I have an access token and a refresh token generated using my cf credentials. I want my app, which uses the CF API, to run continuously for a long time, so when the access token expires I will generate a new one using the refresh token. But as far as I understand, a refresh token will also expire, so the authorization session is limited. I could generate a new access token using my credentials, but I don't want to store them either in code files or in environment variables. Can I do something about it?
2 Answers
Check out CF-Space-Security. It lets you proxy through a process that is running next to your process and manages tokens.

To make this work properly, you need a UAA Client. Rather than pass in your access/refresh tokens, you'd pass in a UAA client & secret. You would then perform a client credentials grant to obtain an access token using your UAA client & secret. This results in an access/refresh token that you can use to make requests to Cloud Controller.
You would typically send the UAA Client & Client Secret to your app via env variables or perhaps as a user provided service. You could use something else though (CredHub, Vault, etc.), if it's available in your environment.
If you're using Java, the cf-java-client will handle all this for you. Instead of creating a PasswordGrantTokenProvider in the example at the link below, you'd use ClientCredentialsGrantTokenProvider.
That said, you don't really need a special library. You can use whatever OAuth2 libraries are available in your programming language of choice, so long as they support the client credentials grant type.
If you don't want to do this in code, @poy's answer is also good. It is enabling access by handling what I mentioned above in a proxy. So long as your requests go through the proxy they'll be annotated with an access token.
Please make sure you understand what the proxy is doing though before you deploy it & make sure you understand how to properly secure it. Anything with access to the proxy could send authorized requests, so you really need to make sure it's locked down properly.
Hope that helps!
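
The client credentials flow described in the answer above, as an added example that is not part of the original answers or of any CF library: a small Python token source that runs the grant against UAA's `/oauth/token` endpoint, caches the access token, and re-runs the grant shortly before expiry so no user password or refresh token has to be stored. The class name, the `UAA_*` environment variable names and the 60-second skew are assumptions made for this example.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request


def uaa_post(token_url, client_id, client_secret, timeout=10):
    """Run one client_credentials grant against UAA; return the parsed JSON body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}", "Accept": "application/json"},
    )
    # urllib verifies the server certificate by default; do not disable that.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


class ClientCredentialsTokenSource:
    """Caches the access token and re-runs the grant shortly before it expires."""

    def __init__(self, token_url, client_id, client_secret,
                 post=uaa_post, clock=time.monotonic, skew=60):
        if not token_url.lower().startswith("https://"):
            raise ValueError("refusing to send the client secret over a non-HTTPS URL")
        self._args = (token_url, client_id, client_secret)
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    @classmethod
    def from_env(cls, env=os.environ, **kw):
        # Variable names are assumptions for this example, not a CF convention.
        return cls(env["UAA_TOKEN_URL"], env["UAA_CLIENT_ID"], env["UAA_CLIENT_SECRET"], **kw)

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._post(*self._args)
            if not body.get("access_token") or str(body.get("token_type", "")).lower() != "bearer":
                raise RuntimeError("UAA response did not contain a bearer access token")
            self._token = body["access_token"]
            self._expires_at = now + int(body.get("expires_in", 0))
        return self._token

    def auth_header(self):
        """Header to attach to each Cloud Controller request."""
        return {"Authorization": f"bearer {self.token()}"}
```

Give the UAA client only the authorities the app actually needs, since anything that can read the client secret can mint tokens with those authorities.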
