Does VaultSharp manage token life cycle? I am using VaultSharp and see the token lease duration is set at 3,600 seconds. I ran some tests within that time using a singleton instance of the VaultClient object. Everything worked as expected. Only the first API call triggered a call to login and all subsequent calls went through. Once an hour passed, a call to encrypt just threw an exception with a permission denied error. VaultSharp did not make any attempts to renew the lease or authenticate to get a new token behind the scenes. I was previously using VaultAgent and token life cycle was managed via VaultAgent. I was hoping VaultSharp would eliminate the need to use VaultAgent.
VaultSharp doesn't do token lifecycle management, at this point in time.
Vault agent is a client side daemon that runs on its own. VaultSharp is intended to be integrated into an application programmatically.
You are correct on your initial observation. VaultSharp performs the login operation only once. After that the Vault token is used for ever.
At this point, the expectation is for the consumer of the library to record the lease expiration time, and renew the creds accordingly.
If you strongly wish for the lifecycle feature, please create a GH feature request and I'll triage it.
Related
I have an application, in which I have to fetch a list of users. The API to fetch the list requires an authentication token, which expires every 1 hour. So, in order to fetch the users, I first need to make a token call and post that I need to make the fetch call. How can I cache the token which is valid for 1 hour in Node? We have multiple pods, so I need a distributed cache to make sure that the token value is the same across the pods. Will it be possible to implement it in node and how to implement it? Any kind of resources/tutorials would be really helpful.
So you're calling an external service, but you need a valid token that you have to obtain first.
Take a look at how existing software tackles it. For example, Microsoft's Graph API SDK (which also uses bearer token auth):
https://github.com/microsoftgraph/msgraph-sdk-javascript/blob/dev/docs/CustomAuthenticationProvider.md
You inject an "authentication provider" that authenticates and retrieves a token from the remote service when necessary. Next, when you need to make a call to the API, the client checks if it has a token in-memory. If it doesn't (or if it's expired), it asks the authentication provider for a new token. So, the in-memory cache layer is in the client object.
Another approach is in-memory caching, but in the Authentication Provider layer - then, the client can blindly ask it for a token every time, and let the Provider decide whether to use the current token or ask for a new one.
I would refrain from putting the token on a network-accessible cache - it opens up a potential security hole for leaking the token, and does not seem to serve any purpose.
In order to access resources in Azure AD web applications we retrieve an authorization code using the following workflow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
Now my questions is, does this retrieved code also have a specific lifetime (like tokens have) or will it never expire? I guess it won't expire but I need to be sure about that.
Yes, the authorization code has a lifetime of 10 minutes I think.
You use it to get the tokens you need and then throw it away.
You'll get refresh tokens so you can use them to get more tokens later.
ADAL.NET for example handles the token refresh for you, assuming you properly implement a token cache.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-id-and-access-tokens (scroll all the way down) (it's for the v2.0 endpoint, but codes are similarly short-lived in v1)
Authorization codes (work or school accounts)
10 minutes
Authorization codes are purposely short-lived, and should be immediately redeemed for access tokens and refresh tokens when the tokens are received.
how to do upwork authentication process triggered by azure function? currently its OAuth 1.0 process to get verifier, but how to achieve it without asking verifier each time.
you don't need to ask for a verifier every time, It's enough to authenticate a user once, receive an access token/secret pair, keep them in a safe place, and re-use to sign all next requests. It is mentioned here -
https://support.upwork.com/hc/en-us/articles/115015933448-API-Authentication-and-Security
Note that OAuth Request token expires in 600 sec. Once the Access
token is created it never expires.
Simply put, you don't need to go throw the authorization before every request. It's enough to complete it once for a particular user.
I am using MSAL for Azure AD authentication in a Xamarin app. The validity of the token is 1 day (seen using the value of ExpiresOn of AuthenticationResult).
My problem is that, after 1 hour, AcquireTokenSilentAsync fails and then AcquireToken needs to be called.
I am not able to understand that even though the token validity is 1 day, and the validity of refresh token is even more, why is it asking for authentication after every 1 hour ?
Can this be changed using any parameter value or any other way ?
Just to make a small clarification, MSAL doesn't actually issue tokens or decide a token expiration, but rather ingests an acquires token from the Azure AD STS.
MSAL will automatically refresh your access token after expiration when calling AcquireTokenSilentAsync. You're likely not getting automatic silent refreshes due to some kind of token cache miss. It's hard to say the specific issue without seeing your code, but i'll recommend comparing it against the official MSAL Xamarin code sample.
If you're building a Xamarin app, then it's a public client. The default token expirations right now are:
Access Tokens: 1 hour
Refresh Tokens: 90 days, 14 day inactive sliding window
Azure AD does allow you to configure these token expirations in PowerShell. You can define a token lifetime policy and then assign it to the specific Service Principal, across the tenant/organization, or on the application object. The other thing to keep in mind is if you're requesting a token for a specific resource, then the policy must be set on that resource rather than the requesting service principal or app. For more info on this, checkout configuring token lifetime in Azure AD.
There was an issue with the TokenCache due to which token was not stored properly and I was getting an exception. This has been resolved in the newer versions of Xamarin Android. Bug defined here
In my Node.js application I use OpenStack Swift (Object Storage) as a storage service. The app needs a authorization token to access the storage service, the (small) problem is the access token needs to be refreshed once in a couple of hours.
How should I do it to provide smooth experience to end client?
Refresh the token when expired in a reaction to OpenStack 401 response code.
Schedule the token refresh request manually via some sort of node scheduler or cron task.
The app relies heavy on access to storage service.
Using option 1 will effectively limit the access to app for my clients for a second.
This may seem nothing but if you multiply this by the number of clients its not so small.
If the application relies on some database/storage that requires authorization What is the industry standard for performing such server-to-server authorization requests?
For some reason obtaining token from OpenStack Keyrock takes a lot of time (~1s) that's why I'm asking.
NOTE: currently I'm not in a position to influence tokens lifetime.
Considering that you do not have the ability to change auth token lifetimes and are looking to hide the authorization refresh from users, it would seem only appropriate to go with your second option. Fortunately, timed asynchronous actions are easily implemented in Node.js.
It seems best to have this to have this update service rely on either the timeout threshold or expiration timing. Defining arbitrary timings doesn't seem optimal.