Add proxy_connection_token option to call connect proxy with token #612

Closed
wants to merge 1 commit into from

@FZambia FZambia commented Feb 26, 2023

Proposed changes

Adding proxy_connection_token boolean option. When it's set to true:

  1. Centrifugo starts proxying connection token to the configured connect proxy. Centrifugo does not check token in any way – fully relying on the app backend to do this.
  2. On the app backend token can be validated and connection expiration set. At some point in the future getToken function on the client side will be called.
  3. Users can provide updated token to client SDK and SDK sends it to Centrifugo.
  4. Centrifugo understands that this is a token which should be proxied to the backend (because proxy_connection_token is on) and sends refresh HTTP proxy request to the backend with new token. Backend validates it and returns new expiration time to Centrifugo.
  5. Centrifugo sends refresh response to the client like it does with Centrifugo native JWT case.

So this is a workflow which allows delegating token validation to the app backend and at the same time inherit all the logic of Centrifugo native JWT. Application backend is fully responsible for token expiration checks.

Inside connect proxy handler application should:

  1. Validate token, check signature, expiration time, etc. I.e. do all the token checks.
  2. If token is valid – then return connect proxy result with user and expiration time (if needed).
  3. If token expired then application should return error 109 token expired in connect proxy response.
  4. If token invalid then application should return disconnect 3500 invalid token in connect proxy response.

Inside refresh proxy handler application should:

  1. Validate token, check signature, expiration time, etc. I.e. do all the token checks. We also suggest checking that user received from Centrifugo matches user in token.
  2. If token is valid – then return refresh proxy result with new expiration time (if needed).
  3. If token expired then application should return "result": {"expired": true} in refresh proxy response.
  4. If token invalid then application should return disconnect 3500 invalid token in refresh proxy response (TODO: this is not possible now, need to add this logic to the refresh proxy handler).

Relates centrifugal/centrifuge-js#216
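
The connect and refresh handler rules listed above, as an added sketch of an application backend; it is not code from this pull request or from Centrifugo. It assumes the proxied token arrives in a request field named `token`, that the token is an HS256 JWT with `sub` and `exp` claims, and that replies use Centrifugo's `result` / `error` / `disconnect` proxy response shape; the secret and sample tokens are constructed.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 key held only by the app backend

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims, secret=SECRET):
    """Build an HS256 JWT; used here only to construct sample input."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    body = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()

def check_token(token, now):
    """Return (claims, None) or (None, 'invalid' | 'expired')."""
    try:
        head, payload, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None, "invalid"
        want = hmac.new(SECRET, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):  # constant-time compare
            return None, "invalid"
        claims = json.loads(_b64d(payload))
        sub, exp = claims["sub"], claims["exp"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None, "invalid"
    if not isinstance(sub, str) or not sub or not isinstance(exp, int):
        return None, "invalid"
    return (None, "expired") if exp <= now else (claims, None)

INVALID = {"disconnect": {"code": 3500, "reason": "invalid token"}}

def handle_connect(req, now=None):
    claims, err = check_token(req.get("token", ""), now or int(time.time()))
    if err == "expired":
        return {"error": {"code": 109, "message": "token expired"}}
    if err:
        return INVALID
    return {"result": {"user": claims["sub"], "expire_at": claims["exp"]}}

def handle_refresh(req, now=None):
    claims, err = check_token(req.get("token", ""), now or int(time.time()))
    if err == "expired":
        return {"result": {"expired": True}}
    # Reject a valid token that belongs to a different user than the connection.
    if err or claims["sub"] != req.get("user"):
        return INVALID
    return {"result": {"expire_at": claims["exp"]}}
```

The signature is verified before the expiry check, so a forged token with a past `exp` is reported as invalid rather than expired. The disconnect reply from `handle_refresh` follows the rule as written in the description, which marks it as a TODO.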


FZambia commented Mar 7, 2023

After considering a bit more: it works, but it mostly eliminates all the performance benefits of JWTs, so trying to solve the related issue in an alternative way – fighting with root cause which prevents using native JWT mechanism of Centrifugo instead of trying to introduce custom token workflow.

@FZambia FZambia closed this Apr 16, 2023

FZambia commented Apr 16, 2023

Closed in favour of #638
