Runtime Authorization/Security reload #3004
Comments
|
100% agree and this has been in discussions for awhile. We will be turning our attention more towards the clients soon (we have alot!) and this as well as general simplifications, smart reconnect etc. are all on the table. |
|
Thanks, @derekcollison, any idea where I can track this table? Surely many clients will benefit from this feature. |
|
Might make sense to create a discussion from this. |
|
Any info on this? Where would you like to create a discussion? |
|
It's very useful for me |
|
In your scenario, how would the new JWT be delivered to the client in order for the client to resend to the server? |
|
Hi @derekcollison. I plan to sign valid user JWT using the Java back-end and NATS Account in my scenario. |
|
But you would need to get that to the end clients so they can resend to the server to change the JWT "on file" for the connection. |
|
Hi @derekcollison, you didn't need any JWT file when you signed ephemeral User's JWT. I use Java SDK JwtUtils to generate a JWT token and authorize the connection. So no file is needed. You can create the token using the NATS account signing key (decentralized security).
I hope this helps |
|
Yes that helps, what I was asking you solved for but the app/client requesting new tokens. That is what I meant by the JWT needs to make it way to the app somehow. |
|
Hey folks. Any forecast on when this could be included in the NATS server? I can contribute to the Java and JS client-side implementation. Or even Go-Lang if you give me some hints on where to take a look. |
|
We are doing some client planning now (this is more client then server), will keep you posted. |
|
As a suggestion, I think it would be reasonable to unsubscribe from all the previous subscriptions that the client has (after changing the JWT key). |
|
Hello. |
|
Yes we are progressing, lots of different requirements from different users/customers but you should see something hopefully before end of year. |
|
@derekcollison Are there any updates around this issue? Is it still looking as something that can be available by the end of the year? |
|
This is planned for the 2.10 release, that and auth (and generic) callouts. The clients will need to be updated after server properly supports this but it will happen as part of the auth callout work with is the top priority after any bug fixes etc. |
|
I will code this out next week. |
Is there any progress? |
|
Yes its completed and in the dev branch and part of the dev nightly builds which will become 2.10 probably sometime in May. The auth callout also has its own ADR which has been kept up to date. So all there already and ready for the 2.10 release. |
|
Can this be accomplished now by updating the UserJWT on Opts? |
|
@brettinternet unfortunately, no. |
Feature Request
The NATS server/client could support runtime auth/security context reload.
Use Case:
If I am connected to the NATS server with a JWT token for the X.Y.Z topic, I should be able to change my JWT without re-connecting to the server.
This could be a chat application. So you have access to the a.b.c session, then requesting for access to the x.y.z session and change your JWT without the required re-connect.
Proposed Change:
The changes should be made for both - the server and the client
Who Benefits From The Change(s)?
I think any client application that requires some User JWT will benefit from this feature.
Alternative Approaches
The main goal is to do this without re-connect. I don't see that many options here.
The text was updated successfully, but these errors were encountered: