Introduce auth rotation and session auth support #890
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Update according ADR change + add TestKit backend support and unit tests
* move backwards compat option to driver level config * adjust `verify_authentication` and its backwards compat mode * more tests * Extended TestKit support * Fixed bugs found through TestKit
Implement change to ADR neo-technology/drivers-adr#60 The auth token provider function has been replaced by a more general-purpose auth token manager interface.
Token expired code should be marked retryable iff the driver was configured with a (non-static) auth token manager. neo-technology/drivers-adr#64
AuthManagers.temporal -> AuthManagers.expiration_based TemporalAuth-> ExpiringAuth
Signed-off-by: Andy Heap <[email protected]>
AndyHeap-NeoTech
approved these changes
Apr 11, 2023
robsdedude
changed the title
robsdedude
added a commit
to robsdedude/neo4j-python-driver
that referenced
this pull request
Aug 11, 2023
This PR updates the preview feature "re-auth" (introduced in [PR neo4j#890](neo4j#890)) significantly. The changes allow for catering to a wider range of use cases including simple password rotation. Changes (⚠️ marks breaking changes): * Removed `TokenExpiredRetryable` exception. Even though it wasn't marked preview, it was introduced with and only used for re-auth. It now longer serves any purpose. * The `AuthManager` and `AsyncAuthManager` abstract classes were changed. The method `on_auth_expired(self, auth: _TAuth) -> None` was removed in favor of `def handle_security_exception(self, auth: _TAuth, error: Neo4jError) -> bool`. See the API docs for more details. * The factories in `AsyncAuthManagers`a nd `AuthManagers` were changed. * `expiration_based` was renamed to `bearer`. * `basic` was added to cater for password rotation.
robsdedude
added a commit
to robsdedude/neo4j-python-driver
that referenced
this pull request
Aug 11, 2023
This PR updates the preview feature "re-auth" (introduced in [PR neo4j#890](neo4j#890)) significantly. The changes allow for catering to a wider range of use cases including simple password rotation. (⚠️ breaking) changes: * Removed `TokenExpiredRetryable` exception. Even though it wasn't marked preview, it was introduced with and only used for re-auth. It now longer serves any purpose. * The `AuthManager` and `AsyncAuthManager` abstract classes were changed. The method `on_auth_expired(self, auth: _TAuth) -> None` was removed in favor of `def handle_security_exception(self, auth: _TAuth, error: Neo4jError) -> bool`. See the API docs for more details. * The factories in `AsyncAuthManagers`a nd `AuthManagers` were changed. * `expiration_based` was renamed to `bearer`. * `basic` was added to cater for password rotation.
robsdedude
added a commit
to robsdedude/neo4j-python-driver
that referenced
this pull request
Aug 11, 2023
This PR updates the preview feature "re-auth" (introduced in [PR neo4j#890](neo4j#890)) significantly. The changes allow for catering to a wider range of use cases including simple password rotation. (⚠️ Breaking) changes: * Removed `TokenExpiredRetryable` exception. Even though it wasn't marked preview, it was introduced with and only used for re-auth. It now longer serves any purpose. * The `AuthManager` and `AsyncAuthManager` abstract classes were changed. The method `on_auth_expired(self, auth: _TAuth) -> None` was removed in favor of `def handle_security_exception(self, auth: _TAuth, error: Neo4jError) -> bool`. See the API docs for more details. * The factories in `AsyncAuthManagers`a nd `AuthManagers` were changed. * `expiration_based` was renamed to `bearer`. * `basic` was added to cater for password rotation.
robsdedude
added a commit
that referenced
this pull request
Aug 22, 2023
This PR updates the preview feature "re-auth" (introduced in [PR #890](#890)) significantly. The changes allow for catering to a wider range of use cases including simple password rotation. (⚠️ Breaking) changes: * Removed `TokenExpiredRetryable` exception. Even though it wasn't marked preview, it was introduced with and only used for re-auth. It now longer serves any purpose. * The `AuthManager` and `AsyncAuthManager` abstract classes were changed. The method `on_auth_expired(self, auth: _TAuth) -> None` was removed in favor of `def handle_security_exception(self, auth: _TAuth, error: Neo4jError) -> bool`. See the API docs for more details. * The factories in `AsyncAuthManagers`a nd `AuthManagers` were changed. * `expiration_based` was renamed to `bearer`. * `basic` was added to cater for password rotation.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ADR 012: re-authentication
This PR introduces two new auth mechanics for different use-cases
Note that all APIs introduced in this PR are previews
See https://github.com/neo4j/neo4j-python-driver/wiki/preview-features
1) Auth Rotation
This is used for auth tokens that is expected to expire (e.g., SSO).
A
neo4j.auth_management.AuthManagerinstance(or
neo4j.auth_management.AsyncAuthManagerfor async driver) may be passedto the driver instead of a static auth token.
The easiest way to get started is using the provided
AuthManagerimplementation. For example:
Note
This API is explicitly not designed for switching users.
In fact, the token returned by each manager must always belong to the same
identity. Switching identities using the
AuthManageris undefined behavior.2) Session Auth
For the purpose of switching users,
Sessions can be configured with a staticauth token. This is very similar to impersonation in that all work in the
session will be executed in the security context of the user associated with
the auth token. The major difference is that impersonation does not require or
verify authentication information of the target user, however it requires
the impersonating user to have the permission to impersonate.
Note
This requires Bolt protocol version 5.3 or higher (Neo4j DBMS 5.8+).
References
Depends on:
Related PRs:
Issues: