erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

Support refreshing the authorization header JWT token via callback #217

Closed wolfman42 closed 3 months ago

wolfman42 commented 3 months ago

Is your feature request related to a problem? Please describe.

Using the --http-headers parameter works great when I pass a fresh access token. However, JWTs typically expire after a few minutes (5 minutes in my case). Currently, I have to restart the wstunnel client regularly, which breaks existing connections.

Describe the solution you'd like

Therefore it would be great for wstunnel to support a callback that obtains a fresh token whenever it needs to make a new WebSocket connection (or reconnect). The callback could be a simple executable (or script) specified via the command line. A successful call to the access token callback should return the authorization header (or multiple headers) via StdOut.

Describe alternatives you've considered

Restarting the wstunnel client. However, this breaks existing connections, which leads to undesirable connection outages.

erebe commented 3 months ago

What about reading the headers from a file? For example, having a new flag --http-headers-file that watches this file on disk and, when its content changes, reloads the new headers from the file. I am a bit reluctant to make a special case for the Authorization header. Let me know if that sounds OK to you.

By the way, in which environment are you working to have JWTs expiring after 5 min? That's very short.

wolfman42 commented 3 months ago

Yes, that'll work for me. Our environment is a bit security conscious. JWT access tokens can be refreshed for up to 24 hours using the refresh token, though. Then a full new login would be needed. Either way, a server call is necessary to get a new valid access token.

erebe commented 3 months ago

Just to be sure, because I have a doubt now: you need to refresh the headers between your wstunnel client and wstunnel server? Not between the client and a proxy?

client ----------- token ---------> server
client --- token ---> proxy ------------> server

wolfman42 commented 3 months ago

Yes, between client ----------- token ---------> server

I have the wstunnel server deployed inside a Kubernetes cluster. The HTTP headers are checked by the ingress before the WebSocket connection is passed on to wstunnel server.

erebe commented 3 months ago

Should be good. Can you try https://github.com/erebe/wstunnel/releases/tag/v9.2.2 with the new flag --http-headers-file and let me know if it is OK for you?

erebe commented 3 months ago

Feel free to re-open if needed.

wolfman42 commented 3 months ago

Apologies. I got bogged down in other tasks at work. Will try it out soon.
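
The approach agreed on above needs something on the client side to rewrite the file passed to --http-headers-file each time the access token is refreshed. The script below is an added example, not part of the thread and not wstunnel's own code. It assumes the file holds one "Name: value" header per line and is re-read by path; the token command, the file path and the interval are placeholders.

```shell
#!/bin/sh
# Added example: keep a wstunnel --http-headers-file current with a short-lived JWT.
# Assumptions (not from the thread): one "Name: value" header per line in the file;
# the token command is a placeholder for your own identity-provider client.
LC_ALL=C; export LC_ALL

# write_headers_file PATH TOKEN
# Replaces PATH atomically so a reader never sees a half-written header.
write_headers_file() {
    path=$1 token=$2
    # A compact JWT is base64url segments joined by dots. Rejecting anything
    # else also blocks CR/LF, which would add extra header lines to the file.
    case "$token" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing malformed token" >&2; return 1 ;;
    esac
    dir=$(dirname "$path")
    # mktemp creates the file with mode 0600; same directory keeps mv a rename(2).
    tmp=$(mktemp "$dir/.headers.XXXXXX") || return 1
    if printf 'Authorization: Bearer %s\n' "$token" > "$tmp" && mv -f -- "$tmp" "$path"; then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
}

# refresh_loop PATH INTERVAL_SECONDS COMMAND [ARGS...]
# COMMAND must print a fresh access token on stdout.
refresh_loop() {
    path=$1 interval=$2
    shift 2
    while :; do
        if token=$("$@"); then
            write_headers_file "$path" "$token" || echo "headers file left unchanged" >&2
        else
            echo "token command failed; keeping previous headers" >&2
        fi
        sleep "$interval"
    done
}

# Usage (placeholder names): ./refresh-headers.sh run /run/wstunnel/headers 240 ./get-token
if [ "${1:-}" = "run" ]; then
    shift
    refresh_loop "$@"
fi
```

Pick an interval shorter than the token lifetime, and keep the file in a directory only the wstunnel user can read, since it contains a live bearer token.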