spring-projects / spring-vault

Provides familiar Spring abstractions for HashiCorp Vault
https://spring.io/projects/spring-vault
Apache License 2.0
284 stars 186 forks

Refresh authentication token and leases related to it after expiry of authentication token #845

Closed krispanalov closed 11 months ago

krispanalov commented 11 months ago

The authentication token has its own TTL that can expire. When the token expires, all related credentials are revoked too, but we don't see events for that in the library, and thus the application continues to work with revoked credentials, i.e. all requests to the DB fail.

Our current setup:

  1. Configure credentials that expire every 2 h (for example).
  2. Configure the token to expire in 3 h (the default is 32 days, which can still be reached).
  3. We have implemented a rotating lease listener and registered it with SecretLeaseContainer. When the credentials' lease expires we request a rotating secret, and when we get the event with the new secrets we swap them. So every few minutes a renew is triggered by the lib, and every 2 h we trigger a rotate and swap the datasource credentials when we get the new ones.
  4. Now we faced a new issue: when the token expires, all credentials related to it are revoked. There is no event in the lib because, I believe, the lib is using the TTL and expiry date from the credentials' lease, which was supposed to be still valid, but Vault revoked them. So until the TTL of the credentials expires we have credentials that are revoked and not working, but at the same time no mechanism for rotating them is triggered.
  5. I tried to listen for events from AuthenticationEventPublisher and I can act when the token expires, but I'm not sure how to force re-authentication and refetching of all leases. I tried to invoke stop()/start(), but I think it doesn't trigger fetching new credentials; it just starts the schedulers, which still use the old credential TTL.

Idea: when the auth token expires, the lib can automatically expire all related TTLs and raise the usual events for credentials expiry etc. Or, if that doesn't fit all cases for a generic lib, it can at least provide a mechanism for refreshing all leases. Vault allows checking current leases, so it could first request the data from Vault; Vault will return that the credentials are not valid anymore, and then it continues the old flow of the credentials-expired event.

PS. I know that this can be fixed by making the token live forever, but the entire idea of rotating it is to not have infinite tokens, and we already hit this issue with the default 32 days, so even if we increase it, at some point we can reach that period again (of course, if it's not infinite).

Thanks
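The listener wiring from step 3 together with the token-expiry hook from step 5, written out as an added example (not code from this issue or from spring-vault itself). The role path, the credential-swapping callback and the logging are assumptions; the Spring Vault types and methods used are the public ones from the 3.x API.

```java
import java.util.Map;
import java.util.function.BiConsumer;

import org.springframework.vault.authentication.event.AuthenticationEventPublisher;
import org.springframework.vault.authentication.event.LoginTokenExpiredEvent;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;

// Keeps a datasource's credentials in step with a rotating Vault database lease.
public class RotatingDbCredentials {

    // Assumed role path: <database mount>/creds/<role>.
    private static final String CREDS_PATH = "database/creds/app-role";

    public RotatingDbCredentials(SecretLeaseContainer container,
                                 AuthenticationEventPublisher authEvents,
                                 BiConsumer<String, String> swapCredentials) {
        // Step 3 of the issue: on every new lease (initial fetch and each rotation)
        // the container publishes SecretLeaseCreatedEvent; swap the datasource
        // credentials with the username/password Vault's database engine returned.
        container.addLeaseListener(event -> {
            if (!CREDS_PATH.equals(event.getSource().getPath())) {
                return; // event belongs to a different RequestedSecret
            }
            if (event instanceof SecretLeaseCreatedEvent created) {
                Map<String, Object> data = created.getSecrets();
                Object user = data.get("username");
                Object pass = data.get("password");
                if (user != null && pass != null) {
                    swapCredentials.accept(user.toString(), pass.toString());
                }
            }
        });

        // Step 5 of the issue: login-token expiry is observable through
        // AuthenticationEventPublisher. Before the change referenced in #815, leases
        // revoked together with the token produced no lease event, so this is the
        // only signal that the current DB credentials are dead; surface it.
        authEvents.addAuthenticationListener(event -> {
            if (event instanceof LoginTokenExpiredEvent) {
                System.err.println("Vault login token expired; leases bound to it were revoked");
            }
        });

        // Mode.ROTATE: the container renews the lease and, once it can no longer be
        // renewed, requests fresh credentials instead of only reporting expiry.
        container.requestRotatingSecret(CREDS_PATH);
    }
}
```

The swap callback is where the application would update its connection pool; the token-expiry message is the point to alert on while running a release that predates the fix discussed below.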

mp911de commented 11 months ago

Thanks for reaching out. Your scenario sounds pretty much like what was resolved via #815.

Upon login token expiry, all lease-associated secrets are re-requested. Can you check whether Spring Vault 3.1.0 (or better, the snapshots) addresses your scenario?

krispanalov commented 11 months ago

@mp911de thanks for the quick reply. Indeed it looks like the same issue. I can't verify it quickly as I'll need to upgrade a few other dependencies, but looking at the PR it should solve my issue. 🙏 I think you can close the issue as solved/duplicate.

mp911de commented 11 months ago

Closing as duplicate of #815.