-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
callout: try to renew jwt when expire #4814
base: main
Are you sure you want to change the base?
Conversation
28b2105
to
5985098
Compare
@@ -289,7 +289,7 @@ func (s *Server) processClientOrLeafCallout(c *client, opts *Options) (authorize | |||
} | |||
|
|||
// Check if we need to set an auth timer if the user jwt expires. | |||
c.setExpiration(arc.Claims(), expiration) | |||
c.setRenewal(arc.Claims(), expiration) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should have a buffer imo. So if expiration is say 30mins, we should ask for a renewal at some point before 30mins in case auth callout service is slow to respond. So some percentage, say 10-15% (so for 30mins would be 3mins, so timer would be 27m not 30m). We should also set a max offset for smaller ttls.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to retry for slow responds?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not believe so, at least to start. Just have the buffer so we are not cutting things too close.
5985098
to
98df5fc
Compare
Any updates here or are we good for final review? |
Sorry, we have moved to another solution and forgotten about it. I am going to update the PR tomorrow |
When a jwt with expiration expires, we are going to request request a new one or disconnect the client.
Signed-off-by: Ramon Berrutti [email protected]