JWT Auth

Author: SpencerTorres

clickhouse.go

@@ -375,3 +375,8 @@ func (ch *clickhouse) Close() error {
 		}
 	}
 }
+
+func (ch *clickhouse) UpdateJWT(jwt string) error {
+	ch.opt.Auth.JWT = jwt
+	return nil
+}

clickhouse_options.go

@@ -77,8 +77,12 @@ var compressionMap = map[string]CompressionMethod{
 
 type Auth struct { // has_control_character
 	Database string
+
 	Username string
 	Password string
+
+	// JWT for ClickHouse Cloud. Use this instead of Username and Password if you're using JWT auth.
+	JWT string
 }
 
 type Compression struct {

clickhouse_std.go

@@ -54,7 +54,10 @@ func (o *stdConnOpener) Driver() driver.Driver {
 			debugf = log.New(os.Stdout, "[clickhouse-std] ", 0).Printf
 		}
 	}
-	return &stdDriver{debugf: debugf}
+	return &stdDriver{
+		opt:    o.opt,
+		debugf: debugf,
+	}
 }
 
 func (o *stdConnOpener) Connect(ctx context.Context) (_ driver.Conn, err error) {
@@ -201,6 +204,7 @@ type stdConnect interface {
 }
 
 type stdDriver struct {
+	opt    *Options
 	conn   stdConnect
 	commit func() error
 	debugf func(format string, v ...any)
@@ -382,6 +386,11 @@ func (std *stdDriver) Close() error {
 	return err
 }
 
+func (std *stdDriver) UpdateJWT(jwt string) error {
+	std.opt.Auth.JWT = jwt
+	return nil
+}
+
 type stdBatch struct {
 	batch  ldriver.Batch
 	debugf func(format string, v ...any)

conn.go

@@ -110,7 +110,7 @@ func dial(ctx context.Context, addr string, num int, opt *Options) (*connect, er
 		}
 	)
 
-	if err := connect.handshake(opt.Auth.Database, opt.Auth.Username, opt.Auth.Password); err != nil {
+	if err := connect.handshake(opt.Auth); err != nil {
 		return nil, err
 	}
 

conn_handshake.go

@@ -25,7 +25,11 @@ import (
 	"github.com/ClickHouse/clickhouse-go/v2/lib/proto"
 )
 
-func (c *connect) handshake(database, username, password string) error {
+// jwtAuthMarker is the marker for JSON Web Token authentication in ClickHouse Cloud.
+// At the protocol level this is used in place of a username.
+const jwtAuthMarker = " JWT AUTHENTICATION "
+
+func (c *connect) handshake(auth Auth) error {
 	defer c.buffer.Reset()
 	c.debugf("[handshake] -> %s", proto.ClientHandshake{})
 	// set a read deadline - alternative to context.Read operation will fail if no data is received after deadline.
@@ -43,9 +47,15 @@ func (c *connect) handshake(database, username, password string) error {
 		}
 		handshake.Encode(c.buffer)
 		{
-			c.buffer.PutString(database)
-			c.buffer.PutString(username)
-			c.buffer.PutString(password)
+			c.buffer.PutString(auth.Database)
+
+			if auth.JWT != "" {
+				c.buffer.PutString(jwtAuthMarker)
+				c.buffer.PutString(auth.JWT)
+			} else {
+				c.buffer.PutString(auth.Username)
+				c.buffer.PutString(auth.Password)
+			}
 		}
 		if err := c.flush(); err != nil {
 			return err

conn_http.go

@@ -119,6 +119,34 @@ func (rw *HTTPReaderWriter) reset(pw *io.PipeWriter) io.WriteCloser {
 	}
 }
 
+// applyOptionsToRequest applies the client Options (such as auth, headers, client info) to the given http.Request
+func applyOptionsToRequest(req *http.Request, opt *Options) {
+	if opt.TLS != nil && len(opt.Auth.JWT) > 0 {
+		req.Header.Set("Authorization", "Bearer "+opt.Auth.JWT)
+	} else if opt.TLS != nil && len(opt.Auth.Username) > 0 {
+		req.Header.Set("X-ClickHouse-User", opt.Auth.Username)
+		if len(opt.Auth.Password) > 0 {
+			req.Header.Set("X-ClickHouse-Key", opt.Auth.Password)
+			req.Header.Set("X-ClickHouse-SSL-Certificate-Auth", "off")
+		} else {
+			req.Header.Set("X-ClickHouse-SSL-Certificate-Auth", "on")
+		}
+	} else if opt.TLS == nil && len(opt.Auth.Username) > 0 {
+		if len(opt.Auth.Password) > 0 {
+			req.URL.User = url.UserPassword(opt.Auth.Username, opt.Auth.Password)
+
+		} else {
+			req.URL.User = url.User(opt.Auth.Username)
+		}
+	}
+
+	req.Header.Set("User-Agent", opt.ClientInfo.String())
+
+	for k, v := range opt.HttpHeaders {
+		req.Header.Set(k, v)
+	}
+}
+
 func dialHttp(ctx context.Context, addr string, num int, opt *Options) (*httpConnect, error) {
 	var debugf = func(format string, v ...any) {}
 	if opt.Debug {
@@ -151,29 +179,6 @@ func dialHttp(ctx context.Context, addr string, num int, opt *Options) (*httpCon
 		Path:   opt.HttpUrlPath,
 	}
 
-	headers := make(map[string]string)
-	for k, v := range opt.HttpHeaders {
-		headers[k] = v
-	}
-
-	if opt.TLS == nil && len(opt.Auth.Username) > 0 {
-		if len(opt.Auth.Password) > 0 {
-			u.User = url.UserPassword(opt.Auth.Username, opt.Auth.Password)
-		} else {
-			u.User = url.User(opt.Auth.Username)
-		}
-	} else if opt.TLS != nil && len(opt.Auth.Username) > 0 {
-		headers["X-ClickHouse-User"] = opt.Auth.Username
-		if len(opt.Auth.Password) > 0 {
-			headers["X-ClickHouse-Key"] = opt.Auth.Password
-			headers["X-ClickHouse-SSL-Certificate-Auth"] = "off"
-		} else {
-			headers["X-ClickHouse-SSL-Certificate-Auth"] = "on"
-		}
-	}
-
-	headers["User-Agent"] = opt.ClientInfo.String()
-
 	query := u.Query()
 	if len(opt.Auth.Database) > 0 {
 		query.Set("database", opt.Auth.Database)
@@ -225,6 +230,7 @@ func dialHttp(ctx context.Context, addr string, num int, opt *Options) (*httpCon
 	}
 
 	conn := &httpConnect{
+		opt: opt,
 		client: &http.Client{
 			Transport: t,
 		},
@@ -234,7 +240,6 @@ func dialHttp(ctx context.Context, addr string, num int, opt *Options) (*httpCon
 		blockCompressor: compress.NewWriter(compress.Level(opt.Compression.Level), compress.Method(opt.Compression.Method)),
 		compressionPool: compressionPool,
 		blockBufferSize: opt.BlockBufferSize,
-		headers:         headers,
 	}
 	location, err := conn.readTimeZone(ctx)
 	if err != nil {
@@ -251,6 +256,7 @@ func dialHttp(ctx context.Context, addr string, num int, opt *Options) (*httpCon
 	}
 
 	return &httpConnect{
+		opt: opt,
 		client: &http.Client{
 			Transport: t,
 		},
@@ -261,11 +267,11 @@ func dialHttp(ctx context.Context, addr string, num int, opt *Options) (*httpCon
 		compressionPool: compressionPool,
 		location:        location,
 		blockBufferSize: opt.BlockBufferSize,
-		headers:         headers,
 	}, nil
 }
 
 type httpConnect struct {
+	opt             *Options
 	url             *url.URL
 	client          *http.Client
 	location        *time.Location
@@ -274,7 +280,6 @@ type httpConnect struct {
 	blockCompressor *compress.Writer
 	compressionPool Pool[HTTPReaderWriter]
 	blockBufferSize uint8
-	headers         map[string]string
 }
 
 func (h *httpConnect) isBad() bool {
@@ -456,9 +461,12 @@ func (h *httpConnect) createRequest(ctx context.Context, requestUrl string, read
 	if err != nil {
 		return nil, err
 	}
+
+	applyOptionsToRequest(req, h.opt)
 	for k, v := range headers {
 		req.Header.Add(k, v)
 	}
+
 	var query url.Values
 	if options != nil {
 		query = req.URL.Query()

conn_http_async_insert.go

@@ -38,7 +38,7 @@ func (h *httpConnect) asyncInsert(ctx context.Context, query string, wait bool,
 		}
 	}
 
-	res, err := h.sendQuery(ctx, query, &options, h.headers)
+	res, err := h.sendQuery(ctx, query, &options, nil)
 	if res != nil {
 		defer res.Body.Close()
 		// we don't care about result, so just discard it to reuse connection

conn_http_batch.go

@@ -207,9 +207,7 @@ func (b *httpBatch) Send() (err error) {
 
 	options.settings["query"] = b.query
 	headers["Content-Type"] = "application/octet-stream"
-	for k, v := range b.conn.headers {
-		headers[k] = v
-	}
+
 	res, err := b.conn.sendStreamQuery(b.ctx, r, &options, headers)
 
 	if res != nil {

conn_http_exec.go

@@ -29,7 +29,7 @@ func (h *httpConnect) exec(ctx context.Context, query string, args ...any) error
 		return err
 	}
 
-	res, err := h.sendQuery(ctx, query, &options, h.headers)
+	res, err := h.sendQuery(ctx, query, &options, nil)
 	if res != nil {
 		defer res.Body.Close()
 		// we don't care about result, so just discard it to reuse connection

conn_http_query.go

@@ -42,10 +42,6 @@ func (h *httpConnect) query(ctx context.Context, release func(*connect, error),
 		headers["Accept-Encoding"] = h.compression.String()
 	}
 
-	for k, v := range h.headers {
-		headers[k] = v
-	}
-
 	res, err := h.sendQuery(ctx, query, &options, headers)
 	if err != nil {
 		return nil, err