SNOW-1825482: PAT + OAuth Authorization Code + OAuth Client Credentials support

[sfc-gh-dheyman]

Overview

SNOW-1825482: PAT + OAuth Authorization Code + OAuth Client Credentials support

Pre-review self checklist

• PR branch is updated with all the changes from master branch
• The code is correctly formatted (run mvn -P check-style validate)
• New public API is not unnecessary exposed (run mvn verify and inspect target/japicmp/japicmp.html)
• The pull request name is prefixed with SNOW-XXXX:
• Code is in compliance with internal logging requirements

External contributors - please answer these questions before submitting a pull request. Thanks!

1. What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

   Issue: #NNNN

2. Fill out the following pre-review checklist:

   • I am adding a new automated test(s) to verify correctness of my new code
   • I am adding new logging messages
   • I am modifying authorization mechanisms
   • I am adding new credentials
   • I am modifying OCSP code
   • I am adding a new dependency or upgrading an existing one
   • I am adding new public/protected component not marked with @SnowflakeJdbcInternalApi (note that public/protected methods/fields in classes marked with this annotation are already internal)

3. Please describe how your code solves the related issue.

   Please write a short description of how your code change solves the related issue.

[gitguardian]

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

---

^{_{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}}

[sfc-gh-dprzybysz]

please use logger parameters instead of string concatenation, also in other logs

[sfc-gh-dheyman]

Done.

[sfc-gh-jszczerbinski]

Looks good to me in general, I will need a second look once I get some more knowledge about OAuth

[sfc-gh-jszczerbinski]

oauthClientId, oauthClientSecret etc.?

[sfc-gh-dheyman]

I'd prefer not to introduce new parameters, after all user can use only one authentication type at a time

[sfc-gh-jszczerbinski]

Please verify if we indeed use PKCE

[sfc-gh-dheyman]

yes, we need to.

[sfc-gh-mhofman]

maybe CLIENT_OAUTH would be a good name from this OAuth flows to make it different than OAuth and indicate it's on client side, WDYT? @sfc-gh-dprzybysz @sfc-gh-dheyman @sfc-gh-pfus

[sfc-gh-pfus]

I don't like it. CLIENT_OAUTH is too generic. Dawid's name seems better to me.

[sfc-gh-dheyman]

I would rather change the original OAUTH authenticator to OAUTH_ACCESS_TOKEN or something like that, but I understand it would be a BCR.

[sfc-gh-mhofman]

@sfc-gh-eworoshow WDYT? did you go through any naming discussion already

[sfc-gh-eworoshow]

I see a couple options:

1. AUTHENTICATOR=OAUTH plus OAUTH_FLOW={TOKEN | AUTHORIZATION_CODE | CLIENT_CREDENTIALS }, where TOKEN is our existing default.
2. AUTHENTICATOR={OAUTH | OAUTH_ACCESS_TOKEN, alias of OAUTH | OAUTH_AUTHORIZATION_CODE | ... }.

In both cases I think we should use the "standard" name for the OAuth flow we're implementing.

[sfc-gh-pfus]

I don't like it. CLIENT_OAUTH is too generic. Dawid's name seems better to me.

[sfc-gh-eworoshow]

I didn't review the whole PR, I just wanted to opine on a couple points I learned about indirectly 🙂

[sfc-gh-eworoshow]

We should use http://127.0.0.1 for compliance with RFC 8252 which strongly recommends not listening on localhost but rather on the IPv4 loopback interface.

[sfc-gh-dheyman]

Thanks, had no idea about this. Will adjust.

[sfc-gh-eworoshow]

We should perhaps omit the path here, since I want the Snowflake OAuth "driver" OAuth integration to work more straightforwardly for other use cases (e.g., customer code)

[sfc-gh-dheyman]

Good idea.

[sfc-gh-astachowski]

Maybe we could change the type in OAuthAccessTokenProviderFactory (and down the line) to be long? From what I understand this parameter is only ever used cast to long either way.

[sfc-gh-astachowski]

With the changes made, this cast is unnecessary