How to update Basic Credentials at runtime?

[mrt181]

Basic credentials can be set using KSqlDbContextOptionsBuilder : ISetupParameters, afaik they end up in KSqlDBContext.ContextOptions.

These options are created using ICreateOptions.Options and can than be injected using DI.

I would like to be able to update the credentials.

When credentials are rotated the old ones become invalid. It's easy to fetch new ones for example from Key Vault but how would I set them into the context options so that they are used on any new request the ksql db client sends instead the ones that were set initially?

E.g. I would like to start a HostedService that checks key vault periodically for new credentials and then sets them into ksqldb context options. after setting them any new request should use the new credentials.

I would also have an HttpMessageHandler that fetches new credentials when the ksqldb client gets a 401 and rerties the request with the new credentials and then again sets them into ksqldb context options. after setting them any new request should use the new credentials.

I can successfully retry a request with fetched credentials already but have now way to set the new credentials into the context. Injecting KSqlDBContextOptions and setting them there is not durable that is whenever a new instance of KSqlDBContextOptions is injected its created with the values from the ContextBuilder.

[tomasfabian]

Hello @mrt181
if you register your KSqlDBContext using the AddDbContext function, it will internally register KSqlDBContextOptions as a singleton. This singleton instance is then injected into KSqlDBContext, ensuring that it uses the updated password.

Does this help?

using ksqlDb.RestApi.Client.DependencyInjection;
using ksqlDB.RestApi.Client.KSql.Query.Context;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();

var ksqlDbUrl = "http://localhost:8088";

services.AddDbContext<IKSqlDBContext, KSqlDBContext>(c =>
{
  var setupParams = c.UseKSqlDb(ksqlDbUrl);
  setupParams.SetBasicAuthCredentials("user", "secret");

  c.ReplaceHttpClient<ksqlDB.RestApi.Client.KSql.RestApi.Http.IHttpClientFactory, CustomHttpClientFactory>(_ => { })
    .AddHttpMessageHandler(_ => new DebugHandler());
});

var provider = services.BuildServiceProvider();

var dbContext = provider.GetRequiredService<IKSqlDBContext>();
var dbContextOptions = provider.GetRequiredService<KSqlDBContextOptions>();
dbContextOptions.SetBasicAuthCredentials("user", "secret2");

var dbContextOptions2 = provider.GetRequiredService<KSqlDBContextOptions>();
var dbContext2 = provider.GetRequiredService<IKSqlDBContext>();

if (dbContextOptions == dbContextOptions2)
  Console.WriteLine("dbContextOptions is a singleton");

[mrt181]

Yes, needed to create a scope using an injected IServiceProvider in the IHostedService.

But the ksqldbrestapiclient still does not set any authheader.

I am not setting creds in the contextbuilder at all, just set them in the options in the first hoste service that fetches creds from key vault.

UPDATE:

Ok, I think I understand the problem now.

To trigger the BasicAuthHandler, I have to provide username and password when configuring the ksqldbcontext.
That adds a BasicAuthHandler that uses the credentials that are provided during configuration but then never reads the context again to get the username and password.

[mrt181]

Resolved with version 7.1.0