SNOW-1825482: PAT + OAuth Authorization Code + OAuth Client Credentials support #1978
Conversation
sfc-gh-dheyman
force-pushed
the
oauth-code-flow
branch
from
119a205 to
195ff36
Compare
sfc-gh-dheyman
force-pushed
the
oauth-code-flow
branch
from
ec6effb to
a3dad01
Compare
…bc into oauth-code-flow
sfc-gh-dheyman
changed the title
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
| @@ -218,6 +219,11 @@ | |||
| <artifactId>nimbus-jose-jwt</artifactId> | |||
| <version>${nimbusds.version}</version> | |||
| </dependency> | |||
| <dependency> | |||
| <groupId>com.nimbusds</groupId> | |||
| <artifactId>oauth2-oidc-sdk</artifactId> | |||
There was a problem hiding this comment.
do we have security review finished for this library?
| TokenRequest request = buildTokenRequest(loginInput, authorizationCode, pkceVerifier); | ||
| URI requestUri = request.getEndpointURI(); | ||
| logger.debug( | ||
| "Requesting access token from: " + requestUri.getAuthority() + requestUri.getPath()); |
There was a problem hiding this comment.
please use logger parameters instead of string concatenation, also in other logs
...main/java/net/snowflake/client/core/auth/oauth/AuthorizationCodeFlowAccessTokenProvider.java
Outdated
Show resolved
Hide resolved
...main/java/net/snowflake/client/core/auth/oauth/AuthorizationCodeFlowAccessTokenProvider.java
Outdated
Show resolved
Hide resolved
...main/java/net/snowflake/client/core/auth/oauth/AuthorizationCodeFlowAccessTokenProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/net/snowflake/client/core/auth/oauth/TokenResponseDTO.java
Show resolved
Hide resolved
| @@ -29,6 +29,12 @@ public enum SFSessionProperty { | |||
| AUTHENTICATOR("authenticator", false, String.class), | |||
| OKTA_USERNAME("oktausername", false, String.class), | |||
| PRIVATE_KEY("privateKey", false, PrivateKey.class), | |||
| OAUTH_REDIRECT_URI("redirectUri", false, String.class), | |||
| CLIENT_ID("clientID", false, String.class), | |||
There was a problem hiding this comment.
oauthClientId, oauthClientSecret etc.?
There was a problem hiding this comment.
I'd prefer not to introduce new parameters, after all user can use only one authentication type at a time
| }, | ||
| "bodyPatterns": [ | ||
| { | ||
| "contains": "grant_type=authorization_code&code=123&redirect_uri=http%3A%2F%2Flocalhost%3A8001%2Fsnowflake%2Foauth-redirect&code_verifier=" |
There was a problem hiding this comment.
Please verify if we indeed use PKCE
There was a problem hiding this comment.
yes, we need to.
| } | ||
|
|
||
| @Test | ||
| public void browserTimeoutFlowScenario() { |
There was a problem hiding this comment.
These error tests seem very similar, maybe we could make them parameterized? For keeping descriptive names, see Arguments.argumentSet (in case of @ArgumentProvider).
There was a problem hiding this comment.
I'd do it after client credentials flow is added, because I'm not yet sure if these will remain as they are.
| /* | ||
| * Authorization code flow with browser popup | ||
| */ | ||
| OAUTH_AUTHORIZATION_CODE |
There was a problem hiding this comment.
maybe CLIENT_OAUTH would be a good name from this OAuth flows to make it different than OAuth and indicate it's on client side, WDYT? @sfc-gh-dprzybysz @sfc-gh-dheyman @sfc-gh-pfus
There was a problem hiding this comment.
I don't like it. CLIENT_OAUTH is too generic. Dawid's name seems better to me.
There was a problem hiding this comment.
I would rather change the original OAUTH authenticator to OAUTH_ACCESS_TOKEN or something like that, but I understand it would be a BCR.
There was a problem hiding this comment.
@sfc-gh-eworoshow WDYT? did you go through any naming discussion already
There was a problem hiding this comment.
I see a couple options:
AUTHENTICATOR=OAUTHplusOAUTH_FLOW={TOKEN | AUTHORIZATION_CODE | CLIENT_CREDENTIALS }, whereTOKENis our existing default.AUTHENTICATOR={OAUTH | OAUTH_ACCESS_TOKEN, alias of OAUTH | OAUTH_AUTHORIZATION_CODE | ... }.
In both cases I think we should use the "standard" name for the OAuth flow we're implementing.
linkage-checker-exclusion-rules.xml
Outdated
| @@ -14,11 +14,6 @@ | |||
| <Source><Package name="com.nimbusds.jose"/></Source> | |||
| <Reason>Optional</Reason> | |||
| </LinkageError> | |||
| <LinkageError> | |||
| <Target><Package name="org.brotli.dec"/></Target> | |||
There was a problem hiding this comment.
Why do we want to delete these lines?
| /* | ||
| * Authorization code flow with browser popup | ||
| */ | ||
| OAUTH_AUTHORIZATION_CODE |
There was a problem hiding this comment.
I don't like it. CLIENT_OAUTH is too generic. Dawid's name seems better to me.
| String code = codeFuture.get(this.browserAuthorizationTimeoutSeconds, TimeUnit.SECONDS); | ||
| return new AuthorizationCode(code); | ||
| } catch (Exception e) { | ||
| if (e instanceof TimeoutException) { |
There was a problem hiding this comment.
Why not catch (TimeoutException)?
There was a problem hiding this comment.
good idea, fixed.
| private final long expiresIn; | ||
| private final long refreshTokenExpiresIn; | ||
|
|
||
| @JsonCreator(mode = JsonCreator.Mode.PROPERTIES) |
There was a problem hiding this comment.
What if some of these properties are missing? Will nulls be used?
| @@ -0,0 +1,51 @@ | |||
| package net.snowflake.client.core; | |||
There was a problem hiding this comment.
let's add license header like in other files
| try { | ||
| TokenRequest request = buildTokenRequest(loginInput, authorizationCode, pkceVerifier); | ||
| URI requestUri = request.getEndpointURI(); | ||
| logger.debug( | ||
| "Requesting access token from: " + requestUri.getAuthority() + requestUri.getPath()); | ||
| "Requesting access token from: {}", requestUri.getAuthority() + requestUri.getPath()); |
There was a problem hiding this comment.
you can concatenate in formatted string:
"Requesting access token from: {}{}", requestUri.getAuthority(), requestUri.getPath()
|
|
||
| @SnowflakeJdbcInternalApi |
There was a problem hiding this comment.
package scope class does not need internal annotation
sfc-gh-dheyman
changed the title
Overview
SNOW-1825482: PAT + OAuth Authorization Code + OAuth Client Credentials support
Pre-review self checklist
masterbranchmvn -P check-style validate)mvn verifyand inspecttarget/japicmp/japicmp.html)SNOW-XXXX:External contributors - please answer these questions before submitting a pull request. Thanks!
What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.
Issue: #NNNN
Fill out the following pre-review checklist:
@SnowflakeJdbcInternalApi(note that public/protected methods/fields in classes marked with this annotation are already internal)Please describe how your code solves the related issue.
Please write a short description of how your code change solves the related issue.