Support OAUTHBEARER SASL mechanism in HonoClient and service implementations #530
Comments
I got stuck on the same issue. I'm not sure how the adapter using HonoClient should react in this case (if the hono client doesn't handle this by itself).
They will need to be able to handle such errors in any case because the protocol adapter might not be able to reconnect at all. Or the protocol adapter instance might be shut down and re-scheduled to another node by Kubernetes.
They may just give up in this case. So, the adapter should do its best to handle the events without returning them to the device. Of course a 100% guarantee from the adapter side is not possible.
@sophokles73 I want to take a look into this but am wondering if it's still an issue?
@Alfusainey it is currently not a priority for me. However, if you would like to work on it, be my guest ...
Currently, components authenticate each other based on SASL PLAIN. However, under the hood, the server components forward the credentials provided by the client to Hono Auth in order to retrieve a JWT asserting the client's identity and authorities.
This mechanism has the big drawback of requiring the server to close the connection with the client once the token expires in order to trigger the client to start a new SASL handshake so that the server can retrieve a new token from Hono Auth.
It seems more desirable to allow the client to authenticate using a token in the first place. This way, the client can also refresh the token on its own behalf and update the token on the server over the (still) existing connection using e.g. AMQP 1.0 Claims based Security.
See A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth
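The difference between the two handshakes at the wire level, as an added example that is not part of the original issue and is not Hono code: it builds the SASL PLAIN message (RFC 4616) and the OAUTHBEARER initial client response from the document referenced above (RFC 7628), and parses the latter strictly on the server side. The function names are hypothetical, and the host, port and token values are constructed.

```python
import re

KVSEP = "\x01"  # RFC 7628 key/value separator (Ctrl-A)
BEARER = re.compile(r"Bearer ([A-Za-z0-9\-._~+/]+=*)")  # RFC 6750 b64token
GS2 = re.compile(r"n,(?:a=([^,]*))?,")  # "n": no channel binding


def plain_initial_response(authcid, password, authzid=""):
    """RFC 4616: authzid NUL authcid NUL passwd. The password is on the wire."""
    return "\0".join((authzid, authcid, password)).encode("utf-8")


def oauthbearer_initial_response(token, host, port, authzid=None):
    """RFC 7628 section 3.1: GS2 header plus host, port and auth pairs."""
    # saslname escaping: "=" and "," are reserved inside the GS2 header
    name = (authzid or "").replace("=", "=3D").replace(",", "=2C")
    gs2 = "n," + (f"a={name}" if authzid else "") + ","
    pairs = (f"host={host}", f"port={port}", f"auth=Bearer {token}")
    return (gs2 + KVSEP + "".join(p + KVSEP for p in pairs) + KVSEP).encode("utf-8")


def parse_oauthbearer(message):
    """Server side: return (authzid, token, fields); ValueError if malformed."""
    # Invalid UTF-8 raises UnicodeDecodeError, which is a ValueError subclass
    gs2, sep, rest = message.decode("utf-8").partition(KVSEP)
    header = GS2.fullmatch(gs2)
    if not sep or not header or not rest.endswith(KVSEP + KVSEP):
        raise ValueError("malformed OAUTHBEARER framing")
    fields = {}
    for pair in rest[:-2].split(KVSEP):
        key, eq, value = pair.partition("=")
        if not eq or not (key.isascii() and key.isalpha()) or key in fields:
            # The pair is deliberately not echoed: it may contain the token
            raise ValueError("bad or duplicate key/value pair")
        fields[key] = value
    bearer = BEARER.fullmatch(fields.get("auth", ""))
    if not bearer:
        raise ValueError("auth pair does not carry a bearer token")
    authzid = header.group(1)
    if authzid is not None:
        authzid = authzid.replace("=2C", ",").replace("=3D", "=")
    return authzid, bearer.group(1), fields


if __name__ == "__main__":
    # Constructed sample values, not taken from Hono
    msg = oauthbearer_initial_response("abc.def.ghi", "hono.example.org", 5671)
    print(msg)
    print(parse_oauthbearer(msg))
```

The parser only checks framing and extracts the token; validating the token's signature, expiry and authorities remains the server's job.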