Skip to content

[feature][websocket] Enforce access token expiration #24563

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
huibertalblas wants to merge 12 commits into
base: master
Choose a base branch
from
Open

[feature][websocket] Enforce access token expiration #24563

huibertalblas wants to merge 12 commits into from

Conversation

@huibertalblas
Copy link
Contributor

@huibertalblas huibertalblas commented Jul 25, 2025

Fixes that the expiration time of an access token is ignored for Websocket connections.

PIP: 292

Motivation

When a client connects via Websockets and uses a token as authentication mechanism, the validity of the token is only checked when the connection is established. When the expiry time of the token has passed, the client remains connected.

This is insecure, and makes the websocket implementation unsuitable for a use case where the enforcement of the token expiry time is important.

Modifications

From a user perspective, a few changes are noticable:

  • In the server configuration the value "authenticationRefreshCheckSeconds" can be set to specify the interval with which to check if the supplied access token has expired. By default it is disabled (-1).
  • A websocket client can now receive a notification message indicating that the used access token is about to expire, and should be updated (AUTH_CHALLENGE).
  • A websocket client can now send a new access token over the existing websocket connection to keep the session active. (AUTH_RESPONSE).

The core code modification is made in AbstractWebSocketHandler.java

  • Here the periodic check of the exiration of the AuthMethod is implemented under 'onWebSocketConnect()'. (Inspired by this)
  • The function "checkAuth()" has been split up into "checkAuthentication()" and "checkAuthorization()". The content of the function has remained mostly the same.

Modifications for requesting and receiving a new access token from the client:

  • "PulsarWebsocketDecoder.java" has been added in order to centralise the message handling (Originally in ReaderHandler, ProducerHandler & ConsumerHandler).
  • Classes under "java/org/apache/pulsar/websocket/data/..." are added to be able to sent and receive ("AUTH_CHALLENGE" & "AUTH_RESPONSE") messages.

A function in AuthenticationService.java has been added to query the configured authentication providers to keep the support for multiple authentication providers.

Verifying this change

  • Make sure that the change passes the CI checks.

This change added tests and can be verified as follows:

  • Added unit test for the PulsarWebsocketDecoder to check if incomming messages get parsed correctly.
  • Added integration check to check if the connection is dropped after the expiration time in the access token has expired.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository: Topsector-Logistiek#2

@github-actions github-actions bot added the doc-required Your PR changes impact docs and you will update later. label Jul 25, 2025
@lhotari lhotari added this to the 4.1.0 milestone Jul 25, 2025
@lhotari lhotari requested a review from codelipenghui July 25, 2025 13:01
@huibertalblas
Copy link
Contributor Author

huibertalblas commented Jul 31, 2025

/pulsarbot run-failure-checks

@coderzc coderzc modified the milestones: 4.1.0, 4.2.0 Sep 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

At least 1 approving review is required to merge this pull request.

Assignees

@huibertalblas huibertalblas

Labels

doc-required Your PR changes impact docs and you will update later. ready-to-test

Projects

None yet

Milestone

4.2.0

Development

Successfully merging this pull request may close these issues.

3 participants

@huibertalblas @lhotari @coderzc