dashboardjavacloudcoapiotiot-analyticsiot-platformiot-solutionskafkalwm2mmicroservicesmiddlewaremqttnettyplatformsnmpthingsboardvisualizationwebsocketswidgets
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
171 lines
7.7 KiB
171 lines
7.7 KiB
///
|
|
/// Copyright © 2016-2026 The Thingsboard Authors
|
|
///
|
|
/// Licensed under the Apache License, Version 2.0 (the "License");
|
|
/// you may not use this file except in compliance with the License.
|
|
/// You may obtain a copy of the License at
|
|
///
|
|
/// http://www.apache.org/licenses/LICENSE-2.0
|
|
///
|
|
/// Unless required by applicable law or agreed to in writing, software
|
|
/// distributed under the License is distributed on an "AS IS" BASIS,
|
|
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
/// See the License for the specific language governing permissions and
|
|
/// limitations under the License.
|
|
///
|
|
|
|
import { AccessToken, ClientCredentials } from 'simple-oauth2';
|
|
import { _logger } from '../config/logger';
|
|
|
|
interface OauthBearerProviderOptions {
|
|
clientId: string;
|
|
clientSecret: string;
|
|
endpointUrl: string;
|
|
refreshThresholdMs: number;
|
|
// Optional OAuth2 scope. Required by some IdPs for client-credentials (e.g. Azure AD's "api://<id>/.default").
|
|
scope?: string;
|
|
}
|
|
|
|
const RETRY_DELAY_MS = 5000;
|
|
const MIN_REFRESH_DELAY_MS = 1000;
|
|
// Safety margin applied at serve time: if the cached token is within this window of (or past) its
|
|
// hard expiry, fetch synchronously instead of serving it. Covers a scheduled refresh that slipped
|
|
// because the unref()'d timer was starved or the process was suspended. Also absorbs minor clock skew.
|
|
const EXPIRY_SAFETY_MS = 5000;
|
|
|
|
export const oauthBearerProvider = (options: OauthBearerProviderOptions) => {
|
|
const logger = _logger('oauthBearerProvider');
|
|
if (!options.clientId || !options.clientSecret || !options.endpointUrl) {
|
|
throw new Error('Kafka OAUTHBEARER requires kafka.confluent.oauth.client_id, client_secret and endpoint_url to be set');
|
|
}
|
|
if (!/^https:\/\//i.test(options.endpointUrl)) {
|
|
logger.warn('Kafka OAuth token endpoint URL is not HTTPS (%s); client credentials will be sent unencrypted', options.endpointUrl);
|
|
}
|
|
const refreshThresholdMs = Number(options.refreshThresholdMs);
|
|
if (!Number.isFinite(refreshThresholdMs) || refreshThresholdMs < 0) {
|
|
throw new Error(`Kafka OAuth refresh_threshold must be a non-negative number, got: ${options.refreshThresholdMs}`);
|
|
}
|
|
const scope = options.scope && options.scope.trim().length > 0 ? options.scope.trim() : undefined;
|
|
let tokenUrl: URL;
|
|
try {
|
|
tokenUrl = new URL(options.endpointUrl);
|
|
} catch {
|
|
throw new Error(`Kafka OAuth endpoint_url is not a valid URL: ${options.endpointUrl}`);
|
|
}
|
|
const client = new ClientCredentials({
|
|
client: {
|
|
id: options.clientId,
|
|
secret: options.clientSecret
|
|
},
|
|
auth: {
|
|
// endpoint_url is the full token endpoint URL. Split it into host + path so
|
|
// simple-oauth2 does not append its default tokenPath (/oauth/token) and
|
|
// discard the real path (breaks Keycloak, Azure AD, Okta, etc.).
|
|
tokenHost: tokenUrl.origin,
|
|
tokenPath: tokenUrl.pathname + tokenUrl.search
|
|
}
|
|
});
|
|
|
|
// Last successfully fetched token. Kept across refreshes so a failed background refresh
|
|
// does not drop a still-valid token out from under KafkaJS (which calls this provider on
|
|
// each reauthentication). It is only swapped in after a successful refresh.
|
|
let cachedToken: string | undefined;
|
|
// Epoch ms at which cachedToken hard-expires (access_token lifetime from the IdP). 0 until the
|
|
// first successful fetch. Used to decide at serve time whether the cached token is still safe.
|
|
let cachedTokenExpiresAt = 0;
|
|
// In-flight token fetch, shared so a serve-triggered refresh and the scheduled timer (and
|
|
// concurrent KafkaJS callbacks) coalesce onto one request instead of stampeding the IdP.
|
|
let refreshInFlight: Promise<string> | undefined;
|
|
let refreshTimer: NodeJS.Timeout | undefined;
|
|
let warnedShortLivedToken = false;
|
|
|
|
function scheduleRefresh(delayMs: number): void {
|
|
if (refreshTimer) {
|
|
clearTimeout(refreshTimer);
|
|
}
|
|
const delay = Math.max(delayMs, MIN_REFRESH_DELAY_MS);
|
|
logger.info('Next Kafka OAuth token refresh in %dms', delay);
|
|
refreshTimer = setTimeout(() => {
|
|
// refreshTokenOnce() updates cachedToken on success and reschedules its own retry on failure;
|
|
// swallow here so a failed background refresh is not an unhandled rejection.
|
|
refreshTokenOnce().catch((err) => {
|
|
logger.error('Scheduled Kafka OAuth token refresh failed: %s', err?.message ?? err);
|
|
});
|
|
}, delay);
|
|
refreshTimer.unref();
|
|
}
|
|
|
|
// Coalesce concurrent refreshes (scheduled timer, serve-time fallback, parallel KafkaJS callbacks)
|
|
// onto a single in-flight request so a near-expiry burst cannot stampede the token endpoint.
|
|
function refreshTokenOnce(): Promise<string> {
|
|
if (!refreshInFlight) {
|
|
refreshInFlight = refreshToken().finally(() => {
|
|
refreshInFlight = undefined;
|
|
});
|
|
}
|
|
return refreshInFlight;
|
|
}
|
|
|
|
async function refreshToken(): Promise<string> {
|
|
logger.info('Requesting Kafka OAuth bearer token');
|
|
try {
|
|
// Client-credentials grant issues no refresh_token, so always request a fresh token.
|
|
const accessToken: AccessToken = await client.getToken(scope ? { scope } : {});
|
|
|
|
// Some IdPs return expires_in as a numeric string ("3600"); coerce before validating.
|
|
const rawExpiresIn = accessToken.token.expires_in;
|
|
const expiresIn = Number(rawExpiresIn);
|
|
if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
|
|
throw new Error(`OAuth token response has invalid "expires_in": ${rawExpiresIn}`);
|
|
}
|
|
const accessTokenValue = accessToken.token.access_token;
|
|
if (typeof accessTokenValue !== 'string' || accessTokenValue.length === 0) {
|
|
throw new Error('OAuth token response has no "access_token"');
|
|
}
|
|
|
|
const lifetimeMs = expiresIn * 1000;
|
|
cachedToken = accessTokenValue;
|
|
cachedTokenExpiresAt = Date.now() + lifetimeMs;
|
|
|
|
// If the token lifetime is shorter than the refresh threshold, refreshing "threshold
|
|
// before expiry" would fire immediately and clamp to MIN_REFRESH_DELAY_MS, hammering the
|
|
// token endpoint every second. Cap the effective threshold to half the lifetime instead.
|
|
let effectiveThresholdMs = refreshThresholdMs;
|
|
if (refreshThresholdMs >= lifetimeMs) {
|
|
effectiveThresholdMs = lifetimeMs / 2;
|
|
if (!warnedShortLivedToken) {
|
|
logger.warn('Kafka OAuth token lifetime (%dms) is <= refresh threshold (%dms); capping threshold to %dms to avoid hammering the token endpoint',
|
|
lifetimeMs, refreshThresholdMs, effectiveThresholdMs);
|
|
warnedShortLivedToken = true;
|
|
}
|
|
}
|
|
|
|
const nextRefresh = lifetimeMs - effectiveThresholdMs;
|
|
scheduleRefresh(nextRefresh);
|
|
return accessTokenValue;
|
|
} catch (err) {
|
|
logger.error('Failed to obtain Kafka OAuth bearer token, retrying in %dms', RETRY_DELAY_MS);
|
|
scheduleRefresh(RETRY_DELAY_MS);
|
|
throw err;
|
|
}
|
|
}
|
|
|
|
// Kick off the initial fetch eagerly so the first authentication is fast.
|
|
// The first fetch is retried internally; swallow here, so a startup failure is not an unhandled rejection.
|
|
refreshTokenOnce().catch(() => { /* retry already scheduled in refreshToken() */ });
|
|
|
|
return async function () {
|
|
// Serve the cached token while it is comfortably valid; the background timer rotates it
|
|
// proactively. If there is no token yet, or the cached one is within EXPIRY_SAFETY_MS of its
|
|
// hard expiry (a scheduled refresh slipped), fetch synchronously so KafkaJS never reauthenticates
|
|
// with an expired token. Concurrent callers coalesce onto the same request via refreshTokenOnce().
|
|
if (!cachedToken || Date.now() >= cachedTokenExpiresAt - EXPIRY_SAFETY_MS) {
|
|
return {
|
|
value: await refreshTokenOnce()
|
|
};
|
|
}
|
|
return {
|
|
value: cachedToken
|
|
};
|
|
};
|
|
};
|
|
|