Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token based authentication integration with core extension #3063

Merged
merged 30 commits into from
Dec 20, 2024
Merged

Token based authentication integration with core extension #3063

merged 30 commits into from
Dec 20, 2024

Conversation

ggivo
Copy link
Contributor

@ggivo ggivo commented Nov 28, 2024
edited
Loading

Description:
This PR Provides the required changes to integrate the token based authentication using the core module from redis-authx.

TokenBasedRedisCredentialsProvider is the main component which handles the id provider creation and management as well as glueing the renewal process to lettuce connection management.

An instance of TokenBasedRedisCredentialsProvider should be provided to Letuce connection through respective RedisUri. In addtion ClientOptions.ReauthenticateBehavior.ON_NEW_CREDENTIALS should be configured on the RedisClient

TokenBasedRedisCredentialsProvider lifecycle is not controlled by the RedisClient itself and need to me managed externaly. TokenBasedRedisCredentialsProvider.shutdown() method need to be invoked once no longer needed to stop renewing tokens.

The configuration and creation of TokenBasedRedisCredentialsProvider is achieved through identity provider-specific configuration builders.

MS EntraID identity provider is already provided within redis-authx.

A basic usage would look like;

 TokenAuthConfig tokenAuthConfig = EntraIDTokenAuthConfigBuilder.builder()
        .clientId("YOUR_CLIENT_ID").secret("YOUR_SECRET")
        .authority("YOUR_AUTHORITY").scopes("SCOPES").build();

TokenBasedRedisCredentialsProvider credentials = new TokenBasedRedisCredentialsProvider(tokenAuthConfig);

RedisURI uri = RedisURI.builder()
    .withHost("REDIS_HOST")
    .withPort("REDIS_PORT")
    .withAuthentication(credentials).build();  // use pre-configured token based credential provider

RedisClient client = RedisClient.create(uri);
client.setOptions(ClientOptions.builder()
         //enable re-authentication on new credentials
        .reauthenticateBehavior(ClientOptions.ReauthenticateBehavior.ON_NEW_CREDENTIALS)  
        .build());

connection = client.connect()  
...
credentials.close()
redisClient.shutdown();

Make sure that:

  • You have read the contribution guidelines.
  • You have created a feature request first to discuss your contribution intent. Please reference the feature request ticket number in the pull request.
  • You applied code formatting rules using the mvn formatter:format target. Don’t submit any formatting related changes.
  • You submit test cases (unit or integration tests) that back your changes.

@ggivo ggivo changed the title Token based auth Token based authentication integration with core extension Nov 28, 2024
@ggivo ggivo force-pushed the token-based-auth branch 2 times, most recently from cb51afa to ec791b2 Compare November 28, 2024 09:17
atakavci
atakavci reviewed Dec 1, 2024
View reviewed changes
Copy link
Collaborator

@atakavci atakavci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i can anticipate what BaseRedisAuthenticationHandler holds but lets see the actual impl before moving further.

src/main/java/io/lettuce/core/RedisAuthenticationHandler.java Outdated Show resolved Hide resolved
src/main/java/io/lettuce/authx/TokenBasedRedisCredentialsProvider.java Show resolved Hide resolved
@ggivo
Support for StreamingCredentials
91871b6 
     This enables use cases like credential rotation and token based auth without client disconnect. Especially with Pub/Sub clients will reduce the chnance of missing events.
ggivo added 3 commits December 8, 2024 14:09
@ggivo
Conditionally enable connection reauthentication based on client setting
5858286 
DEFAULT_REAUTHENTICATE_BEHAVIOUR
@ggivo
Client setting for enabling reauthentication
779edca 
  - Moved Authentication handler to DefaultEndpoint
  - updated since 6.6.0
@ggivo
formating
21bf696
ggivo added 7 commits December 10, 2024 07:13
@ggivo
dispath using connection handler
6f46022
@ggivo
Support multi with re-auth
b32f84c 
Defer the re-auth operation in case there is on-going multi
Tx in lettuce need to be externally synchronised when used in multithreaded env. Since re-auth happens from different thread we need to make sure it does not happen while there is ongoing transaction.
@ggivo
Fix EndpointId missing in events
7eaaf6b
@ggivo
format
086ccf3
@ggivo
Add unit tests for setCredenatials
61158f2
@ggivo
Skip preProcessing of auth command to avoid replacing the credential …
9a0e513 
…provider with static one provider

Add unit tests for setCredentials
@ggivo
clean up - remove dead code
6ec2846
tishun and others added 4 commits December 17, 2024 14:53
@tishun
Moved almost all code inside the new handler
110eb1a
@ggivo
fix inTransaction lock with dispatch command batch
8e9ab48
@ggivo
Remove StreamingCredentialsProvider interface.
746dd82 
move credentials() method to RedisCredentialsProvider.

Resolve issue with unsafe cast after extending RedisCredentialsProvider with supportsStreaming() method
@ggivo
Add authentication handler to ClusterPubSub connections
31341f1
ggivo added 3 commits December 18, 2024 11:54
@ggivo
Merge branch 'main' into streaming-auth
6891281
@ggivo
Token based auth integration with core extension
77c5058 
Provide a way for lettuce clients to use token-based authentication.
TOKENs come with a TTL. After a Redis client authenticates with a TOKEN, if they didn't renew their authentication we need to evict (close) them. The suggested approach is to leverage the existing CredentialsProvider and add support for streaming credentials to handle token refresh scenarios. Each time a new token is received connection is reauthenticated.
@ggivo
rebase to address "oid" core-autx lib change
3c6dbc9 
formating
ggivo added 2 commits December 18, 2024 12:16
@ggivo
Add EntraId integration tests
00de1ce 
   Verify authentication using Azure AD with service principals
@ggivo
StreamingCredentialsProvider replaced with RedisCredentialsProvider.s…
0e0f502 
…upportsStreaming()
@ggivo ggivo self-assigned this Dec 18, 2024
tishun
tishun approved these changes Dec 19, 2024
View reviewed changes
Copy link
Collaborator

@tishun tishun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

src/main/java/io/lettuce/authx/TokenBasedRedisCredentialsProvider.java Show resolved Hide resolved
src/main/java/io/lettuce/authx/TokenBasedRedisCredentialsProvider.java Outdated Show resolved Hide resolved
src/main/java/io/lettuce/authx/TokenBasedRedisCredentialsProvider.java Outdated Show resolved Hide resolved
tishun
tishun reviewed Dec 19, 2024
View reviewed changes
pom.xml Outdated Show resolved Hide resolved
tishun
tishun reviewed Dec 19, 2024
View reviewed changes
pom.xml Outdated Show resolved Hide resolved
tishun
tishun reviewed Dec 19, 2024
View reviewed changes
pom.xml Outdated Show resolved Hide resolved
@tishun tishun marked this pull request as ready for review December 20, 2024 13:46
@ggivo
add java doc for
369341c 
   TokenBasedRedisCredentialsProvider
@tishun tishun added this to the 6.6.0.RC1 milestone Dec 20, 2024
@tishun tishun merged commit eff243d into redis:main Dec 20, 2024
4 checks passed
tishun added a commit that referenced this pull request Dec 20, 2024
@ggivo @tishun
Token based authentication integration with core extension (#3063)
253cd6f 
* Support for StreamingCredentials

     This enables use cases like credential rotation and token based auth without client disconnect. Especially with Pub/Sub clients will reduce the chnance of missing events.

* Tests & publish ReauthEvent

* Clean up & Format & Add ReauthenticateEvent test

* Conditionally enable connection reauthentication based on client setting
DEFAULT_REAUTHENTICATE_BEHAVIOUR

* Client setting for enabling reauthentication
  - Moved Authentication handler to DefaultEndpoint
  - updated since 6.6.0

* formating

* resolve conflict with main

* format

* dispath using connection handler

* Support multi with re-auth
Defer the re-auth operation in case there is on-going multi
Tx in lettuce need to be externally synchronised when used in multithreaded env. Since re-auth happens from different thread we need to make sure it does not happen while there is ongoing transaction.

* Fix EndpointId missing in events

* format

* Add unit tests for setCredenatials

* Skip preProcessing of auth command to avoid replacing the credential provider with static one provider

Add unit tests for setCredentials

* clean up - remove dead code

* Moved almost all code inside the new handler

* fix inTransaction lock with dispatch command batch

* Remove StreamingCredentialsProvider interface.

move credentials() method to RedisCredentialsProvider.

Resolve issue with unsafe cast after extending RedisCredentialsProvider with supportsStreaming() method

* Add authentication handler to ClusterPubSub connections

* Token based auth integration with core extension

Provide a way for lettuce clients to use token-based authentication.
TOKENs come with a TTL. After a Redis client authenticates with a TOKEN, if they didn't renew their authentication we need to evict (close) them. The suggested approach is to leverage the existing CredentialsProvider and add support for streaming credentials to handle token refresh scenarios. Each time a new token is received connection is reauthenticated.

* rebase to address "oid" core-autx lib change
formating

* Add EntraId integration tests
   Verify authentication using Azure AD with service principals

* StreamingCredentialsProvider replaced with RedisCredentialsProvider.supportsStreaming()

* pub/sub test basic functionality with entraid auth

* Update src/main/java/io/lettuce/authx/TokenBasedRedisCredentialsProvider.java

Co-authored-by: Tihomir Krasimirov Mateev <[email protected]>

* Addressing review  comments from @tishun

* Bump redis-authx-core & redis-authx-entraid from 0.1.0-SNAPSHOT to 0.1.1-beta1

* add java doc for
   TokenBasedRedisCredentialsProvider

---------

Co-authored-by: Tihomir Mateev <[email protected]>
Co-authored-by: Tihomir Krasimirov Mateev <[email protected]>
thachlp pushed a commit to thachlp/lettuce that referenced this pull request Dec 31, 2024
@ggivo @tishun @thachlp
Token based authentication integration with core extension (redis#3063)
ffc0cd8 
* Support for StreamingCredentials

     This enables use cases like credential rotation and token based auth without client disconnect. Especially with Pub/Sub clients will reduce the chnance of missing events.

* Tests & publish ReauthEvent

* Clean up & Format & Add ReauthenticateEvent test

* Conditionally enable connection reauthentication based on client setting
DEFAULT_REAUTHENTICATE_BEHAVIOUR

* Client setting for enabling reauthentication
  - Moved Authentication handler to DefaultEndpoint
  - updated since 6.6.0

* formating

* resolve conflict with main

* format

* dispath using connection handler

* Support multi with re-auth
Defer the re-auth operation in case there is on-going multi
Tx in lettuce need to be externally synchronised when used in multithreaded env. Since re-auth happens from different thread we need to make sure it does not happen while there is ongoing transaction.

* Fix EndpointId missing in events

* format

* Add unit tests for setCredenatials

* Skip preProcessing of auth command to avoid replacing the credential provider with static one provider

Add unit tests for setCredentials

* clean up - remove dead code

* Moved almost all code inside the new handler

* fix inTransaction lock with dispatch command batch

* Remove StreamingCredentialsProvider interface.

move credentials() method to RedisCredentialsProvider.

Resolve issue with unsafe cast after extending RedisCredentialsProvider with supportsStreaming() method

* Add authentication handler to ClusterPubSub connections

* Token based auth integration with core extension

Provide a way for lettuce clients to use token-based authentication.
TOKENs come with a TTL. After a Redis client authenticates with a TOKEN, if they didn't renew their authentication we need to evict (close) them. The suggested approach is to leverage the existing CredentialsProvider and add support for streaming credentials to handle token refresh scenarios. Each time a new token is received connection is reauthenticated.

* rebase to address "oid" core-autx lib change
formating

* Add EntraId integration tests
   Verify authentication using Azure AD with service principals

* StreamingCredentialsProvider replaced with RedisCredentialsProvider.supportsStreaming()

* pub/sub test basic functionality with entraid auth

* Update src/main/java/io/lettuce/authx/TokenBasedRedisCredentialsProvider.java

Co-authored-by: Tihomir Krasimirov Mateev <[email protected]>

* Addressing review  comments from @tishun

* Bump redis-authx-core & redis-authx-entraid from 0.1.0-SNAPSHOT to 0.1.1-beta1

* add java doc for
   TokenBasedRedisCredentialsProvider

---------

Co-authored-by: Tihomir Mateev <[email protected]>
Co-authored-by: Tihomir Krasimirov Mateev <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@atakavci atakavci atakavci left review comments

@tishun tishun tishun approved these changes

Assignees

@ggivo ggivo

Labels
None yet
Projects
None yet
Milestone
6.6.0.BETA1
Development

Successfully merging this pull request may close these issues.
3 participants
@ggivo @tishun @atakavci