Add the ability to Refresh Auth Token Credentials #891
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
HI and thank you very much for taking the time to work on this PR. I am really sorry, but I have to close this PR. We've been working on a more general solution for this and other use-cases. There is no estimate yet as to when it will be released but you can see its current state here: #890 This is planned across all official drivers. Again, I'm sorry for this. Consider contacting us before starting to work a feature PR to help avoid such unlucky situations. Also, for future reference, please check the |
robsdedude
added a commit
that referenced
this pull request
Apr 12, 2023
# ADR 012: re-authentication This PR introduces two new auth mechanics for different use-cases 1) Auth Rotation 2) Session Auth (a.k.a. user switching) **Note that all APIs introduced in this PR are previews** See https://github.com/neo4j/neo4j-python-driver/wiki/preview-features ## 1) Auth Rotation This is used for auth tokens that is expected to expire (e.g., SSO). A `neo4j.auth_management.AuthManager` instance (or `neo4j.auth_management.AsyncAuthManager` for async driver) may be passed to the driver instead of a static auth token. ```python import neo4j from neo4j.auth_management import AuthManager class MyManager(AuthManager): ... # see API dos for details with neo4j.GraphDatabase.driver( "neo4j://example.com:7687", auth=MyManager(), ) as driver: ... ``` The easiest way to get started is using the provided `AuthManager` implementation. For example: ```python import neo4j from neo4j.auth_management import ( AuthManagers, ExpiringAuth, ) def auth_provider(): # some way to getting a token sso_token = get_sso_token() # assume we know our tokens expire every 60 seconds expires_in = 60 return ExpiringAuth( auth=neo4j.bearer_auth(sso_token), # Include a little buffer so that we fetch a new token # *before* the old one expires expires_in=expires_in - 10 ) with neo4j.GraphDatabase.driver( "neo4j://example.com:7687", auth=AuthManagers.temporal(auth_provider) ) as driver: ... ``` **Note** This API is explicitly *not* designed for switching users. In fact, the token returned by each manager must always belong to the same identity. Switching identities using the `AuthManager` is undefined behavior. ## 2) Session Auth For the purpose of switching users, `Session`s can be configured with a static auth token. This is very similar to impersonation in that all work in the session will be executed in the security context of the user associated with the auth token. The major difference is that impersonation does not require or verify authentication information of the target user, however it requires the impersonating user to have the permission to impersonate. **Note** This requires Bolt protocol version 5.3 or higher (Neo4j DBMS 5.8+). ```python import neo4j with neo4j.GraphDatabase.driver( "neo4j://example.com:7687", auth=("user1", "password1"), ) as driver: with driver.session(database="neo4j") as session: ... # do some work as user1 with driver.session(database="neo4j", auth=("user2", "password2")) as session: ... # do some work as user2 ``` ## References Depends on: * neo4j-drivers/testkit#539 Related PRs: * #891 Issues: * closes #834
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add the ability to Refresh Auth Token Credentials
Currently when credentials expire, driver will continue trying to connect with the outdated credentials. There is no ability to update or refresh login credentials (See #834).
This PR introduces the ability to pass an optional
credentials_refresherfunction to an authToken object which will change credentials as they become obsolete.There are no breaking changes introduced in this PR.
There is a test which uses a simple credentials_refresher to validate that these modifications do not break serialization.
Intended use
I'm a first-time contributor and have just signed the CLA