-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[node] Using an authenticated session across multiple processes eg. Service + MQ Worker #2348
Comments
This library has not been designed for multiple processes being authenticated using the same session concurrently. In order for this to be successful, you'll have to be careful about how the |
I think each process still needs an instance of |
Re-hydrating the session from storage is actually based on the refresh token being present: the access token is short-lived, and it is a sensitive piece of data, so it isn't persisted in storage. This means re-hydrating the session necessarily refreshes the token (and rotates the refresh token). |
If each process has to use refresh-token (which results in it being rotated). I don't really see how the session could be used across multiple processes. At least not without some pesky locking. It sets the Access Token expiry to 1h and the Refresh token to 24h. Having an option that opts-in to store the Access Token in the storage would make it easier to share the session across processes. Only one process would be responsible for refreshing it, possibly using a scheduler. BTW we should be already talking about storing the ID Token as in the latest Solid-OIDC. We can already treat the Access Token as it was an ID Token for the sake of converstaion. |
That's absolutely true, we are planning on a big refactor of this library to stop relying on the Access Token being issued by the OpenID Provider. When we do it, the way things are stored will evolve to rely on the Credential Management API. |
@elf-pavlik in the meantime, if you want to go outside of in-memory storage, you'd need to implement this interface/file, but backed by some sort of database (e.g., redis) — keep in mind that you'll almost definitely want to encrypt whatever you store in there, as the data stored is equivalent to a password. But as @NSeydoux suggests, all this is planned for a major upheaval. |
Thank you @ThisIsMissEm. We do have simple redis backed implementation of I imagine that following approach could work in the future (with latest Solid-OIDC):
|
@elf-pavlik yeah, that'd make sense to me. That or have some sort of "refresh token lock", where by there's a race to the first worker to start the refresh, with an expiry in case it fails/crashes, and then perhaps go from there; But actually having a dedicated worker (not horizontally scalable, but potentially shard-able), which tries to semi-eagerly refresh the token such that the other workers all just grab the latest token & don't try refreshes. Or you could expire the access tokens in redis in accordance with the expiry information (I don't think the SDK exposes that at the moment, see: #2122 |
We are planning to add a message queue with a worker to https://github.com/janeirodigital/sai-impl-service/
It will handle things like subscribing to Solid Notifications - Webhook and other background jobs that will require an authenticated session.
I wanted to ask if we should expect any issues when the authenticated session gets used by more than one node process. I haven't dug into how refreshing of the tokens is being scheduled but I can imagine some potential issues if two processes would try refreshing tokens without coordinating it via storage. Especially when the refresh token is rotated.
Not sure how related it is to #308 but it might be 🤔
The text was updated successfully, but these errors were encountered: