I have an ActiveMQ Artemis server and my applications are connecting via STOMP over WebSockets. Artemis is using Keycloak to validate credentials. I pass the token as part of the CONNECT frame.
Connections work just fine, but as soon as the token expires, any interaction with the opened WebSocket (e.g. subscribe, unsubscribe, etc.) results in a client disconnection since the token is expired. That's expected.
What can I do to only validate the token at connection time? If connection succeeds, I don't want Artemis to validate the token any more. The connection should be legit once accepted at the beginning.
If that's not possible, since I have the renewed token on the web client, how can I notify Artemis so it internally updates this token?
As noted in the documentation, when a client connects and is authenticated by the broker the authentication result is cached. The same is true for any operation that must be authorized (e.g. creating a consumer, sending a message, etc.). As long as the broker's cache contains the required entries it won't matter if the token has expired. However, as cache entries expire the broker will have to reconnect to Keycloak to obtain the required auth once again. If the original token is still valid then everything will be fine, but if the token has expired then auth will fail. Therefore, you can configure the cache to help you avoid problems with expired tokens. Configuration details are noted in the documentation:
The size of the caches is controlled by the authentication-cache-size and authorization-cache-size configuration parameters. Both default to 1000. How long cache entries are valid is controlled by security-invalidation-interval, which is in milliseconds. Using 0 will disable caching. The default is 10000 ms.
That said, tokens expire for a reason. Caching tokens indefinitely, for example, would not be recommended as it would be insecure and would waste resources on the broker (i.e. memory for the cache).
Unfortunately the STOMP protocol has no support for reauthentication. You will simply have to reconnect once your token expires and the broker's cache entries are invalidated.
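An added example, not code from the question or the answer above, showing the client side of the reconnect approach: read the token's expiry, schedule a reconnect shortly before it (so the client never relies on the broker's cache window), and serialise a STOMP 1.2 CONNECT frame carrying the fresh token. It assumes (the page does not say) that the Keycloak token is a JWT with a standard `exp` claim, that the client sends it in the STOMP `passcode` header, and that it runs under Node.js; the token, user name and host are constructed sample values.

```javascript
// Added example (not from the question or answer). Assumptions: Keycloak token
// is a JWT with an `exp` claim, sent in the STOMP `passcode` header; Node.js.

// Base64url helpers (Node Buffer; a browser would use btoa/atob instead).
function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(str) {
  let b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Read the claims of a compact JWT. No signature check here: the broker
// verifies the token via Keycloak; the client only needs `exp` for planning.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Milliseconds until the client should drop the connection and CONNECT again
// with a freshly obtained token. Reconnecting `marginMs` before `exp` means
// the client never depends on a stale entry surviving in the broker's auth
// cache for up to security-invalidation-interval.
function millisUntilReconnect(token, nowMs, marginMs = 30000) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  return Math.max(0, exp * 1000 - nowMs - marginMs);
}

// Serialise a STOMP 1.2 CONNECT frame carrying the token. STOMP does not
// escape header values in CONNECT, so a value containing ':' or a newline
// could splice extra headers into the frame. A JWT is base64url plus dots;
// anything else is rejected before it reaches the wire.
function buildConnectFrame({ host, login, token, heartBeat = '10000,10000' }) {
  if (!/^[A-Za-z0-9_.-]+$/.test(token)) {
    throw new Error('token has characters not allowed in a CONNECT header');
  }
  const headers = [
    ['accept-version', '1.2'],
    ['host', host],
    ['login', login],
    ['passcode', token],
    ['heart-beat', heartBeat],
  ];
  for (const [, v] of headers) {
    if (/[\r\n]/.test(String(v))) throw new Error('CR/LF not allowed in CONNECT headers');
  }
  return 'CONNECT\n' + headers.map(([k, v]) => `${k}:${v}`).join('\n') + '\n\n\0';
}

// Constructed sample token: header, claims and a dummy signature. It is not
// signed by any real Keycloak and only serves to exercise the functions above.
function sampleToken(exp, iat) {
  const header = b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const claims = b64urlEncode(JSON.stringify({ sub: 'alice', iat, exp }));
  return `${header}.${claims}.constructed-signature`;
}

// Plan the proactive reconnect: when the timer fires, fetch a renewed token
// from Keycloak, disconnect, and send buildConnectFrame() with the new token
// (the STOMP client library does the actual WebSocket send).
function planReconnect(token, nowMs) {
  const delayMs = millisUntilReconnect(token, nowMs);
  return { delayMs, reconnectAtMs: nowMs + delayMs };
}

// Usage with constructed values: token issued at 1700000000, valid 10 minutes.
const demoToken = sampleToken(1700000600, 1700000000);
const demoPlan = planReconnect(demoToken, 1700000000000);
const demoFrame = buildConnectFrame({ host: '/', login: 'alice', token: demoToken });
```

The margin is a client policy choice: pick it larger than your network round trip plus the time Keycloak takes to hand back a refreshed token, so the new CONNECT is accepted before the old credentials lapse.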