SNOW-2068668 Move OAuth out of PrPr flag (#2301)

sfc-gh-mmishchenko · web-flow · commit fd574d3b1f60 · 2025-04-28T19:20:51.000+02:00
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -8,8 +8,16 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
 
 # Release Notes
 - v3.15(TBD)
-  - Bumped up min boto and botocore version to 1.24
-  - OCSP: terminate certificates chain traversal if a trusted certificate already reached
+  - Bumped up min boto and botocore version to 1.24.
+  - OCSP: terminate certificates chain traversal if a trusted certificate already reached.
+  - Added new authentication methods support for programmatic access tokens (PATs), OAuth 2.0 Authorization Code Flow, OAuth 2.0 Client Credentials Flow, and OAuth Token caching.
+    - For OAuth 2.0 Authorization Code Flow:
+      - Added the `oauth_client_id`, `oauth_client_secret`, `oauth_authorization_url`, `oauth_token_request_url`, `oauth_redirect_uri`, `oauth_scope`, `oauth_disable_pkce`, `oauth_enable_refresh_tokens` and `oauth_enable_single_use_refresh_tokens` parameters.
+      - Added the `OAUTH_AUTHORIZATION_CODE` value for the parameter authenticator.
+    - For OAuth 2.0 Client Credentials Flow:
+      - Added the `oauth_client_id`, `oauth_client_secret`, `oauth_token_request_url`, and `oauth_scope` parameters.
+      - Added the `OAUTH_CLIENT_CREDENTIALS` value for the parameter authenticator.
+    - For OAuth Token caching: Passing a username to driver configuration is required, and the `client_store_temporary_credential property` is to be set to `true`.
 
 - v3.14.1(April 21, 2025)
   - Added support for Python 3.13.
diff --git a/src/snowflake/connector/connection.py b/src/snowflake/connector/connection.py
@@ -346,8 +346,8 @@ def _get_private_bytes_from_file(
         str,
         # SNOW-1825621: OAUTH implementation
     ),
-    "oauth_enable_pkce": (
-        True,
+    "oauth_disable_pkce": (
+        False,
         bool,
         # SNOW-1825621: OAUTH PKCE
     ),
@@ -1204,7 +1204,6 @@ def __open_connection(self):
                     backoff_generator=self._backoff_generator,
                 )
             elif self._authenticator == OAUTH_AUTHORIZATION_CODE:
-                self._check_experimental_authentication_flag()
                 self._check_oauth_parameters()
                 if self._role and (self._oauth_scope == ""):
                     # if role is known then let's inject it into scope
@@ -1221,7 +1220,7 @@ def __open_connection(self):
                     ),
                     redirect_uri=self._oauth_redirect_uri,
                     scope=self._oauth_scope,
-                    pkce_enabled=self._oauth_enable_pkce,
+                    pkce_enabled=not self._oauth_disable_pkce,
                     token_cache=(
                         auth.get_token_cache()
                         if self._client_store_temporary_credential
@@ -1232,7 +1231,6 @@ def __open_connection(self):
                     enable_single_use_refresh_tokens=self._oauth_enable_single_use_refresh_tokens,
                 )
             elif self._authenticator == OAUTH_CLIENT_CREDENTIALS:
-                self._check_experimental_authentication_flag()
                 self._check_oauth_parameters()
                 if self._role and (self._oauth_scope == ""):
                     # if role is known then let's inject it into scope
diff --git a/test/unit/test_oauth_token.py b/test/unit/test_oauth_token.py
@@ -138,7 +138,6 @@ def test_oauth_code_successful_flow(
     monkeypatch,
     omit_oauth_urls_check,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     monkeypatch.setenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "true")
 
     wiremock_client.import_mapping(
@@ -181,7 +180,6 @@ def test_oauth_code_invalid_state(
     monkeypatch,
     omit_oauth_urls_check,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     monkeypatch.setenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "true")
 
     wiremock_client.import_mapping(
@@ -217,7 +215,6 @@ def test_oauth_code_scope_error(
     webbrowser_mock,
     monkeypatch,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     monkeypatch.setenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "true")
 
     wiremock_client.import_mapping(
@@ -254,7 +251,6 @@ def test_oauth_code_token_request_error(
     monkeypatch,
     omit_oauth_urls_check,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     monkeypatch.setenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "true")
 
     with WiremockClient() as wiremock_client:
@@ -293,7 +289,6 @@ def test_oauth_code_browser_timeout(
     monkeypatch,
     omit_oauth_urls_check,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     monkeypatch.setenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "true")
 
     wiremock_client.import_mapping(
@@ -335,7 +330,6 @@ def test_oauth_code_custom_urls(
     monkeypatch,
     omit_oauth_urls_check,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     monkeypatch.setenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "true")
 
     wiremock_client.import_mapping(
@@ -379,7 +373,6 @@ def test_oauth_code_successful_refresh_token_flow(
     temp_cache,
     omit_oauth_urls_check,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     monkeypatch.setenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "true")
 
     wiremock_client.import_mapping(
@@ -440,7 +433,6 @@ def test_oauth_code_expired_refresh_token_flow(
     temp_cache,
     omit_oauth_urls_check,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     monkeypatch.setenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "true")
 
     wiremock_client.import_mapping(
@@ -522,7 +514,6 @@ def test_client_creds_successful_flow(
     wiremock_generic_mappings_dir,
     monkeypatch,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     wiremock_client.import_mapping(
         wiremock_oauth_client_creds_dir / "successful_flow.json"
     )
@@ -557,7 +548,6 @@ def test_client_creds_token_request_error(
     wiremock_generic_mappings_dir,
     monkeypatch,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
     wiremock_client.import_mapping(
         wiremock_oauth_client_creds_dir / "token_request_error.json"
     )
@@ -597,8 +587,6 @@ def test_client_creds_successful_refresh_token_flow(
     monkeypatch,
     temp_cache,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
-
     wiremock_client.import_mapping(
         wiremock_generic_mappings_dir / "snowflake_login_failed.json"
     )
@@ -653,8 +641,6 @@ def test_client_creds_expired_refresh_token_flow(
     monkeypatch,
     temp_cache,
 ) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "true")
-
     wiremock_client.import_mapping(
         wiremock_generic_mappings_dir / "snowflake_login_failed.json"
     )
@@ -701,44 +687,3 @@ def test_client_creds_expired_refresh_token_flow(
     new_refresh_token = temp_cache.retrieve(refresh_token_key)
     assert new_access_token == "access-token-123"
     assert new_refresh_token == "refresh-token-123"
-
-
-@pytest.mark.skipolddriver
-@pytest.mark.parametrize(
-    "authenticator", ["OAUTH_AUTHORIZATION_CODE", "OAUTH_CLIENT_CREDENTIALS"]
-)
-def test_auth_is_experimental(
-    authenticator,
-    monkeypatch,
-) -> None:
-    monkeypatch.delenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", False)
-    with pytest.raises(
-        snowflake.connector.ProgrammingError,
-        match=r"SF_ENABLE_EXPERIMENTAL_AUTHENTICATION",
-    ):
-        snowflake.connector.connect(
-            user="testUser",
-            account="testAccount",
-            authenticator=authenticator,
-        )
-
-
-@pytest.mark.skipolddriver
-@pytest.mark.skipolddriver
-@pytest.mark.parametrize(
-    "authenticator", ["OAUTH_AUTHORIZATION_CODE", "OAUTH_CLIENT_CREDENTIALS"]
-)
-def test_auth_experimental_when_variable_set_to_false(
-    authenticator,
-    monkeypatch,
-) -> None:
-    monkeypatch.setenv("SF_ENABLE_EXPERIMENTAL_AUTHENTICATION", "false")
-    with pytest.raises(
-        snowflake.connector.ProgrammingError,
-        match=r"SF_ENABLE_EXPERIMENTAL_AUTHENTICATION",
-    ):
-        snowflake.connector.connect(
-            user="testUser",
-            account="testAccount",
-            authenticator="OAUTH_CLIENT_CREDENTIALS",
-        )
