@gerrit.meier
our password is stored in a vault that rotates every x days
is it possible to get a new connection with the new pw on every call? like something similar to DelegatingDataSource
Note: Read Edit 2 first!
Please don't re-create a driver instance (or let us do) before every call. Those creations are expensive and will affect the performance a lot.
But there is an experimental option in the Java driver since 5.8.
```java
return GraphDatabase.driver("bolt://localhost:7687", AuthTokenManagers.expirationBased(() -> {
    var token = getAuthTokenFromVault();
    // some timestamp in the far future to trigger this method only on token rejection
    var now = OffsetDateTime.now().plusYears(1).atZoneSameInstant(ZoneOffset.UTC);
    return token.expiringAt(now.toInstant().toEpochMilli());
}));
```
The docs say regarding the invocation of the method:
- token's UTC timestamp is expired
- server rejects the current token (see AuthTokenManager.onExpired(AuthToken))
Experimental means: It will probably stay but the API might change in the future based on feedback. There is a GitHub discussion page for this feature: AuthToken rotation and session auth support · neo4j/neo4j-java-driver · Discussion #1419 · GitHub
Edit: moved the question to general Driver because it is not only possible in Java but in all official drivers (afaik). Also, it is only minimally related to Spring Data since it can be solved with the existing driver API.
Edit 2: I figured out that the exception-based refresh of the token does not yet work as (I) expected. You would still need to provide the correct expiry timestamp. Maybe this is something you also retrieve from Vault.
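One way to supply the real expiry timestamp that Edit 2 calls for, as an added example that is not part of the original post or the driver's own code. It uses the 5.8 driver calls shown above plus `AuthTokens.basic`; `VaultCredentials`, `fetchFromVault`, `SAFETY_MARGIN` and `MIN_VALIDITY` are hypothetical names, and the credential values are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import org.neo4j.driver.AuthTokenManagers;
import org.neo4j.driver.AuthTokens;
import org.neo4j.driver.Driver;
import org.neo4j.driver.GraphDatabase;

public class RotatingAuthDriverFactory {

    // Hypothetical shape of what the vault client returns: the secret plus
    // the instant at which the vault will rotate it.
    record VaultCredentials(String username, String password, Instant rotatesAt) {}

    // Refresh this long before the rotation so no new connection is opened
    // with a password that is about to be rejected; also absorbs clock skew.
    static final Duration SAFETY_MARGIN = Duration.ofMinutes(5);

    // Lower bound on validity, so a secret that is already inside the safety
    // margin does not make the driver call the vault on every acquisition.
    static final Duration MIN_VALIDITY = Duration.ofSeconds(30);

    // UTC epoch milliseconds to pass to expiringAt(...).
    static long expiryMillis(Instant rotatesAt, Instant now) {
        Instant refreshAt = rotatesAt.minus(SAFETY_MARGIN);
        Instant earliest = now.plus(MIN_VALIDITY);
        return (refreshAt.isBefore(earliest) ? earliest : refreshAt).toEpochMilli();
    }

    // Placeholder for the real vault lookup (assumption): returns constructed
    // values so the class compiles on its own.
    static VaultCredentials fetchFromVault() {
        return new VaultCredentials("neo4j", "constructed-password",
                Instant.now().plus(Duration.ofDays(30)));
    }

    // One long-lived driver; only the token is re-fetched when it expires.
    static Driver createDriver(String uri) {
        return GraphDatabase.driver(uri, AuthTokenManagers.expirationBased(() -> {
            var creds = fetchFromVault();
            var token = AuthTokens.basic(creds.username(), creds.password());
            return token.expiringAt(expiryMillis(creds.rotatesAt(), Instant.now()));
        }));
    }
}
```

During the last five minutes before a rotation the supplier is asked again roughly every 30 seconds, so the new password is picked up shortly after the vault issues it.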