbc9 
formating
ggivo added 2 commits December 18, 2024 12:16
@ggivo
Add EntraId integration tests
00de1ce 
   Verify authentication using Azure AD with service principals
@ggivo
StreamingCredentialsProvider replaced with RedisCredentialsProvider.s…
0e0f502 
…upportsStreaming()
@ggivo ggivo self-assigned this Dec 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@atakavci atakavci atakavci left review comments

Assignees

@ggivo ggivo

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ggivo @atakavci @tishun