From bbe672b25f9dd15344126d66444b7b7ab0e995aa Mon Sep 17 00:00:00 2001 From: Stefano Ottolenghi Date: Mon, 28 Oct 2024 07:19:54 +0100 Subject: [PATCH 1/9] python --- .../modules/ROOT/pages/connect-advanced.adoc | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/python-manual/modules/ROOT/pages/connect-advanced.adoc b/python-manual/modules/ROOT/pages/connect-advanced.adoc index bd88b5a0..b0511011 100644 --- a/python-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/python-manual/modules/ROOT/pages/connect-advanced.adoc @@ -63,6 +63,52 @@ Use the function link:{neo4j-docs-base-uri}/api/python-driver/current/api.html#n If authentication is disabled on the server, the authentication parameter can be omitted entirely. +[role=label--new-5.14] +== Rotating authentication tokens + +It is possible to rotate authentication tokens that are expected to expire (e.g. SSO). +You need to provide a link:https://neo4j.com/docs/api/python-driver/current/api.html#neo4j.auth_management.AuthManager[`AuthManager`] instance (or link:https://neo4j.com/docs/api/python-driver/current/async_api.html#neo4j.auth_management.AsyncAuthManager[`AsyncAuthManager`] for the async driver) when instantiating the `Driver`, rather than a static authentication token. + +The easiest way to get started is to use link:https://neo4j.com/docs/api/python-driver/current/api.html#neo4j.auth_management.AuthManagers[one of built-in `AuthManager` implementations]. + +.Rotating a bearer token expiring every 60 seconds +[source, python, test-skip] +---- +import neo4j +from neo4j.auth_management import ( + AuthManagers, + ExpiringAuth, +) + + +def auth_provider(): + # some way to get a token + sso_token = get_sso_token() + # assume we know tokens expire every 60 seconds + expires_in = 60 + return ExpiringAuth( + auth=neo4j.bearer_auth(sso_token), + # Include a little buffer so that we fetch a new token + # *before* the old one expires + expires_in=expires_in - 10 + ) + + +with neo4j.GraphDatabase.driver( + URI, + auth=AuthManagers.expiration_based(auth_provider) +) as driver: + ... +---- + +[WARNING] +This API should not be used for switching users. +You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. + +[WARNING] +`AuthManagers` (including provider functions passed to `AuthManagers.expiration_based()`) must not interact with the driver in any way, as this can cause deadlocks and undefined behavior. + + == Custom address resolver When creating a `Driver` object, you can specify a _resolver_ function to resolve any addresses the driver receives ahead of DNS resolution. From 73f916cecc2efbf860c3921185279ea13690070d Mon Sep 17 00:00:00 2001 From: Stefano Ottolenghi Date: Mon, 28 Oct 2024 10:27:25 +0100 Subject: [PATCH 2/9] . --- python-manual/modules/ROOT/pages/connect-advanced.adoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/python-manual/modules/ROOT/pages/connect-advanced.adoc b/python-manual/modules/ROOT/pages/connect-advanced.adoc index b0511011..3b883907 100644 --- a/python-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/python-manual/modules/ROOT/pages/connect-advanced.adoc @@ -88,8 +88,7 @@ def auth_provider(): expires_in = 60 return ExpiringAuth( auth=neo4j.bearer_auth(sso_token), - # Include a little buffer so that we fetch a new token - # *before* the old one expires + # Include a little buffer so that new token is fetched before the old one expires expires_in=expires_in - 10 ) @@ -102,7 +101,7 @@ with neo4j.GraphDatabase.driver( ---- [WARNING] -This API should not be used for switching users. +This API should not be used for switching users. Auth managers should always return tokens for the same identity. You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. [WARNING] From 982f5f03cc20bb4833025a475941ee253bc40c12 Mon Sep 17 00:00:00 2001 From: Stefano Ottolenghi Date: Mon, 28 Oct 2024 10:55:47 +0100 Subject: [PATCH 3/9] js --- .../modules/ROOT/pages/connect-advanced.adoc | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/javascript-manual/modules/ROOT/pages/connect-advanced.adoc b/javascript-manual/modules/ROOT/pages/connect-advanced.adoc index 26958417..0c9a3730 100644 --- a/javascript-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/javascript-manual/modules/ROOT/pages/connect-advanced.adoc @@ -65,6 +65,61 @@ const driver = neo4j.driver( If authentication is disabled on the server, the authentication parameter can be omitted entirely. +[role=label--new-5.14] +== Rotating authentication tokens + +It is possible to rotate authentication tokens that are expected to expire (e.g. SSO). +You need to provide a link:https://neo4j.com/docs/api/javascript-driver/current/class/lib6/auth-token-manager.js~AuthTokenManager.html[`AuthTokenManager`] instance when instantiating the `Driver`, rather than a static authentication token. + +The easiest way to get started is to use link:https://neo4j.com/docs/api/javascript-driver/current/class/lib6/auth-token-manager.js~AuthTokenManagers.html[one of built-in `AuthTokenManager` implementations]. + +.Rotating a bearer token expiring every 60 seconds +[source, javascript, test-skip] +---- +import neo4j, { AuthToken } from 'neo4j-driver' + +/** + * Method called whenever the driver needs to refresh the token. + * + * The refresh will happen if the driver is notified by the server + * of token expiration, or if `Date.now() > tokenData.expiry`. + * + * The driver will block creation of all connections until + * this function resolves the new auth token. + */ +async function generateAuthToken () { + const bearer = await getSSOToken() + const token = neo4j.auth.bearer(bearer) + + // assume we know tokens expire every 60 seconds + const expiresIn = 60 + // Include a little buffer so that new token is fetched before the old one expires + const expiration = expiresIn - 10 + + return { + token, + // if expiration is not provided, + // the driver will only fetch a new token when an auth failure happens + expiration + } +} + +const driver = neo4j.driver( + URI, + neo4j.expirationBasedAuthTokenManager({ + tokenProvider: generateAuthToken + }) +) +---- + +[WARNING] +This API should not be used for switching users. Auth managers should always return tokens for the same identity. +You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. + +[WARNING] +`AuthManagers` (including provider functions passed to `expirationBasedAuthTokenManager()`) must not interact with the driver in any way, as this can cause deadlocks and undefined behavior. + + == Custom address resolver When creating a `Driver` object, you can specify a _resolver_ function to resolve the connection address the driver is initialized with. From 53a3430a60f9d15dae4d1ee126e5f11a2dae3be8 Mon Sep 17 00:00:00 2001 From: Stefano Ottolenghi Date: Mon, 28 Oct 2024 11:06:50 +0100 Subject: [PATCH 4/9] java draft --- .../modules/ROOT/pages/connect-advanced.adoc | 53 +++++++++++++++++++ .../modules/ROOT/pages/connect-advanced.adoc | 4 +- 2 files changed, 55 insertions(+), 2 deletions(-) diff --git a/java-manual/modules/ROOT/pages/connect-advanced.adoc b/java-manual/modules/ROOT/pages/connect-advanced.adoc index 68864135..8923ea8a 100644 --- a/java-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/java-manual/modules/ROOT/pages/connect-advanced.adoc @@ -72,6 +72,59 @@ GraphDatabase.driver(dbUri, AuthTokens.custom(principal, credentials, realm, sch If authentication is disabled on the server, the authentication parameter can be omitted entirely. +[role=label--new-5.18] +== Rotating authentication tokens + +It is possible to rotate authentication tokens that are expected to expire (e.g. SSO). +You need to provide a link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokenManager.html[`AuthTokenManager`] instance when instantiating the `Driver`, rather than a static authentication token. + +The easiest way to get started is to use link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokenManagers.html[one of built-in `AuthTokenManager` implementations]. + +.Rotating a bearer token expiring every 60 seconds +[source, javascript, test-skip] +---- +/** + * Method called whenever the driver needs to refresh the token. + * + * The refresh will happen if the driver is notified by the server + * of token expiration, or if `Date.now() > tokenData.expiry`. + * + * The driver will block creation of all connections until + * this function resolves the new auth token. + */ +async function generateAuthToken () { + const bearer = await getSSOToken() // some way to get a token + const token = neo4j.auth.bearer(bearer) + + // assume we know tokens expire every 60 seconds + const expiresIn = 60 + // Include a little buffer so that new token is fetched before the old one expires + const expiration = expiresIn - 10 + + return { + token, + // if expiration is not provided, + // the driver will only fetch a new token when an auth failure happens + expiration + } +} + +const driver = neo4j.driver( + URI, + neo4j.expirationBasedAuthTokenManager({ + tokenProvider: generateAuthToken + }) +) +---- + +[WARNING] +This API should not be used for switching users. Auth managers should always return tokens for the same identity. +You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. + +[WARNING] +`AuthManagers` (including provider functions passed to `expirationBasedAuthTokenManager()`) must not interact with the driver in any way, as this can cause deadlocks and undefined behavior. + + == Logging By default, the driver logs `INFO` messages through the Java logging framework `java.util.logging`. diff --git a/javascript-manual/modules/ROOT/pages/connect-advanced.adoc b/javascript-manual/modules/ROOT/pages/connect-advanced.adoc index 0c9a3730..d33ea803 100644 --- a/javascript-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/javascript-manual/modules/ROOT/pages/connect-advanced.adoc @@ -88,7 +88,7 @@ import neo4j, { AuthToken } from 'neo4j-driver' * this function resolves the new auth token. */ async function generateAuthToken () { - const bearer = await getSSOToken() + const bearer = await getSSOToken() // some way to get a token const token = neo4j.auth.bearer(bearer) // assume we know tokens expire every 60 seconds @@ -106,7 +106,7 @@ async function generateAuthToken () { const driver = neo4j.driver( URI, - neo4j.expirationBasedAuthTokenManager({ + neo4j.authTokenManagers.bearer({ tokenProvider: generateAuthToken }) ) From 0fffb8551e8b167677a31e4411b5717404c18a42 Mon Sep 17 00:00:00 2001 From: Stefano Ottolenghi Date: Tue, 29 Oct 2024 06:05:43 +0100 Subject: [PATCH 5/9] go, java --- .../modules/ROOT/pages/connect-advanced.adoc | 37 ++++++++++++++ .../modules/ROOT/pages/connect-advanced.adoc | 49 +++++++------------ .../modules/ROOT/pages/connect-advanced.adoc | 2 +- .../modules/ROOT/pages/connect-advanced.adoc | 2 +- 4 files changed, 56 insertions(+), 34 deletions(-) diff --git a/go-manual/modules/ROOT/pages/connect-advanced.adoc b/go-manual/modules/ROOT/pages/connect-advanced.adoc index a12b3dcb..6b800585 100644 --- a/go-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/go-manual/modules/ROOT/pages/connect-advanced.adoc @@ -64,6 +64,43 @@ driver, err := neo4j.NewDriverWithContext(dbUri, neo4j.NoAuth()) ---- +[role=label--new-5.14] +== Rotating authentication tokens + +It is possible to rotate authentication tokens that are expected to expire (e.g. SSO). +You need to provide a link:https://pkg.go.dev/github.com/neo4j/neo4j-go-driver/v5/neo4j/auth#TokenManager[`TokenManager`] instance when instantiating the `Driver`, rather than a static authentication token. + +The easiest way to get started is to use one of built-in implementations: link:https://pkg.go.dev/github.com/neo4j/neo4j-go-driver/v5/neo4j/auth#BasicTokenManager[`BasicTokenManager`] and link:https://pkg.go.dev/github.com/neo4j/neo4j-go-driver/v5/neo4j/auth#BearerTokenManager[`BearerTokenManager`]. + +.Rotating a bearer token expiring every 60 seconds +[source, go, test-skip] +---- +fetchAuthTokenFromProvider := func(ctx context.Context) (neo4j.AuthToken, *time.Time, error) { + // some way of getting a token + token, err := getSsoToken(ctx) + if err != nil { + return neo4j.AuthToken{}, nil, err + } + // assume we know tokens expire every 60 seconds + expiresIn := time.Now().Add(60 * time.Second) + // include a little buffer so that we fetch a new token before the old one expires + expiresIn = expiresIn.Add(-10 * time.Second) + // or return nil instead of `&expiresIn` if we don't expect it to expire + return token, &expiresIn, nil +} + +// create a new driver with a bearer token manager +_, _ = neo4j.NewDriverWithContext(dbUri, auth.BearerTokenManager(fetchAuthTokenFromProvider)) +---- + +[NOTE] +This API should not be used for switching users. Auth managers should always return tokens for the same identity. +You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. + +[WARNING] +`TokenManager` implementations and providers must not interact with the driver in any way, as this can cause deadlocks and undefined behavior. + + == Custom address resolver When creating a `DriverWithContext` object, you can specify a _resolver_ function to resolve the connection address the driver is initialized with. diff --git a/java-manual/modules/ROOT/pages/connect-advanced.adoc b/java-manual/modules/ROOT/pages/connect-advanced.adoc index 8923ea8a..24967d21 100644 --- a/java-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/java-manual/modules/ROOT/pages/connect-advanced.adoc @@ -83,41 +83,26 @@ The easiest way to get started is to use link:https://neo4j.com/docs/api/java-dr .Rotating a bearer token expiring every 60 seconds [source, javascript, test-skip] ---- -/** - * Method called whenever the driver needs to refresh the token. - * - * The refresh will happen if the driver is notified by the server - * of token expiration, or if `Date.now() > tokenData.expiry`. - * - * The driver will block creation of all connections until - * this function resolves the new auth token. - */ -async function generateAuthToken () { - const bearer = await getSSOToken() // some way to get a token - const token = neo4j.auth.bearer(bearer) - - // assume we know tokens expire every 60 seconds - const expiresIn = 60 - // Include a little buffer so that new token is fetched before the old one expires - const expiration = expiresIn - 10 - - return { - token, - // if expiration is not provided, - // the driver will only fetch a new token when an auth failure happens - expiration - } -} +// import java.time.Clock; +// import java.util.concurrent.TimeUnit; +// import org.neo4j.driver.AuthTokenManagers; +// import org.neo4j.driver.GraphDatabase; + +var tokenManager = AuthTokenManagers.bearer(() -> { + var token = getToken(); // some way to get a token + + // assume we know tokens expire every 60 seconds + var expiresIn = TimeUnit.SECONDS.toMillis(60); + // Include a little buffer so that new token is fetched before the old one expires + var expiration = Clock.systemUTC().millis() + (expiresIn - TimeUnit.SECONDS.toMillis(10)); -const driver = neo4j.driver( - URI, - neo4j.expirationBasedAuthTokenManager({ - tokenProvider: generateAuthToken - }) -) + return token.expiringAt(expiration); +}); + +var driver = GraphDatabase.driver(dbUri, tokenManager); ---- -[WARNING] +[NOTE] This API should not be used for switching users. Auth managers should always return tokens for the same identity. You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. diff --git a/javascript-manual/modules/ROOT/pages/connect-advanced.adoc b/javascript-manual/modules/ROOT/pages/connect-advanced.adoc index d33ea803..bcbea81a 100644 --- a/javascript-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/javascript-manual/modules/ROOT/pages/connect-advanced.adoc @@ -112,7 +112,7 @@ const driver = neo4j.driver( ) ---- -[WARNING] +[NOTE] This API should not be used for switching users. Auth managers should always return tokens for the same identity. You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. diff --git a/python-manual/modules/ROOT/pages/connect-advanced.adoc b/python-manual/modules/ROOT/pages/connect-advanced.adoc index 3b883907..11d6d781 100644 --- a/python-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/python-manual/modules/ROOT/pages/connect-advanced.adoc @@ -100,7 +100,7 @@ with neo4j.GraphDatabase.driver( ... ---- -[WARNING] +[NOTE] This API should not be used for switching users. Auth managers should always return tokens for the same identity. You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. From 96db3994a911deb0e07b90e99eac3e7e3ed4dbe3 Mon Sep 17 00:00:00 2001 From: Stefano Ottolenghi Date: Wed, 30 Oct 2024 07:44:40 +0100 Subject: [PATCH 6/9] java full --- .../modules/ROOT/pages/connect-advanced.adoc | 28 ++++++++++++------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/java-manual/modules/ROOT/pages/connect-advanced.adoc b/java-manual/modules/ROOT/pages/connect-advanced.adoc index 24967d21..c117fae9 100644 --- a/java-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/java-manual/modules/ROOT/pages/connect-advanced.adoc @@ -81,25 +81,33 @@ You need to provide a link:https://neo4j.com/docs/api/java-driver/current/org.ne The easiest way to get started is to use link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokenManagers.html[one of built-in `AuthTokenManager` implementations]. .Rotating a bearer token expiring every 60 seconds -[source, javascript, test-skip] +[source, java, test-skip] ---- // import java.time.Clock; // import java.util.concurrent.TimeUnit; // import org.neo4j.driver.AuthTokenManagers; +// import org.neo4j.driver.AuthTokens; // import org.neo4j.driver.GraphDatabase; -var tokenManager = AuthTokenManagers.bearer(() -> { - var token = getToken(); // some way to get a token +void rotatingBearerDriver() { + var tokenManager = AuthTokenManagers.bearer(() -> { + var token = AuthTokens.bearer(getToken()); - // assume we know tokens expire every 60 seconds - var expiresIn = TimeUnit.SECONDS.toMillis(60); - // Include a little buffer so that new token is fetched before the old one expires - var expiration = Clock.systemUTC().millis() + (expiresIn - TimeUnit.SECONDS.toMillis(10)); + // assume we know tokens expire every 60 seconds + var expiresIn = TimeUnit.SECONDS.toMillis(60); + // Include a little buffer so that new token is fetched before the old one expires + var expiration = Clock.systemUTC().millis() + (expiresIn - TimeUnit.SECONDS.toMillis(10)); - return token.expiringAt(expiration); -}); + return token.expiringAt(expiration); + }); -var driver = GraphDatabase.driver(dbUri, tokenManager); + var driver = GraphDatabase.driver(dbUri, tokenManager); +} + +// some way to get a token +private String getToken() { + return "token-string"; +} ---- [NOTE] From cf49eefc8d3268eb8b8925bbcb00d4bc68e37142 Mon Sep 17 00:00:00 2001 From: Stefano Ottolenghi Date: Wed, 30 Oct 2024 07:48:45 +0100 Subject: [PATCH 7/9] java full --- java-manual/modules/ROOT/pages/connect-advanced.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/java-manual/modules/ROOT/pages/connect-advanced.adoc b/java-manual/modules/ROOT/pages/connect-advanced.adoc index c117fae9..5720a10d 100644 --- a/java-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/java-manual/modules/ROOT/pages/connect-advanced.adoc @@ -78,7 +78,7 @@ If authentication is disabled on the server, the authentication parameter can be It is possible to rotate authentication tokens that are expected to expire (e.g. SSO). You need to provide a link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokenManager.html[`AuthTokenManager`] instance when instantiating the `Driver`, rather than a static authentication token. -The easiest way to get started is to use link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokenManagers.html[one of built-in `AuthTokenManager` implementations]. +The easiest way to get started is to use link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokenManagers.html[one of built-in `AuthTokenManager` implementations]. AuthTokenManagers work with link:https://neo4j.com/docs/api/java-driver/5.26/org.neo4j.driver/org/neo4j/driver/AuthTokens.html[`AuthToken`] objects. .Rotating a bearer token expiring every 60 seconds [source, java, test-skip] @@ -93,7 +93,7 @@ void rotatingBearerDriver() { var tokenManager = AuthTokenManagers.bearer(() -> { var token = AuthTokens.bearer(getToken()); - // assume we know tokens expire every 60 seconds + // Assume we know tokens expire every 60 seconds var expiresIn = TimeUnit.SECONDS.toMillis(60); // Include a little buffer so that new token is fetched before the old one expires var expiration = Clock.systemUTC().millis() + (expiresIn - TimeUnit.SECONDS.toMillis(10)); @@ -104,7 +104,7 @@ void rotatingBearerDriver() { var driver = GraphDatabase.driver(dbUri, tokenManager); } -// some way to get a token +// Some way to get a token private String getToken() { return "token-string"; } @@ -115,7 +115,7 @@ This API should not be used for switching users. Auth managers should always ret You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. [WARNING] -`AuthManagers` (including provider functions passed to `expirationBasedAuthTokenManager()`) must not interact with the driver in any way, as this can cause deadlocks and undefined behavior. +`AuthTokenManager` objects must not interact with the driver in any way, as this can cause deadlocks and undefined behavior. == Logging From 927b34cb7bac4bb50f033a2b99ed82526f174903 Mon Sep 17 00:00:00 2001 From: Stefano Ottolenghi Date: Wed, 30 Oct 2024 07:52:17 +0100 Subject: [PATCH 8/9] Update connect-advanced.adoc --- java-manual/modules/ROOT/pages/connect-advanced.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java-manual/modules/ROOT/pages/connect-advanced.adoc b/java-manual/modules/ROOT/pages/connect-advanced.adoc index 5720a10d..ac5a8b32 100644 --- a/java-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/java-manual/modules/ROOT/pages/connect-advanced.adoc @@ -78,7 +78,7 @@ If authentication is disabled on the server, the authentication parameter can be It is possible to rotate authentication tokens that are expected to expire (e.g. SSO). You need to provide a link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokenManager.html[`AuthTokenManager`] instance when instantiating the `Driver`, rather than a static authentication token. -The easiest way to get started is to use link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokenManagers.html[one of built-in `AuthTokenManager` implementations]. AuthTokenManagers work with link:https://neo4j.com/docs/api/java-driver/5.26/org.neo4j.driver/org/neo4j/driver/AuthTokens.html[`AuthToken`] objects. +The easiest way to get started is to use link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokenManagers.html[one of built-in `AuthTokenManager` implementations]. AuthTokenManagers work with link:https://neo4j.com/docs/api/java-driver/current/org.neo4j.driver/org/neo4j/driver/AuthTokens.html[`AuthToken`] objects. .Rotating a bearer token expiring every 60 seconds [source, java, test-skip] From ff1a45afb5a3a205939cf8d9fd4c27bca3130ea8 Mon Sep 17 00:00:00 2001 From: Stefano Ottolenghi Date: Thu, 31 Oct 2024 08:35:30 +0100 Subject: [PATCH 9/9] fix --- .../modules/ROOT/pages/connect-advanced.adoc | 2 +- .../modules/ROOT/pages/connect-advanced.adoc | 2 +- .../modules/ROOT/pages/connect-advanced.adoc | 2 +- .../modules/ROOT/pages/connect-advanced.adoc | 15 +++++++-------- 4 files changed, 10 insertions(+), 11 deletions(-) diff --git a/go-manual/modules/ROOT/pages/connect-advanced.adoc b/go-manual/modules/ROOT/pages/connect-advanced.adoc index 6b800585..12fcf00c 100644 --- a/go-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/go-manual/modules/ROOT/pages/connect-advanced.adoc @@ -94,7 +94,7 @@ _, _ = neo4j.NewDriverWithContext(dbUri, auth.BearerTokenManager(fetchAuthTokenF ---- [NOTE] -This API should not be used for switching users. Auth managers should always return tokens for the same identity. +This API must not be used for switching users. Auth managers must always return tokens for the same identity. You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. [WARNING] diff --git a/java-manual/modules/ROOT/pages/connect-advanced.adoc b/java-manual/modules/ROOT/pages/connect-advanced.adoc index ac5a8b32..75d79c4c 100644 --- a/java-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/java-manual/modules/ROOT/pages/connect-advanced.adoc @@ -111,7 +111,7 @@ private String getToken() { ---- [NOTE] -This API should not be used for switching users. Auth managers should always return tokens for the same identity. +This API must not be used for switching users. Auth managers must always return tokens for the same identity. You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. [WARNING] diff --git a/javascript-manual/modules/ROOT/pages/connect-advanced.adoc b/javascript-manual/modules/ROOT/pages/connect-advanced.adoc index bcbea81a..244de1ef 100644 --- a/javascript-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/javascript-manual/modules/ROOT/pages/connect-advanced.adoc @@ -113,7 +113,7 @@ const driver = neo4j.driver( ---- [NOTE] -This API should not be used for switching users. Auth managers should always return tokens for the same identity. +This API must not be used for switching users. Auth managers must always return tokens for the same identity. You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. [WARNING] diff --git a/python-manual/modules/ROOT/pages/connect-advanced.adoc b/python-manual/modules/ROOT/pages/connect-advanced.adoc index 11d6d781..ea052ecb 100644 --- a/python-manual/modules/ROOT/pages/connect-advanced.adoc +++ b/python-manual/modules/ROOT/pages/connect-advanced.adoc @@ -82,16 +82,15 @@ from neo4j.auth_management import ( def auth_provider(): - # some way to get a token + # Some way to get a token sso_token = get_sso_token() - # assume we know tokens expire every 60 seconds + # Assume we know tokens expire every 60 seconds expires_in = 60 - return ExpiringAuth( - auth=neo4j.bearer_auth(sso_token), - # Include a little buffer so that new token is fetched before the old one expires - expires_in=expires_in - 10 - ) + # Include a little buffer so that new token is fetched before the old one expires + expires_in -= 10 + auth = neo4j.bearer_auth(sso_token) + return ExpiringAuth(auth=auth).expires_in(expires_in) with neo4j.GraphDatabase.driver( URI, @@ -101,7 +100,7 @@ with neo4j.GraphDatabase.driver( ---- [NOTE] -This API should not be used for switching users. Auth managers should always return tokens for the same identity. +This API must not be used for switching users. Auth managers must always return tokens for the same identity. You can switch users at both xref:query-simple.adoc#impersonation[query level] and xref:transactions.adoc#impersonation[session level]. [WARNING]