[ 
https://issues.apache.org/jira/browse/CAMEL-20503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Joshua Grisham updated CAMEL-20503:
-----------------------------------
    Priority: Minor  (was: Major)

> camel-http OAuth2 support for caching / refreshing tokens
> ---------------------------------------------------------
>
>                 Key: CAMEL-20503
>                 URL: https://issues.apache.org/jira/browse/CAMEL-20503
>             Project: Camel
>          Issue Type: New Feature
>          Components: camel-http
>    Affects Versions: 4.4.0
>            Reporter: Joshua Grisham
>            Priority: Minor
>
> Currently the OAuth2 support in camel-http will retrieve a new token with 
> every single HTTP Request.
> It is typically a more preferred pattern to actually cache the access tokens 
> (per the same issuer, + for the same client_id + the same requested scopes) 
> as fetching tokens can be an expensive operation, plus that access tokens can 
> often have a relatively long expiration time which Camel could actually take 
> advantage of.
> Some examples:
>  * Google's 
> [OAuth2Credentials|https://cloud.google.com/java/docs/reference/google-auth-library/latest/com.google.auth.oauth2.OAuth2Credentials]
>  class supports token caching and refresh (see: 
> [https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java])
>  * Spring Security's OAuth2 client also does this "under the covers" (though 
> is a bit more complicated): 
> [https://github.com/spring-projects/spring-security/tree/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client]
> The assumption is that users might want to be able to configure the behavior 
> of this somehow, so maybe it would be good to add some additional properties 
> to control if a cache is used at all and/or how "early" tokens should be 
> refreshed before their expiration time, if the token refresh mechanism should 
> be used instead of just requesting a totally new access token from scratch, 
> etc.
> It may also be worth breaking this effort into smaller deliveries:
>  * first to add a token cache and then request new tokens only when old ones 
> are expired (depending on various config parameters)
>  * second to add a refresh mechanism to actually use the OAuth2 Refresh flow 
> instead of just fetching a totally new Access Token (with all appropriate 
> checks that a refresh token was actually given by the token provider from the 
> beginning etc...) see: 
> [https://datatracker.ietf.org/doc/html/rfc6749#section-1.5] and 
> [https://datatracker.ietf.org/doc/html/rfc6749#section-6]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
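
The first delivery proposed in the issue (cache keyed by issuer, client_id and scopes, with a new token requested shortly before expiry) could look like the sketch below. This is an added example, not code from Camel or from the reporter; the class, record and method names, the endpoint URL, the client id and the 30-second skew are all assumptions made for illustration, and the fetcher is a stand-in for the real token request and is assumed to throw on failure rather than return null.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

class OAuth2TokenCacheDemo {
    // Cache key: issuer (token endpoint) + client_id + requested scopes, order-insensitive.
    // Keeping scopes in the key prevents a broader-scoped token being reused for a narrower request.
    record Key(String tokenEndpoint, String clientId, Set<String> scopes) {
        Key { scopes = Set.copyOf(scopes); }
    }

    // expiresAt is null when the token response carried no expires_in; such tokens are never reused.
    record Token(String value, Instant expiresAt) {}

    private final ConcurrentHashMap<Key, Token> cache = new ConcurrentHashMap<>();
    private final Duration refreshSkew; // how early before expiry a new token is requested

    OAuth2TokenCacheDemo(Duration refreshSkew) { this.refreshSkew = refreshSkew; }

    // Returns the cached token unless it is missing or expires within refreshSkew of 'now'.
    // compute() is atomic per key, so concurrent callers for one key trigger a single fetch.
    String accessToken(Key key, Instant now, Function<Key, Token> fetcher) {
        return cache.compute(key, (k, cached) -> {
            boolean usable = cached != null && cached.expiresAt() != null
                    && now.plus(refreshSkew).isBefore(cached.expiresAt());
            return usable ? cached : fetcher.apply(k);
        }).value();
    }

    public static void main(String[] args) {
        AtomicInteger fetches = new AtomicInteger();
        Instant t0 = Instant.parse("2024-03-01T12:00:00Z"); // constructed clock value
        Instant[] now = { t0 };
        // Constructed stand-in for the client_credentials request; tokens live 300 s.
        Function<Key, Token> fetcher = k ->
                new Token("token-" + fetches.incrementAndGet(), now[0].plusSeconds(300));
        var cache = new OAuth2TokenCacheDemo(Duration.ofSeconds(30));
        Key read = new Key("https://idp.example/token", "camel-client", Set.of("read"));
        Key write = new Key("https://idp.example/token", "camel-client", Set.of("read", "write"));

        System.out.println(cache.accessToken(read, now[0], fetcher));  // nothing cached: fetch
        now[0] = t0.plusSeconds(200);
        System.out.println(cache.accessToken(read, now[0], fetcher));  // still valid: from cache
        System.out.println(cache.accessToken(write, now[0], fetcher)); // other scopes: own entry
        now[0] = t0.plusSeconds(280);
        System.out.println(cache.accessToken(read, now[0], fetcher));  // inside skew window: fetch
        System.out.println("fetches=" + fetches.get());
    }
}
```

The cache holds bearer tokens in process memory only; token values should not be written to logs or persisted alongside the key.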