SNOW-1825482: PAT + OAuth Authorization Code + OAuth Client Credentials support

FIPS/scripts/check_content.sh

@@ -6,7 +6,7 @@ set -o pipefail
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 
-if jar tvf $DIR/../target/snowflake-jdbc-fips.jar  | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
+if jar tvf $DIR/../target/snowflake-jdbc-fips.jar  | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^iso3166_" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
   echo "[ERROR] JDBC jar includes class not under the snowflake namespace"
   exit 1
 fi

ci/scripts/check_content.sh

@@ -8,7 +8,7 @@ set -o pipefail
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 
-if jar tvf $DIR/../../target/snowflake-jdbc${package_modifier}.jar | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
+if jar tvf snowflake-jdbc.jar | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^iso3166_" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
   echo "[ERROR] JDBC jar includes class not under the snowflake namespace"
   exit 1
 fi

parent-pom.xml

@@ -21,7 +21,7 @@
     <apache.httpcore.version>4.4.16</apache.httpcore.version>
     <zstd-jni.version>1.5.6-5</zstd-jni.version>
     <arrow.version>17.0.0</arrow.version>
-    <asm.version>9.3</asm.version>
+    <asm.version>9.6</asm.version>
     <avro.version>1.8.1</avro.version>
     <awaitility.version>4.2.0</awaitility.version>
     <awssdk.version>1.12.655</awssdk.version>
@@ -60,7 +60,7 @@
     <javax.servlet.version>3.1.0</javax.servlet.version>
     <jna.version>5.13.0</jna.version>
     <joda.time.version>2.8.1</joda.time.version>
-    <json.smart.version>2.4.9</json.smart.version>
+    <json.smart.version>2.5.1</json.smart.version>
     <junit4.version>4.13.2</junit4.version>
     <junit.version>5.11.1</junit.version>
     <junit.platform.version>1.11.1</junit.platform.version>
@@ -69,7 +69,8 @@
     <metrics.version>2.2.0</metrics.version>
     <mockito.version>4.11.0</mockito.version>
     <netty.version>4.1.115.Final</netty.version>
-    <nimbusds.version>9.37.3</nimbusds.version>
+    <nimbusds.version>9.40</nimbusds.version>
+    <nimbusds.oauth2.version>11.20.1</nimbusds.oauth2.version>
     <opencensus.version>0.31.1</opencensus.version>
     <plexus.container.version>1.0-alpha-9-stable-1</plexus.container.version>
     <plexus.utils.version>3.4.2</plexus.utils.version>
@@ -218,6 +219,11 @@
         <artifactId>nimbus-jose-jwt</artifactId>
         <version>${nimbusds.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.nimbusds</groupId>
+        <artifactId>oauth2-oidc-sdk</artifactId>
+        <version>${nimbusds.oauth2.version}</version>
+      </dependency>
       <dependency>
         <groupId>com.yammer.metrics</groupId>
         <artifactId>metrics-core</artifactId>
@@ -645,6 +651,10 @@
       <groupId>com.nimbusds</groupId>
       <artifactId>nimbus-jose-jwt</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>oauth2-oidc-sdk</artifactId>
+    </dependency>
     <dependency>
       <groupId>com.yammer.metrics</groupId>
       <artifactId>metrics-core</artifactId>

src/main/java/net/snowflake/client/core/SFLoginInput.java

@@ -54,12 +54,20 @@ public class SFLoginInput {
   private boolean enableClientStoreTemporaryCredential;
   private boolean enableClientRequestMfaToken;
 
+  // OAuth
+  private String redirectUri;
+  private String clientId;
+  private String clientSecret;
+  private String externalAuthorizationUrl;
+  private String externalTokenRequestUrl;
+  private String scope;
+
   private Duration browserResponseTimeout;
 
   // Additional headers to add for Snowsight.
   Map<String, String> additionalHttpHeadersForSnowsight;
 
-  SFLoginInput() {}
+  public SFLoginInput() {}
 
   Duration getBrowserResponseTimeout() {
     return browserResponseTimeout;
@@ -74,7 +82,7 @@ public String getServerUrl() {
     return serverUrl;
   }
 
-  SFLoginInput setServerUrl(String serverUrl) {
+  public SFLoginInput setServerUrl(String serverUrl) {
     this.serverUrl = serverUrl;
     return this;
   }
@@ -160,7 +168,7 @@ public SFLoginInput setAccountName(String accountName) {
     return this;
   }
 
-  int getLoginTimeout() {
+  public int getLoginTimeout() {
     return loginTimeout;
   }
 
@@ -184,7 +192,7 @@ SFLoginInput setRetryTimeout(int retryTimeout) {
     return this;
   }
 
-  int getAuthTimeout() {
+  public int getAuthTimeout() {
     return authTimeout;
   }
 
@@ -238,11 +246,11 @@ SFLoginInput setConnectionTimeout(Duration connectionTimeout) {
     return this;
   }
 
-  int getSocketTimeoutInMillis() {
+  public int getSocketTimeoutInMillis() {
     return (int) socketTimeout.toMillis();
   }
 
-  SFLoginInput setSocketTimeout(Duration socketTimeout) {
+  public SFLoginInput setSocketTimeout(Duration socketTimeout) {
     this.socketTimeout = socketTimeout;
     return this;
   }
@@ -388,11 +396,11 @@ SFLoginInput setOCSPMode(OCSPMode ocspMode) {
     return this;
   }
 
-  HttpClientSettingsKey getHttpClientSettingsKey() {
+  public HttpClientSettingsKey getHttpClientSettingsKey() {
     return httpClientKey;
   }
 
-  SFLoginInput setHttpClientSettingsKey(HttpClientSettingsKey key) {
+  public SFLoginInput setHttpClientSettingsKey(HttpClientSettingsKey key) {
     this.httpClientKey = key;
     return this;
   }
@@ -417,6 +425,60 @@ SFLoginInput setDisableSamlURLCheck(boolean disableSamlURLCheck) {
     return this;
   }
 
+  public String getRedirectUri() {
+    return redirectUri;
+  }
+
+  public SFLoginInput setRedirectUri(String redirectUri) {
+    this.redirectUri = redirectUri;
+    return this;
+  }
+
+  public String getClientId() {
+    return clientId;
+  }
+
+  public SFLoginInput setClientId(String clientId) {
+    this.clientId = clientId;
+    return this;
+  }
+
+  public String getClientSecret() {
+    return clientSecret;
+  }
+
+  public SFLoginInput setClientSecret(String clientSecret) {
+    this.clientSecret = clientSecret;
+    return this;
+  }
+
+  public String getExternalAuthorizationUrl() {
+    return externalAuthorizationUrl;
+  }
+
+  public SFLoginInput setExternalAuthorizationUrl(String externalAuthorizationUrl) {
+    this.externalAuthorizationUrl = externalAuthorizationUrl;
+    return this;
+  }
+
+  public String getExternalTokenRequestUrl() {
+    return externalTokenRequestUrl;
+  }
+
+  public SFLoginInput setExternalTokenRequestUrl(String externalTokenRequestUrl) {
+    this.externalTokenRequestUrl = externalTokenRequestUrl;
+    return this;
+  }
+
+  public String getScope() {
+    return scope;
+  }
+
+  public SFLoginInput setScope(String scope) {
+    this.scope = scope;
+    return this;
+  }
+
   Map<String, String> getAdditionalHttpHeadersForSnowsight() {
     return additionalHttpHeadersForSnowsight;
   }

src/main/java/net/snowflake/client/core/SFSession.java

@@ -677,6 +677,14 @@ public synchronized void open() throws SFException, SnowflakeSQLException {
         .setSessionParameters(sessionParametersMap)
         .setPrivateKey((PrivateKey) connectionPropertiesMap.get(SFSessionProperty.PRIVATE_KEY))
         .setPrivateKeyFile((String) connectionPropertiesMap.get(SFSessionProperty.PRIVATE_KEY_FILE))
+        .setClientId((String) connectionPropertiesMap.get(SFSessionProperty.CLIENT_ID))
+        .setClientSecret((String) connectionPropertiesMap.get(SFSessionProperty.CLIENT_SECRET))
+        .setRedirectUri((String) connectionPropertiesMap.get(SFSessionProperty.OAUTH_REDIRECT_URI))
+        .setScope((String) connectionPropertiesMap.get(SFSessionProperty.OAUTH_SCOPE))
+        .setExternalAuthorizationUrl(
+            (String) connectionPropertiesMap.get(SFSessionProperty.EXTERNAL_AUTHORIZATION_URL))
+        .setExternalTokenRequestUrl(
+            (String) connectionPropertiesMap.get(SFSessionProperty.EXTERNAL_TOKEN_REQUEST_URL))
         .setPrivateKeyBase64(
             (String) connectionPropertiesMap.get(SFSessionProperty.PRIVATE_KEY_BASE64))
         .setPrivateKeyPwd(

src/main/java/net/snowflake/client/core/SFSessionProperty.java

@@ -29,6 +29,12 @@ public enum SFSessionProperty {
   AUTHENTICATOR("authenticator", false, String.class),
   OKTA_USERNAME("oktausername", false, String.class),
   PRIVATE_KEY("privateKey", false, PrivateKey.class),
+  OAUTH_REDIRECT_URI("redirectUri", false, String.class),
+  CLIENT_ID("clientID", false, String.class),
+  CLIENT_SECRET("clientSecret", false, String.class),
+  OAUTH_SCOPE("scope", false, String.class),
+  EXTERNAL_AUTHORIZATION_URL("externalAuthorizationUrl", false, String.class),
+  EXTERNAL_TOKEN_REQUEST_URL("externalTokenRequestUrl", false, String.class),
   WAREHOUSE("warehouse", false, String.class),
   LOGIN_TIMEOUT("loginTimeout", false, Integer.class),
   NETWORK_TIMEOUT("networkTimeout", false, Integer.class),

src/main/java/net/snowflake/client/core/SessionUtil.java

@@ -28,6 +28,8 @@
 import net.snowflake.client.core.auth.AuthenticatorType;
 import net.snowflake.client.core.auth.ClientAuthnDTO;
 import net.snowflake.client.core.auth.ClientAuthnParameter;
+import net.snowflake.client.core.auth.oauth.AuthorizationCodeFlowAccessTokenProvider;
+import net.snowflake.client.core.auth.oauth.OauthAccessTokenProvider;
 import net.snowflake.client.jdbc.ErrorCode;
 import net.snowflake.client.jdbc.SnowflakeDriver;
 import net.snowflake.client.jdbc.SnowflakeReauthenticationRequest;
@@ -138,6 +140,8 @@ public class SessionUtil {
   public static int DEFAULT_CLIENT_PREFETCH_THREADS = 4;
   public static int MIN_CLIENT_CHUNK_SIZE = 48;
   public static int MAX_CLIENT_CHUNK_SIZE = 160;
+  private static final int DEFAULT_BROWSER_AUTHORIZATION_TIMEOUT_SECONDS = 180;
+
   public static Map<String, String> JVM_PARAMS_TO_PARAMS =
       Stream.of(
               new String[][] {
@@ -217,8 +221,13 @@ private static AuthenticatorType getAuthenticator(SFLoginInput loginInput) {
           .equalsIgnoreCase(AuthenticatorType.EXTERNALBROWSER.name())) {
         // SAML 2.0 compliant service/application
         return AuthenticatorType.EXTERNALBROWSER;
+      } else if (loginInput
+          .getAuthenticator()
+          .equalsIgnoreCase(AuthenticatorType.OAUTH_AUTHORIZATION_CODE.name())) {
+        // OAuth authorization code flow authentication
+        return AuthenticatorType.OAUTH_AUTHORIZATION_CODE;
       } else if (loginInput.getAuthenticator().equalsIgnoreCase(AuthenticatorType.OAUTH.name())) {
-        // OAuth Authentication
+        // OAuth access code Authentication
         return AuthenticatorType.OAUTH;
       } else if (loginInput
           .getAuthenticator()
@@ -265,6 +274,22 @@ static SFLoginOutput openSession(
     AssertUtil.assertTrue(
         loginInput.getLoginTimeout() >= 0, "negative login timeout for opening session");
 
+    if (getAuthenticator(loginInput).equals(AuthenticatorType.OAUTH_AUTHORIZATION_CODE)) {
+      AssertUtil.assertTrue(
+          loginInput.getClientId() != null,
+          "passing clientId is required for OAUTH_AUTHORIZATION_CODE_FLOW authentication");
+      AssertUtil.assertTrue(
+          loginInput.getClientSecret() != null,
+          "passing clientSecret is required for OAUTH_AUTHORIZATION_CODE_FLOW authentication");
+      OauthAccessTokenProvider accessTokenProvider =
+          new AuthorizationCodeFlowAccessTokenProvider(
+              new SessionUtilExternalBrowser.DefaultAuthExternalBrowserHandlers(),
+              DEFAULT_BROWSER_AUTHORIZATION_TIMEOUT_SECONDS);
+      String oauthAccessToken = accessTokenProvider.getAccessToken(loginInput);
+      loginInput.setAuthenticator(AuthenticatorType.OAUTH.name());
+      loginInput.setToken(oauthAccessToken);
+    }
+
     final AuthenticatorType authenticator = getAuthenticator(loginInput);
     if (!authenticator.equals(AuthenticatorType.OAUTH)) {
       // OAuth does not require a username

src/main/java/net/snowflake/client/core/SessionUtilExternalBrowser.java

@@ -61,7 +61,7 @@ public interface AuthExternalBrowserHandlers {
     void output(String msg);
   }
 
-  static class DefaultAuthExternalBrowserHandlers implements AuthExternalBrowserHandlers {
+  public static class DefaultAuthExternalBrowserHandlers implements AuthExternalBrowserHandlers {
     @Override
     public HttpPost build(URI uri) {
       return new HttpPost(uri);

src/main/java/net/snowflake/client/core/auth/AuthenticatorType.java

@@ -41,5 +41,10 @@ public enum AuthenticatorType {
   /*
    * Authenticator to enable token for regular login with mfa
    */
-  USERNAME_PASSWORD_MFA
+  USERNAME_PASSWORD_MFA,
+
+  /*
+   * Authorization code flow with browser popup
+   */
+  OAUTH_AUTHORIZATION_CODE
 }

src/main/java/net/snowflake/client/core/auth/ClientAuthnDTO.java

@@ -24,12 +24,12 @@ public ClientAuthnDTO(Map<String, Object> data, @Nullable String inFlightCtx) {
     this.inFlightCtx = inFlightCtx;
   }
 
-  /** Required by Jackson */
+  // Required by Jackson
   public Map<String, Object> getData() {
     return data;
   }
 
-  /** Required by Jackson */
+  // Required by Jackson
   public String getInFlightCtx() {
     return inFlightCtx;
   }