rabbitmq-dotnet-client

Support credential refresh for OAuth 2/JWT authentication scenarios

Open michaelklishin opened this issue 4 years ago • 1 comments

Modern RabbitMQ versions support OAuth 2/JWT token authentication.

In practical terms this means that on the client side, a JWT token has to be provided in the password field. The username will be ignored (all relevant information will be taken from the decoded token). You can make such a connection today; there's nothing to change in the client.

However, JWT tokens have limited shelf life. When they expire, no operations performed by a client will be accepted as token validation will fail. Since the protocols RabbitMQ supports assume long-lived connections, there has to be a refresh mechanism. OAuth 2 clients have a different token, called the refresh token, that can be used to obtain a new JWT token with a refreshed expiration period.

In the Java client, CredentialsProvider is an interface that allows for the end user to provide a "refresh function" that, in the case of OAuth 2, will use a suitable OAuth 2 vendor client library and a refresh token to produce a new token and replace it on a connection. connection.update-secret is a new protocol extension for AMQP 0-9-1 that makes it possible to update the token for an already open connection.

The connection.update-secret protocol method is already supported in this client and can be used manually. However, this is somewhat inconvenient since the timing of updates is then up to the application developers.

This client needs its own version of a CredentialsProvider (possibly under a different name, since in the .NET world this may be an overloaded term) which is a pluggable abstraction that is expected to do a few things:

  • Accept an operation that the user provides to update the secret (JWT token) using any library or means necessary (such as a refresh token)
  • Update connection state to use the newly returned secret
  • Issue a connection.update-secret operation on the connection to update the secret on the server end

Oct 20 '20 06:10 michaelklishin
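One way an application could carry out the three steps listed in the issue above by hand, as an added example that is not part of the original post or the client's own code. `TokenRefresher`, `fetchToken` and the 80% refresh margin are hypothetical; it assumes RabbitMQ.Client 6.x, where `IConnection.UpdateSecret(newSecret, reason)` sends connection.update-secret, and that a reconnect reads the password from the factory.

```csharp
using System;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using RabbitMQ.Client;

// Hypothetical helper, not a RabbitMQ.Client type.
public sealed class TokenRefresher
{
    private readonly ConnectionFactory _factory;
    private readonly IConnection _connection;
    private readonly Func<Task<string>> _fetchToken; // user-supplied, e.g. a refresh-token grant

    public TokenRefresher(ConnectionFactory factory, IConnection connection, Func<Task<string>> fetchToken)
    {
        _factory = factory;
        _connection = connection;
        _fetchToken = fetchToken;
    }

    // Reads "exp" from the JWT payload for scheduling only. The signature is not
    // checked here; the broker validates the token when it receives it.
    public static DateTimeOffset ReadExpiry(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return DateTimeOffset.FromUnixTimeSeconds(doc.RootElement.GetProperty("exp").GetInt64());
    }

    public async Task RunAsync(string token, CancellationToken ct)
    {
        while (true)
        {
            // Refresh after 80% of the remaining lifetime (assumed margin).
            TimeSpan left = ReadExpiry(token) - DateTimeOffset.UtcNow;
            await Task.Delay(TimeSpan.FromTicks(Math.Max(0L, (long)(left.Ticks * 0.8))), ct);

            token = await _fetchToken();
            if (ReadExpiry(token) <= DateTimeOffset.UtcNow)
                throw new InvalidOperationException("token provider returned an expired token");
            _factory.Password = token; // so a later reconnect does not present the old token
            _connection.UpdateSecret(token, "JWT refresh"); // sends connection.update-secret
        }
    }
}
```

The token is a bearer credential, so keep it out of log messages and out of the `reason` string.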

Are you still aiming for fixing this issue in the 7.0.0 release?

Aug 22 '23 05:08 zapodot

@zapodot no, this will be addressed by https://github.com/rabbitmq/rabbitmq-dotnet-client/pull/1346 and shipped in 6.6.0, if I can ever get time away from supporting RabbitMQ customers that pay for support.

Aug 22 '23 13:08 lukebakken