added credential provider OAuthRefresh only (#419)

added credential provider for OAuthRefresh only

Author: vikrantpuppala

src/main/java/com/databricks/jdbc/api/IDatabricksConnectionContext.java

@@ -182,4 +182,6 @@ public static AuthMech parseAuthMech(String authMech) {
 
   /** Returns the OAuth2 authentication scope used in the request. */
   String getAuthScope();
+
+  String getOAuthRefreshToken();
 }

src/main/java/com/databricks/jdbc/api/impl/DatabricksConnectionContext.java

@@ -618,4 +618,9 @@ public String getOAuthDiscoveryURL() {
   public String getAuthScope() {
     return getParameter(AUTH_SCOPE, ALL_APIS_SCOPE);
   }
+
+  @Override
+  public String getOAuthRefreshToken() {
+    return getParameter(OAUTH_REFRESH_TOKEN);
+  }
 }

src/main/java/com/databricks/jdbc/auth/AuthConstants.java

@@ -0,0 +1,6 @@
+package com.databricks.jdbc.auth;
+
+public class AuthConstants {
+  public static final String GRANT_TYPE_REFRESH_TOKEN_KEY = "refresh_token";
+  public static final String GRANT_TYPE_KEY = "grant_type";
+}

src/main/java/com/databricks/jdbc/auth/AuthUtils.java

@@ -0,0 +1,83 @@
+package com.databricks.jdbc.auth;
+
+import com.databricks.jdbc.api.IDatabricksConnectionContext;
+import com.databricks.jdbc.common.LogLevel;
+import com.databricks.jdbc.common.util.LoggingUtil;
+import com.databricks.jdbc.dbclient.impl.http.DatabricksHttpClient;
+import com.databricks.jdbc.exception.DatabricksHttpException;
+import com.databricks.sdk.core.DatabricksException;
+import com.databricks.sdk.core.oauth.OpenIDConnectEndpoints;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.utils.URIBuilder;
+
+public class AuthUtils {
+  public static String getTokenEndpoint(IDatabricksConnectionContext context) {
+    String tokenUrl;
+    if (context.getTokenEndpoint() != null) {
+      tokenUrl = context.getTokenEndpoint();
+    } else if (context.isOAuthDiscoveryModeEnabled()) {
+      try {
+        tokenUrl = getTokenEndpointFromDiscoveryEndpoint(context);
+      } catch (DatabricksException e) {
+        String exceptionMessage = "Failed to get token endpoint from discovery endpoint";
+        LoggingUtil.log(LogLevel.ERROR, exceptionMessage);
+        throw new DatabricksException(exceptionMessage, e);
+      }
+    } else {
+      try {
+        tokenUrl =
+            new URIBuilder()
+                .setHost(context.getHostForOAuth())
+                .setScheme("https")
+                .setPathSegments("oidc", "v1", "token")
+                .build()
+                .toString();
+      } catch (URISyntaxException e) {
+        String exceptionMessage = "Failed to build token url";
+        LoggingUtil.log(LogLevel.ERROR, exceptionMessage);
+        throw new DatabricksException(exceptionMessage, e);
+      }
+    }
+    return tokenUrl;
+  }
+
+  /*
+   * TODO : The following will be removed once SDK changes are merged
+   * https://github.com/databricks/databricks-sdk-java/pull/336
+   * */
+  private static String getTokenEndpointFromDiscoveryEndpoint(
+      IDatabricksConnectionContext connectionContext) throws DatabricksException {
+    if (connectionContext.getOAuthDiscoveryURL() == null) {
+      String exceptionMessage =
+          "If discovery mode is enabled, we also need the discovery URL to be set.";
+      LoggingUtil.log(LogLevel.ERROR, exceptionMessage);
+      throw new DatabricksException(exceptionMessage);
+    }
+    try {
+      URIBuilder uriBuilder = new URIBuilder(connectionContext.getOAuthDiscoveryURL());
+      DatabricksHttpClient httpClient = DatabricksHttpClient.getInstance(connectionContext);
+      HttpGet getRequest = new HttpGet(uriBuilder.build());
+      try (CloseableHttpResponse response = httpClient.execute(getRequest)) {
+        if (response.getStatusLine().getStatusCode() != 200) {
+          String exceptionMessage =
+              "Error while calling discovery endpoint to fetch token endpoint. Response: "
+                  + response;
+          LoggingUtil.log(LogLevel.DEBUG, exceptionMessage);
+          throw new DatabricksHttpException(exceptionMessage);
+        }
+        OpenIDConnectEndpoints openIDConnectEndpoints =
+            new ObjectMapper()
+                .readValue(response.getEntity().getContent(), OpenIDConnectEndpoints.class);
+        return openIDConnectEndpoints.getTokenEndpoint();
+      }
+    } catch (URISyntaxException | DatabricksHttpException | IOException e) {
+      String exceptionMessage = "Failed to get token endpoint from discovery endpoint";
+      LoggingUtil.log(LogLevel.ERROR, exceptionMessage);
+      throw new DatabricksException(exceptionMessage, e);
+    }
+  }
+}

src/main/java/com/databricks/jdbc/auth/OAuthAuthenticator.java

@@ -4,6 +4,7 @@
 import com.databricks.jdbc.common.DatabricksJdbcConstants;
 import com.databricks.jdbc.exception.DatabricksParsingException;
 import com.databricks.sdk.WorkspaceClient;
+import com.databricks.sdk.core.CredentialsProvider;
 import com.databricks.sdk.core.DatabricksConfig;
 
 public class OAuthAuthenticator {
@@ -31,7 +32,11 @@ else if (this.connectionContext
         .equals(IDatabricksConnectionContext.AuthMech.OAUTH)) {
       switch (this.connectionContext.getAuthFlow()) {
         case TOKEN_PASSTHROUGH:
-          setupAccessTokenConfig(databricksConfig);
+          if (connectionContext.getOAuthRefreshToken() != null) {
+            setupU2MRefreshConfig(databricksConfig);
+          } else {
+            setupAccessTokenConfig(databricksConfig);
+          }
           break;
         case CLIENT_CREDENTIALS:
           setupM2MConfig(databricksConfig);
@@ -65,6 +70,17 @@ public void setupAccessTokenConfig(DatabricksConfig databricksConfig)
         .setToken(connectionContext.getToken());
   }
 
+  public void setupU2MRefreshConfig(DatabricksConfig databricksConfig)
+      throws DatabricksParsingException {
+    CredentialsProvider provider = new OAuthRefreshCredentialsProvider(connectionContext);
+    databricksConfig
+        .setHost(connectionContext.getHostForOAuth())
+        .setAuthType(provider.authType())
+        .setCredentialsProvider(provider)
+        .setClientId(connectionContext.getClientId())
+        .setClientSecret(connectionContext.getClientSecret());
+  }
+
   public void setupM2MConfig(DatabricksConfig databricksConfig) throws DatabricksParsingException {
     databricksConfig
         .setAuthType(DatabricksJdbcConstants.M2M_AUTH_TYPE)

src/main/java/com/databricks/jdbc/auth/OAuthRefreshCredentialsProvider.java

@@ -0,0 +1,91 @@
+package com.databricks.jdbc.auth;
+
+import static com.databricks.jdbc.auth.AuthConstants.*;
+
+import com.databricks.jdbc.api.IDatabricksConnectionContext;
+import com.databricks.jdbc.common.DatabricksJdbcConstants;
+import com.databricks.jdbc.common.LogLevel;
+import com.databricks.jdbc.common.util.LoggingUtil;
+import com.databricks.jdbc.exception.DatabricksParsingException;
+import com.databricks.sdk.core.CredentialsProvider;
+import com.databricks.sdk.core.DatabricksConfig;
+import com.databricks.sdk.core.DatabricksException;
+import com.databricks.sdk.core.HeaderFactory;
+import com.databricks.sdk.core.http.HttpClient;
+import com.databricks.sdk.core.oauth.AuthParameterPosition;
+import com.databricks.sdk.core.oauth.RefreshableTokenSource;
+import com.databricks.sdk.core.oauth.Token;
+import java.time.LocalDateTime;
+import java.util.HashMap;
+import java.util.Map;
+import org.apache.http.HttpHeaders;
+
+public class OAuthRefreshCredentialsProvider extends RefreshableTokenSource
+    implements CredentialsProvider {
+  IDatabricksConnectionContext context;
+  private HttpClient hc;
+  private final String tokenUrl;
+  private final String clientId;
+  private final String clientSecret;
+
+  public OAuthRefreshCredentialsProvider(IDatabricksConnectionContext context) {
+    this.context = context;
+    this.tokenUrl = AuthUtils.getTokenEndpoint(context);
+    try {
+      this.clientId = context.getClientId();
+    } catch (DatabricksParsingException e) {
+      String exceptionMessage = "Failed to parse client id";
+      LoggingUtil.log(LogLevel.ERROR, exceptionMessage);
+      throw new DatabricksException(exceptionMessage, e);
+    }
+    this.clientSecret = context.getClientSecret();
+    // Create an expired dummy token object with the refresh token to use
+    this.token =
+        new Token(
+            DatabricksJdbcConstants.EMPTY_STRING,
+            DatabricksJdbcConstants.EMPTY_STRING,
+            context.getOAuthRefreshToken(),
+            LocalDateTime.now().minusMinutes(1));
+  }
+
+  @Override
+  public String authType() {
+    return "oauth-refresh";
+  }
+
+  @Override
+  public HeaderFactory configure(DatabricksConfig databricksConfig) {
+    if (this.hc == null) {
+      this.hc = databricksConfig.getHttpClient();
+    }
+    return () -> {
+      Map<String, String> headers = new HashMap<>();
+      // An example header looks like: "Authorization: Bearer <access-token>"
+      headers.put(
+          HttpHeaders.AUTHORIZATION, getToken().getTokenType() + " " + getToken().getAccessToken());
+      return headers;
+    };
+  }
+
+  @Override
+  protected Token refresh() {
+    if (this.token == null) {
+      String exceptionMessage = "oauth2: token is not set";
+      LoggingUtil.log(LogLevel.ERROR, exceptionMessage);
+      throw new DatabricksException(exceptionMessage);
+    }
+    String refreshToken = this.token.getRefreshToken();
+    if (refreshToken == null) {
+      String exceptionMessage = "oauth2: token expired and refresh token is not set";
+      LoggingUtil.log(LogLevel.ERROR, exceptionMessage);
+      throw new DatabricksException(exceptionMessage);
+    }
+
+    Map<String, String> params = new HashMap<>();
+    params.put(GRANT_TYPE_KEY, GRANT_TYPE_REFRESH_TOKEN_KEY);
+    params.put(GRANT_TYPE_REFRESH_TOKEN_KEY, refreshToken);
+    Map<String, String> headers = new HashMap<>();
+    return retrieveToken(
+        hc, clientId, clientSecret, tokenUrl, params, headers, AuthParameterPosition.BODY);
+  }
+}

src/main/java/com/databricks/jdbc/auth/PrivateKeyClientCredentialProvider.java

@@ -1,26 +1,17 @@
 package com.databricks.jdbc.auth;
 
 import com.databricks.jdbc.api.IDatabricksConnectionContext;
-import com.databricks.jdbc.common.LogLevel;
-import com.databricks.jdbc.common.util.LoggingUtil;
 import com.databricks.jdbc.dbclient.IDatabricksHttpClient;
 import com.databricks.jdbc.dbclient.impl.http.DatabricksHttpClient;
-import com.databricks.jdbc.exception.DatabricksHttpException;
 import com.databricks.sdk.core.CredentialsProvider;
 import com.databricks.sdk.core.DatabricksConfig;
 import com.databricks.sdk.core.HeaderFactory;
-import com.databricks.sdk.core.oauth.OpenIDConnectEndpoints;
 import com.databricks.sdk.core.oauth.Token;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.annotations.VisibleForTesting;
-import java.io.IOException;
-import java.net.URISyntaxException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.client.utils.URIBuilder;
+import org.apache.http.HttpHeaders;
 
 public class PrivateKeyClientCredentialProvider implements CredentialsProvider {
 
@@ -30,14 +21,8 @@ public class PrivateKeyClientCredentialProvider implements CredentialsProvider {
   IDatabricksHttpClient httpClient;
 
   public PrivateKeyClientCredentialProvider(IDatabricksConnectionContext connectionContext) {
-    this(connectionContext, DatabricksHttpClient.getInstance(connectionContext));
-  }
-
-  @VisibleForTesting
-  PrivateKeyClientCredentialProvider(
-      IDatabricksConnectionContext connectionContext, IDatabricksHttpClient httpClient) {
     this.connectionContext = connectionContext;
-    this.httpClient = httpClient;
+    this.httpClient = DatabricksHttpClient.getInstance(connectionContext);
   }
 
   @Override
@@ -47,17 +32,7 @@ public String authType() {
 
   @VisibleForTesting
   JwtPrivateKeyClientCredentials getClientCredentialObject(DatabricksConfig config) {
-    tokenEndpoint = connectionContext.getTokenEndpoint();
-    if (tokenEndpoint == null && connectionContext.isOAuthDiscoveryModeEnabled()) {
-      updateOidcFromDiscoveryEndpoint();
-    }
-    if (tokenEndpoint == null) {
-      try {
-        tokenEndpoint = config.getOidcEndpoints().getTokenEndpoint();
-      } catch (IOException e) {
-        LoggingUtil.log(LogLevel.ERROR, "Unable to set default token endpoint with error " + e);
-      }
-    }
+    tokenEndpoint = AuthUtils.getTokenEndpoint(connectionContext);
     return new JwtPrivateKeyClientCredentials.Builder()
         .withHttpClient(this.httpClient)
         .withClientId(config.getClientId())
@@ -76,41 +51,9 @@ public HeaderFactory configure(DatabricksConfig config) {
     return () -> {
       Token token = clientCredentials.getToken();
       Map<String, String> headers = new HashMap<>();
-      headers.put("Authorization", token.getTokenType() + " " + token.getAccessToken());
-      headers.put("Content-Type", "application/x-www-form-urlencoded");
+      headers.put(HttpHeaders.AUTHORIZATION, token.getTokenType() + " " + token.getAccessToken());
+      headers.put(HttpHeaders.CONTENT_TYPE, "application/x-www-form-urlencoded");
       return headers;
     };
   }
-
-  /*
-   * TODO : The following will be removed once SDK changes are merged
-   * https://github.com/databricks/databricks-sdk-java/pull/336
-   * */
-  private void updateOidcFromDiscoveryEndpoint() {
-    if (connectionContext.getOAuthDiscoveryURL() == null) {
-      LoggingUtil.log(
-          LogLevel.ERROR, "If discovery mode is enabled, we also need to put discovery URL");
-      // not throwing exception as the interface does not support it
-      return;
-    }
-    try {
-      URIBuilder uriBuilder = new URIBuilder(connectionContext.getOAuthDiscoveryURL());
-      HttpGet getRequest = new HttpGet(uriBuilder.build());
-      CloseableHttpResponse response = this.httpClient.execute(getRequest);
-      if (response.getStatusLine().getStatusCode() != 200) {
-        LoggingUtil.log(
-            LogLevel.DEBUG,
-            "Error while calling discovery endpoint to fetch token endpoint. Response: "
-                + response);
-      }
-      OpenIDConnectEndpoints openIDConnectEndpoints =
-          new ObjectMapper()
-              .readValue(response.getEntity().getContent(), OpenIDConnectEndpoints.class);
-      tokenEndpoint = openIDConnectEndpoints.getTokenEndpoint();
-    } catch (URISyntaxException | DatabricksHttpException | IOException e) {
-      LoggingUtil.log(
-          LogLevel.ERROR,
-          "Unable to retrieve token and auth endpoint from discovery endpoint. Error " + e);
-    }
-  }
 }

src/main/java/com/databricks/jdbc/common/DatabricksJdbcConstants.java

@@ -95,6 +95,8 @@ public final class DatabricksJdbcConstants {
 
   public static final String AUTH_FLOW = "auth_flow";
 
+  public static final String OAUTH_REFRESH_TOKEN = "OAuthRefreshToken";
+
   /** Only used when AUTH_MECH = 3 */
   public static final String PWD = "pwd";