Joshua Grisham created CAMEL-20503:
--------------------------------------

             Summary: camel-http OAuth2 support for caching / refreshing tokens
                 Key: CAMEL-20503
                 URL: https://issues.apache.org/jira/browse/CAMEL-20503
             Project: Camel
          Issue Type: New Feature
          Components: camel-http
    Affects Versions: 4.4.0
            Reporter: Joshua Grisham


Currently the OAuth2 support in camel-http will retrieve a new token with every 
single HTTP request.

It is typically a more preferred pattern to actually cache the access tokens 
(per the same issuer, for the same client_id and the same requested scopes), as 
fetching tokens can be an expensive operation, and access tokens can often have 
a relatively long expiration time which Camel could actually take advantage of.

Some examples:
 * Google's 
[OAuth2Credentials|https://cloud.google.com/java/docs/reference/google-auth-library/latest/com.google.auth.oauth2.OAuth2Credentials]
 class supports token caching and refresh (see: 
[https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java])
 * Spring Security's OAuth2 client also does this "under the covers" (though is 
a bit more complicated): 
[https://github.com/spring-projects/spring-security/tree/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client]

The assumption is that users might want to be able to configure the behavior of 
this somehow, so maybe it would be good to add some additional properties to 
control if a cache is used at all and/or how "early" tokens should be refreshed 
before their expiration time, if the token refresh mechanism should be used 
instead of just requesting a totally new access token from scratch, etc.

It may also be worth breaking this effort into smaller deliveries:
 * first, add a token cache and then request new tokens only when old ones 
are expired (depending on various config parameters)
 * second, add a refresh mechanism to actually use the OAuth2 Refresh flow 
instead of just fetching a totally new Access Token (with all appropriate 
checks that a refresh token was actually given by the token provider from the 
beginning etc...); see: 
[https://datatracker.ietf.org/doc/html/rfc6749#section-1.5] and 
[https://datatracker.ietf.org/doc/html/rfc6749#section-6]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

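What a token cache along the lines proposed in the ticket could look like, as an added illustrative example in Python; this is not camel-http's own code and not the patch for this issue. It assumes a hypothetical `post_token` callable that POSTs the form fields to the issuer's token endpoint and returns the parsed JSON response, takes the grant used for the initial token as a plain form dict (client_credentials is used below only as a placeholder, since the page does not say which grant camel-http uses), and uses a constructed `FakeTokenEndpoint` so that it runs offline. RFC 6749 section 4.4.3 says a refresh token SHOULD NOT be issued for the client_credentials grant; the fake endpoint hands one out anyway so that both branches of the "did the provider actually give us a refresh token" check are exercised.

```python
"""Added example: OAuth2 access-token cache with early refresh and a
refresh_token-grant fallback, keyed per (token endpoint, client_id, scopes).
Illustrative only; not camel-http's implementation."""
import time
from dataclasses import dataclass
from threading import Lock
from typing import Callable, Dict, Iterable, Optional, Tuple

CacheKey = Tuple[str, str, Tuple[str, ...]]  # (token_url, client_id, sorted scopes)


@dataclass
class CachedToken:
    access_token: str
    expires_at: float                     # absolute time on the injected clock
    refresh_token: Optional[str] = None   # only present if the provider issued one


class OAuth2TokenCache:
    """Returns a usable access token, contacting the issuer only when needed.

    Knobs mirror the ones proposed in the ticket: cache on/off, how many seconds
    before expiry to refresh, and whether to use the RFC 6749 section 6 refresh
    flow or always request a brand-new token with the initial grant.
    """

    def __init__(self, post_token: Callable[[Dict[str, str]], Dict[str, object]],
                 token_url: str, client_id: str, initial_grant: Dict[str, str],
                 refresh_margin: float = 60.0, use_refresh_flow: bool = True,
                 cache_enabled: bool = True, default_ttl: float = 0.0,
                 clock: Callable[[], float] = time.monotonic):
        self._post = post_token           # hypothetical transport: form dict -> JSON dict
        self._token_url = token_url
        self._client_id = client_id
        self._initial_grant = dict(initial_grant)
        self._margin = max(0.0, refresh_margin)
        self._use_refresh = use_refresh_flow
        self._cache_enabled = cache_enabled
        self._default_ttl = default_ttl   # used when expires_in is absent; 0 = never reuse
        self._clock = clock
        self._cache: Dict[CacheKey, CachedToken] = {}
        self._lock = Lock()               # serialises fetches so concurrent routes
                                          # do not all request tokens at once

    def _key(self, scopes: Iterable[str]) -> CacheKey:
        return (self._token_url, self._client_id, tuple(sorted(set(scopes))))

    def get_access_token(self, scopes: Iterable[str]) -> str:
        key = self._key(scopes)
        scope_param = " ".join(key[2])
        with self._lock:
            now = self._clock()
            entry = self._cache.get(key) if self._cache_enabled else None
            if entry is not None and now + self._margin < entry.expires_at:
                return entry.access_token        # cache hit, still comfortably valid

            resp = None
            # Refresh flow only if the provider actually gave us a refresh token.
            if entry is not None and entry.refresh_token and self._use_refresh:
                try:
                    resp = self._post({"grant_type": "refresh_token",
                                       "refresh_token": entry.refresh_token,
                                       "scope": scope_param})   # never wider than granted
                except PermissionError:
                    resp = None     # invalid_grant (revoked/expired): fall back below
            if resp is None:
                form = dict(self._initial_grant)
                form["scope"] = scope_param
                resp = self._post(form)

            ttl = float(resp.get("expires_in", self._default_ttl))
            # RFC 6749 section 6: keep the old refresh token unless a new one is issued.
            old_rt = entry.refresh_token if entry is not None else None
            new_rt = str(resp["refresh_token"]) if resp.get("refresh_token") else old_rt
            new_entry = CachedToken(str(resp["access_token"]), now + ttl, new_rt)
            if self._cache_enabled:
                self._cache[key] = new_entry
            return new_entry.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for a provider's token endpoint so the example runs
    offline; records every successful grant and rotates refresh tokens."""

    def __init__(self, issue_refresh_tokens: bool, expires_in: int = 3600):
        self.issue_refresh_tokens = issue_refresh_tokens
        self.expires_in = expires_in
        self.calls = []                   # (grant_type, scope or refresh token used)
        self._n = 0
        self._valid_refresh = set()

    def revoke_all(self) -> None:         # simulate provider-side revocation
        self._valid_refresh.clear()

    def token(self, form: Dict[str, str]) -> Dict[str, object]:
        grant = form["grant_type"]
        if grant == "refresh_token":
            rt = form["refresh_token"]
            if rt not in self._valid_refresh:
                raise PermissionError("invalid_grant")
            self._valid_refresh.discard(rt)   # refresh tokens are single-use here
            self.calls.append((grant, rt))
        elif grant == "client_credentials":
            self.calls.append((grant, form.get("scope", "")))
        else:
            raise ValueError("unsupported_grant_type")
        self._n += 1
        resp: Dict[str, object] = {"access_token": f"at-{self._n}",
                                   "token_type": "Bearer", "expires_in": self.expires_in}
        if self.issue_refresh_tokens:
            resp["refresh_token"] = f"rt-{self._n}"
            self._valid_refresh.add(resp["refresh_token"])
        return resp
```

Points worth keeping when this is done for real: the scope set is part of the cache key so a token granted for one set of scopes is never reused for a request that asked for a different set; the refresh margin absorbs clock skew between Camel and the issuer plus the latency of the request the token is about to be attached to; a rejected refresh token (invalid_grant) falls back to the initial grant instead of failing the exchange; and both cached access tokens and refresh tokens are bearer secrets, so they belong in process memory only and must never end up in logs or message headers other than the Authorization header they are meant for.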