OAuth: don't override auth headers with contents of .netrc file (#122)

Signed-off-by: Jesse Whitehouse <[email protected]>

Author: Jesse

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 - Add support for Cloud Fetch
 - Fix: Revised SQLAlchemy dialect and examples for compatibility with SQLAlchemy==1.3.x
+- Fix: oauth would fail if expired credentials appeared in ~/.netrc
 
 ## 2.7.0 (2023-06-26)
 

src/databricks/sql/auth/oauth.py

@@ -19,6 +19,22 @@
 logger = logging.getLogger(__name__)
 
 
+class IgnoreNetrcAuth(requests.auth.AuthBase):
+    """This auth method is a no-op.
+
+    We use it to force requestslib to not use .netrc to write auth headers
+    when making .post() requests to the oauth token endpoints, since these
+    don't require authentication.
+
+    In cases where .netrc is outdated or corrupt, these requests will fail.
+
+    See issue #121
+    """
+
+    def __call__(self, r):
+        return r
+
+
 class OAuthManager:
     def __init__(
         self,
@@ -43,7 +59,7 @@ def __fetch_well_known_config(self, hostname: str):
         known_config_url = self.idp_endpoint.get_openid_config_url(hostname)
 
         try:
-            response = requests.get(url=known_config_url)
+            response = requests.get(url=known_config_url, auth=IgnoreNetrcAuth())
         except RequestException as e:
             logger.error(
                 f"Unable to fetch OAuth configuration from {known_config_url}.\n"
@@ -149,7 +165,9 @@ def __send_token_request(token_request_url, data):
             "Accept": "application/json",
             "Content-Type": "application/x-www-form-urlencoded",
         }
-        response = requests.post(url=token_request_url, data=data, headers=headers)
+        response = requests.post(
+            url=token_request_url, data=data, headers=headers, auth=IgnoreNetrcAuth()
+        )
         return response.json()
 
     def __send_refresh_token_request(self, hostname, refresh_token):