Description
Proposed change
Please see PR: nats-io/nats.go#1713
and the backstory in this issue: nats-io/nats.go#1694
In short, we are using the NATS 2.10+ Auth Callout feature, where we have our own IAM JWT tokens that expire every few minutes. The user obtains an IAM JWT, talks to nats using `unused` as the username but the JWT as the password, and the nats authCallout implementation verifies the IAM JWT from the password and eventually emits (after checking our in-house permissions DB) a nats JWT, which has its own expiry schedule (ours currently is set to 24h).
However, when that nats JWT expires (every 24h) the connection is interrupted. In this case, we need to present an updated IAM JWT, as the old one is expired (every 5 minutes). The golang client added that callback that fetches a new username, password pair before reconnecting in that PR linked above. We would kindly request the same callback.
I believe the _user_credentials_callback should go here-ish:
Lines 306 to 309 in 109817f

```python
self._signature_cb: Optional[SignatureCallback] = None
# user credentials file can be a tuple or single file.
self._user_credentials: Optional[Credentials] = None
```
And I believe you should call it right after this ish:
Lines 1490 to 1491 in 109817f

```python
if self._disconnected_cb is not None:
    await self._disconnected_cb()
```
ish means I've scanned this code but do not have any deep expertise with this python lib.
Note: I originally tried to abuse the disconnected_cb in the golang client (the python client does have this) and just setting the equivalent of self._user_credentials in that callback, but it wasn't thread safe; hence their addition of that CB. I did not investigate whether the python lib is thread safe, and maybe the disconnected_cb can be (ab)used for this.
Use case
Nats 2.10 auth callout.
Contribution
No response
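
The refresh-before-reconnect behaviour requested above, as an added example that is not part of the issue and not nats.py code. `IamCredentialProvider`, `fake_iam` and `simulate_reconnects` are hypothetical names, the tokens are constructed and unsigned, and how the client would invoke such a callback is an assumption, since the hook is what this issue asks for.

```python
import asyncio, base64, json, time
from typing import Optional, Tuple

def jwt_expiry(token: str) -> float:
    """Return the `exp` claim of a JWT without verifying its signature.

    The client only uses this to decide when to refresh; verifying the
    token remains the auth callout service's job."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64 padding
    return float(json.loads(base64.urlsafe_b64decode(payload))["exp"])

class IamCredentialProvider:
    """Hypothetical callback object: returns (username, password) on demand."""

    def __init__(self, fetch_token, skew=30.0, clock=time.time):
        self.fetch_token = fetch_token   # coroutine function returning a fresh IAM JWT
        self.skew = skew                 # refresh this many seconds before expiry
        self.clock = clock               # injectable so expiry can be simulated
        self.token: Optional[str] = None
        self.lock = asyncio.Lock()       # one refresh at a time across tasks

    async def __call__(self) -> Tuple[str, str]:
        async with self.lock:
            if self.token is None or jwt_expiry(self.token) - self.clock() <= self.skew:
                self.token = await self.fetch_token()
            return ("unused", self.token)  # username is ignored; the JWT is the password

def simulate_reconnects():
    """Constructed scenario: 5-minute IAM JWTs, reconnects at t=0, 100 s and 24 h."""
    now = [0.0]
    minted = []                          # times at which the IAM stand-in was called

    async def fake_iam() -> str:         # stands in for the real IAM endpoint
        claims = json.dumps({"sub": "demo", "exp": now[0] + 300}).encode()
        body = base64.urlsafe_b64encode(claims).rstrip(b"=").decode()
        minted.append(now[0])
        return f"e30.{body}.sig"         # unsigned, constructed sample token

    async def run():
        cb = IamCredentialProvider(fake_iam, clock=lambda: now[0])
        seen = []
        for t in (0.0, 100.0, 86400.0):  # each step models one (re)connect attempt
            now[0] = t
            user, password = await cb()
            seen.append((user, jwt_expiry(password)))
        return seen

    return asyncio.run(run()), minted
```

In the simulation, the reconnect at 24 h gets a newly minted IAM JWT, while the one at 100 s reuses the cached token that is still inside its 5-minute lifetime.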