feat(secrets): add token_broker source backed by iron-token-broker#143
Merged
Adds a new secrets.Source type that fetches OAuth access tokens from a running iron-token-broker over HTTP. Configured per source by credential_id, with broker URL and bearer key read from IRON_BROKER_URL and IRON_BROKER_TOKEN. Validates that the broker-reported remaining lifetime exceeds the configured cache ttl so stale tokens are never served. Also fixes the broker HTTP server to explicitly net.Listen and log the resolved address, so :0 configs no longer log addr=":0" and integration tests can discover the bound port.
Adds a `token_broker` secrets source so iron-proxy can pull OAuth access tokens from a running `iron-token-broker` over HTTP. Configure per source with `credential_id`; broker URL and bearer key come from `IRON_BROKER_URL` and `IRON_BROKER_TOKEN`. The fetch closure rejects responses whose remaining lifetime is not greater than the configured cache `ttl` so stale tokens are never served.

Incidental fix in the broker's HTTP server: explicit `net.Listen` so the resolved address lands in the "broker HTTP API starting" log line (otherwise `:0` configs log `addr=":0"`).

End-to-end coverage in `integration_test/token_broker_test.go`: boots the real broker binary against an in-process fake OAuth provider, runs requests through the real proxy binary, asserts the upstream sees the broker-issued token and that a second request within the TTL does not trigger another OAuth refresh.
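The two behaviours the PR body describes, the lifetime-versus-cache-ttl check in the fetch path and the explicit `net.Listen` so a `:0` config yields a discoverable bound address, as a stand-alone Go example. This is added illustration, not code from the PR or from iron-proxy / iron-token-broker: the `/token/{credential_id}` path, the `access_token` / `expires_in` JSON body, and every function name here are assumptions, and the in-process broker is a constructed `httptest` stand-in.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// brokerToken is the assumed (hypothetical) JSON body a broker returns;
// the real iron-token-broker response shape is not shown on the page.
type brokerToken struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"` // remaining lifetime in seconds
}

// ErrTokenTooShort signals a token whose remaining lifetime would not outlive
// the proxy's cache window, so a cached copy could be served after expiry.
var ErrTokenTooShort = errors.New("broker token lifetime does not exceed cache ttl")

// checkLifetime is the acceptance rule from the PR body: the broker-reported
// remaining lifetime must be strictly greater than the configured cache ttl.
func checkLifetime(remaining, cacheTTL time.Duration) error {
	if remaining <= cacheTTL {
		return ErrTokenTooShort
	}
	return nil
}

// fetchToken requests a token for credentialID from the broker, authenticating
// with a bearer key, and rejects tokens that would expire inside cacheTTL.
// The /token/{credential_id} path is an assumption made for this example.
func fetchToken(client *http.Client, brokerURL, bearerKey, credentialID string, cacheTTL time.Duration) (string, error) {
	req, err := http.NewRequest(http.MethodGet, brokerURL+"/token/"+credentialID, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+bearerKey)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("broker returned HTTP %d", resp.StatusCode)
	}
	var tok brokerToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return "", fmt.Errorf("decoding broker response: %w", err)
	}
	if tok.AccessToken == "" {
		return "", errors.New("broker response carried no access_token")
	}
	if err := checkLifetime(time.Duration(tok.ExpiresIn)*time.Second, cacheTTL); err != nil {
		return "", err
	}
	return tok.AccessToken, nil
}

// newFakeBroker is a constructed stand-in for the broker: it checks the bearer
// key and answers every credential with a token of the given lifetime.
func newFakeBroker(expiresIn int, wantKey string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+wantKey {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		id := strings.TrimPrefix(r.URL.Path, "/token/")
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(brokerToken{AccessToken: "tok-" + id, ExpiresIn: expiresIn})
	}))
}

// listenAndResolve mirrors the incidental server fix: listen explicitly so the
// kernel-assigned port behind ":0" is known and can be logged and returned.
func listenAndResolve(addr string) (net.Listener, string, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, "", err
	}
	resolved := ln.Addr().String()
	log.Printf("broker HTTP API starting addr=%q", resolved)
	return ln, resolved, nil
}

func main() {
	broker := newFakeBroker(600, "constructed-key") // 10 min lifetime, 5 min ttl: accepted
	defer broker.Close()
	fmt.Println(fetchToken(broker.Client(), broker.URL, "constructed-key", "cred-a", 5*time.Minute))

	short := newFakeBroker(60, "constructed-key") // 1 min lifetime, 5 min ttl: rejected
	defer short.Close()
	fmt.Println(fetchToken(short.Client(), short.URL, "constructed-key", "cred-a", 5*time.Minute))

	ln, resolved, err := listenAndResolve("127.0.0.1:0")
	if err != nil {
		log.Fatal(err)
	}
	defer ln.Close()
	fmt.Println("bound to", resolved)
}
```

The comparison is deliberately `<=`: a token whose lifetime equals the cache window would be handed out from cache at the very moment it expires, which is exactly the stale-token case the PR's "not greater than" wording rules out. Returning the resolved address from the listener, rather than only logging it, is what lets an integration test pick up the port when the config says `:0`.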