Mark all connections for closure on LDAP Auth Credential expiration #731
When an authenticated connection is made by the drivers, the server takes the raw credentials passed in the HELLO message and uses them to generate a token which is then cached and used to authorize all subsequent requests.
In some implementations of auth (principally LDAP), this cached token can expire and the original raw credentials are required to generate a new token. Since these raw credentials are not stored on the server and are only provided during connection initialization, the only way currently to refresh these tokens is by terminating the existing connection and creating new connections.
When the driver receives an error with status `Neo.ClientError.Security.AuthorizationExpired`, this should have the effect of marking all current connections as stale/invalid, forcing the driver to establish new connections and therefore refreshing the credentials cached on the server. Existing connections which are currently in use should not be interrupted.
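The behaviour described above, sketched as an added example that is not code from this pull request or from the driver: a pool-wide epoch counter marks every existing connection stale in one step, idle connections are closed when next picked up, and in-use connections are closed only when released. `Pool`, `Conn`, `epoch` and `on_error` are hypothetical names, and locking and pool sizing are left out.

```python
AUTH_EXPIRED = "Neo.ClientError.Security.AuthorizationExpired"


class Conn:
    """Stand-in for a driver connection (hypothetical, no network I/O)."""

    def __init__(self, epoch):
        self.epoch = epoch    # pool epoch when this connection sent HELLO
        self.closed = False

    def close(self):
        self.closed = True


class Pool:
    def __init__(self):
        self.epoch = 0        # bumped each time the server reports expiry
        self.idle = []
        self.in_use = set()

    def acquire(self):
        # Close idle connections that authenticated before the last expiry.
        while self.idle:
            conn = self.idle.pop()
            if conn.epoch == self.epoch:
                break
            conn.close()
        else:
            # Nothing reusable: a new connection means a new HELLO and
            # therefore a freshly generated token on the server.
            conn = Conn(self.epoch)
        self.in_use.add(conn)
        return conn

    def release(self, conn):
        self.in_use.discard(conn)
        if conn.epoch == self.epoch and not conn.closed:
            self.idle.append(conn)
        else:
            conn.close()      # stale: its work finished, now drop it

    def on_error(self, status):
        # Marks all current connections stale without touching in-use ones.
        if status == AUTH_EXPIRED:
            self.epoch += 1
```
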