Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Testing on qecp1 with an Access Token TTL of 3 minutes showed that records beginning import failed with a 401 Unauthorized status after this time. This indicates that the import process fails when the access token expires without being refreshed.

  • Reproduced Reproducible on evr2

Possible solutions

  1. Refreshing the client token by backend modules making the request (seems like the best approach).
    Drawbacks:

    • Set “Refresh Token Max Reuse” to N > 0
      Right after the start of the import, a new AT+RT pair needs to be obtained to avoid situations where the RT is invalidated due to the user logging out or obtaining a new token. Additionally, if the value of this Refresh Token Max Reuse is strictly monitored to match the number of modules, it might work. However, if an unauthorized party accesses the key and requests a new pair of tokens, one of the modules could fail with an exception.

    • Drawbacks: A module must store a token pair for a specific jobExecutionId during operation. After a reboot, the module receives the token pair from a Kafka message. However, if that token pair has already been used to request new tokens, and the Refresh Token Max Reuse limit is reached, the module cannot obtain a new token pair. This creates a potential failure point, as the module won't be able to refresh tokens after a reboot, impacting its ability to continue the job.

  2. Obtaining a #SYS Token that does not expire: (Refer to comment).

    • The ticket linked to this comment is currently in the OPEN state, so it's uncertain how well this approach works.

    • Drawbacks: The data import process relies on user permissions, which is why a client token is required.

  3. Handling this token at the gateway:
    Drawbacks: The gateway must recognize the token used to start the data import (DI) as special and allow requests from data import with the old AT+RT pairSeparate token storage (Redis or a database schema):

    • This solution allows tokens to be stored by userId and retrieved as needed.

    • Drawbacks: Security issues (Restricting access to storage). There's a risk of desynchronization between the storage and Keycloak. Additionally, maintaining the storage introduces extra overhead, and performance issues may arise.

  4. Broadcast token distribution (Kafka, RabbitMQ, ActiveMQ):

    • Tokens are sent through messages, allowing synchronization across modules.

    • Drawbacks: It requires complex configuration and maintenance. Message delays or losses are also risky, leading to authorization issues.