SNOW-1831099: OAuth Client Credentials Flow Implementation #1993

Merged
merged 7 commits into from
Dec 10, 2024

sfc-gh-dheyman (Contributor) commented Dec 9, 2024

Overview

SNOW-1831099

Pre-review self checklist

  • PR branch is updated with all the changes from master branch
  • The code is correctly formatted (run mvn -P check-style validate)
  • New public API is not unnecessarily exposed (run mvn verify and inspect target/japicmp/japicmp.html)
  • The pull request name is prefixed with SNOW-XXXX:
  • Code is in compliance with internal logging requirements

External contributors - please answer these questions before submitting a pull request. Thanks!

  1. What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

    Issue: #NNNN

  2. Fill out the following pre-review checklist:

    • I am adding a new automated test(s) to verify correctness of my new code
    • I am adding new logging messages
    • I am modifying authorization mechanisms
    • I am adding new credentials
    • I am modifying OCSP code
    • I am adding a new dependency or upgrading an existing one
    • I am adding new public/protected component not marked with @SnowflakeJdbcInternalApi (note that public/protected methods/fields in classes marked with this annotation are already internal)
  3. Please describe how your code solves the related issue.

    Please write a short description of how your code change solves the related issue.

@sfc-gh-dheyman changed the title from "Oauth client cred flow" to "SNOW-1831099: OAuth Client Credentials Flow Implementation" Dec 10, 2024
@sfc-gh-dheyman marked this pull request as ready for review December 10, 2024 10:58
@sfc-gh-dheyman requested a review from a team as a code owner December 10, 2024 10:58

@@ -16,7 +16,7 @@ public class AssertUtil {
* @param internalErrorMesg The error message to display if condition is false
* @throws SFException Will be thrown if condition is false
*/
static void assertTrue(boolean condition, String internalErrorMesg) throws SFException {
public static void assertTrue(boolean condition, String internalErrorMesg) throws SFException {
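
Review bot: Widening `assertTrue` from package-private to `public static` adds it to the driver's public API, where code outside the driver can start depending on it. If the goal is only to reach it from another internal package, annotate `AssertUtil` (or this method) with `@SnowflakeJdbcInternalApi`, and have the Javadoc above say the method is for internal use.
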
Collaborator

internal?

Contributor Author

changed.

@@ -842,6 +842,7 @@ private static String executeRequestInternal(
SnowflakeUtil.logResponseDetails(response, logger);

if (response != null) {
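
Review bot: The header `@@ -842,6 +842,7 @@` shows one added line, and the visible lines around `if (response != null) {` suggest it is a blank line, so this hunk looks like a whitespace-only change in `executeRequestInternal`. Drop it to keep the diff focused. Separately, `SnowflakeUtil.logResponseDetails(response, logger)` runs before the null check on `response`, so it is worth confirming that it tolerates a null response.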

Collaborator

let's minimize such unnecessary changes

Contributor Author

Removed

String oauthAccessToken = accessTokenProvider.getAccessToken(loginInput);
loginInput.setAuthenticator(AuthenticatorType.OAUTH.name());
loginInput.setToken(oauthAccessToken);
loginInput.setUserName("0oalpyiuy8rmozhjZ5d7");
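
Review bot: The `loginInput.setUserName(...)` call on the last line hardcodes a string literal that looks like an identity-provider client identifier, and it overwrites whatever user name the caller supplied for every login that takes this path. Remove the literal and, if a user name must be set here, take it from the connection configuration; test-only values belong in test configuration rather than in driver code.
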
Collaborator

looks like the secret and git guardian should complain

Contributor Author

It doesn't though 🤷 Removed it.

@@ -98,10 +97,11 @@ private String exchangeAuthorizationCodeForAccessToken(
TokenRequest request = buildTokenRequest(loginInput, authorizationCode, pkceVerifier);
URI requestUri = request.getEndpointURI();
logger.debug(
"Requesting access token from: {}", requestUri.getAuthority() + requestUri.getPath());
"Requesting OAuth access token from: {}",
requestUri.getAuthority() + requestUri.getPath());
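
Review bot: In the new `logger.debug` call, `requestUri.getAuthority()` is concatenated with the path before it reaches the logger, and if `requestUri` is a `java.net.URI` the authority also carries any user-info component present in the configured token endpoint URL. Logging `requestUri.getHost()`, `requestUri.getPort()` and `requestUri.getPath()` as separate `{}` parameters avoids both the eager concatenation and the chance of writing embedded credentials to the debug log. Leaving the query string out, as the call already does, is the right choice.
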
Collaborator

here also let's use parameters without concatenation

Contributor Author

Done.

loginInput.getLoginTimeout(),
loginInput.getAuthTimeout(),
loginInput.getSocketTimeoutInMillis(),
0,
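
Review bot: The bare `0` that follows `loginInput.getSocketTimeoutInMillis()` gives the reader no way to tell what it configures. Pass a named constant or add a short inline comment naming the parameter, so that a later change to the argument order does not silently shift its meaning.
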
Collaborator

what's the 0 here?

Contributor Author

It's retry count. In case of SAML it's also 0 so I wanted this to be consistent.

} else if (loginInput
.getAuthenticator()
.equalsIgnoreCase(AuthenticatorType.OAUTH_CLIENT_CREDENTIALS.name())) {
// OAuth authorization code flow authentication
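
Review bot: The comment `// OAuth authorization code flow authentication` sits under the branch that matches `AuthenticatorType.OAUTH_CLIENT_CREDENTIALS`, so it names the wrong flow and looks copied from the authorization code branch. Change it to describe the client credentials flow or delete it. The condition also calls `loginInput.getAuthenticator().equalsIgnoreCase(...)` with no null check in the visible lines; confirm that an earlier branch or the caller guarantees the authenticator is set.
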
Contributor

Is it accurate? Do we need this?


private static final SFLogger logger =
SFLoggerFactory.getLogger(AccessTokenProviderFactory.class);
private static final AuthenticatorType[] ELIGIBLE_AUTH_TYPES = {
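
Review bot: `ELIGIBLE_AUTH_TYPES` is declared as an array, which has no `contains` and whose elements stay assignable even though the field is `final`. If it is only used for membership checks, declare it as an unmodifiable `Set<AuthenticatorType>` (an `EnumSet` wrapped in `Collections.unmodifiableSet`, provided `AuthenticatorType` is an enum) so the list of eligible authenticators cannot be altered at runtime.
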
Contributor

Why array? Maybe it can be a set?

}

public static Set<AuthenticatorType> getEligible() {
return new HashSet<>(Arrays.asList(ELIGIBLE_AUTH_TYPES));
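
Review bot: `getEligible()` builds a new `HashSet` from `ELIGIBLE_AUTH_TYPES` on every call. Build the set once in a `static final` field and return that, wrapped as unmodifiable so that handing out the shared instance does not let callers change which authenticators are eligible.
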
Contributor

We can create this value once, right?

import org.apache.http.entity.StringEntity;

@SnowflakeJdbcInternalApi
public class OAuthUtil {
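
Review bot: `OAuthUtil` is declared `public`, and `@SnowflakeJdbcInternalApi` documents the intent but does not restrict access at the language level. If every caller lives in the same package, make the class package-private, and give it a private constructor if it only holds static helpers.
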
Contributor

Do we need it to be public?

@sfc-gh-dheyman merged commit e346a58 into oauth-code-flow Dec 10, 2024
4 of 7 checks passed
@sfc-gh-dheyman deleted the oauth-client-cred-flow branch December 10, 2024 14:08
@github-actions bot locked and limited conversation to collaborators Dec 10, 2024
3 participants