Skip to content

[fix][proxy] Close client connection immediately when credentials expire and forwardAuthorizationCredentials is disabled #25179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nodece wants to merge 3 commits into
base: master
Choose a base branch
from
Open

[fix][proxy] Close client connection immediately when credentials expire and forwardAuthorizationCredentials is disabled #25179

nodece wants to merge 3 commits into from
+216 −62

Conversation

@nodece
Copy link
Member

@nodece nodece commented Jan 23, 2026

Fixes #25071

Motivation

This pull request enhances the authentication credential refresh logic in the Pulsar Proxy and adds comprehensive tests to ensure correct behavior when client credentials expire, especially when authorization credentials are not forwarded to the broker. The changes improve reliability and correctness in handling authentication expiration and provide a robust test for the new logic.

Modifications

Proxy authentication refresh and expiration logic:

  • Refactored the authentication credential refresh logic in ProxyConnection.java by introducing the startAuthRefreshTaskIfNotStarted() helper, ensuring the refresh task is only scheduled when needed and in the correct states. The refresh logic now checks if the connection is in an authenticated state and properly handles cases where credentials expire and authorization credentials are not forwarded (forwardAuthorizationCredentials=false). [1] [2] [3] [4]

Test suite improvements:

  • Added a new test testClientDisconnectWhenCredentialsExpireWithoutForwardAuth in ProxyAuthenticationTest.java to verify that the client is disconnected when credentials expire and the proxy is not forwarding authorization credentials. The test uses Awaitility to assert proper disconnection behavior.
  • Updated and expanded the mock authentication provider and state in the test suite to simulate credential expiration and support the new authentication flow, including parsing and checking expiration within the mock state. [1] [2]

Minor test utility and import updates:

  • Added necessary imports and updated HTTP header handling in the test authentication data provider for improved correctness and clarity. [1] [2] [3]

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@nodece
[fix][proxy] Close client connection immediately when credentials exp…
72bd67e 
…ire and forwardAuthorizationCredentials is disabled
@nodece nodece requested a review from lhotari January 23, 2026 03:59
@github-actions github-actions bot added the doc-required Your PR changes impact docs and you will update later. label Jan 23, 2026
lhotari
lhotari approved these changes Jan 23, 2026
View reviewed changes
Copy link
Member

@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@lhotari
Copy link
Member

lhotari commented Jan 23, 2026

/pulsarbot rerun-failure-checks

@lhotari lhotari added this to the 4.2.0 milestone Jan 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lhotari lhotari lhotari approved these changes

Assignees

No one assigned

Labels

doc-required Your PR changes impact docs and you will update later.

Projects

None yet

Milestone

4.2.0

Development

Successfully merging this pull request may close these issues.

Update logic behind AuthenticateOriginalAuthData to better support multiple authentication Providers

2 participants

@nodece @lhotari