
Support credential refresh for OAuth 2/JWT authentication scenarios #956

@michaelklishin

Description

Modern RabbitMQ versions support OAuth 2/JWT token authentication.

In practical terms this means that on the client side, a JWT token has to be provided in the password field. The username will be ignored (all relevant information will be taken from the decoded token).
You can make such a connection today, there's nothing to change in the client.

However, JWT tokens have limited shelf life. When they expire, no operations performed by a client will be accepted as token validation will fail. Since the protocols RabbitMQ supports assume long lived connections, there has to be a refresh mechanism. OAuth 2 clients have a different token, called the refresh token, that can be used to obtain a new JWT token with a refreshed expiration period.

In the Java client, CredentialsProvider is an interface that allows the end user to provide a "refresh function" that, in the case of OAuth 2, will use a suitable OAuth 2 vendor client library and a refresh token to produce a new token and replace it on a connection. connection.update-secret is a new protocol extension for AMQP 0-9-1 that makes it possible to update the token for an already open connection.

The connection.update-secret protocol method is already supported in this client and can be used manually. However, this is somewhat inconvenient since the timing of updates is then up to the application developers.

This client needs its own version of a CredentialsProvider (possibly under a different name, since in the .NET world this may be an overloaded term), which is a pluggable abstraction that is expected to do a few things:

  • Accept an operation that the user provides to update the secret (JWT token) using any library or means necessary (such as a refresh token)
  • Update connection state to use the newly returned secret
  • Issue a connection.update-secret operation on the connection to update the secret on the server end
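A sketch of what such a pluggable abstraction could look like, added here as an illustration rather than code from the .NET client or from this issue: a hypothetical JwtCredentialsRefresher takes the user's refresh operation, reads the exp claim of the current token to decide when to refresh, and then pushes the new secret to the open connection. It assumes the client's IConnection.UpdateSecret(string newSecret, string reason) method and uses only System.Text.Json for the claim lookup.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using RabbitMQ.Client;

// Hypothetical refresher, not part of the RabbitMQ .NET client API.
public sealed class JwtCredentialsRefresher : IDisposable
{
    private readonly IConnection _connection;
    private readonly Func<Task<string>> _refresh; // user-supplied, e.g. exchanges an OAuth 2 refresh token
    private readonly TimeSpan _leeway;            // refresh this long before the token's 'exp'
    private readonly CancellationTokenSource _cts = new CancellationTokenSource();

    public JwtCredentialsRefresher(IConnection connection, Func<Task<string>> refresh, TimeSpan leeway)
    {
        _connection = connection;
        _refresh = refresh;
        _leeway = leeway;
    }

    // Starts the background loop with the token the connection was opened with.
    public void Start(string currentToken) => _ = LoopAsync(currentToken, _cts.Token);

    private async Task LoopAsync(string token, CancellationToken ct)
    {
        try
        {
            while (!ct.IsCancellationRequested)
            {
                var wait = ExpiresAt(token) - DateTimeOffset.UtcNow - _leeway;
                if (wait > TimeSpan.Zero) await Task.Delay(wait, ct); // already expired: refresh now
                token = await _refresh();                                // 1. user-provided refresh operation
                _connection.UpdateSecret(token, "JWT refreshed before expiry"); // 2+3. connection.update-secret
            }
        }
        catch (OperationCanceledException) { /* disposed, exit quietly */ }
    }

    // Reads the 'exp' claim (seconds since the Unix epoch) from the JWT payload.
    // No signature check here: the broker validates the token; we only need the timing.
    public static DateTimeOffset ExpiresAt(string jwt)
    {
        var b64 = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/'); // base64url -> base64
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');   // restore stripped padding
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return DateTimeOffset.FromUnixTimeSeconds(doc.RootElement.GetProperty("exp").GetInt64());
    }

    public void Dispose() => _cts.Cancel();
}
```

If the refresh operation throws, this loop ends and the connection is left with a token that will expire; a real implementation should retry with backoff and surface the failure, since an expired token means every subsequent operation is rejected by the broker.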
