Remove username as mandatory and IDP_HOST property

Author: sfc-gh-dheyman

src/main/java/net/snowflake/client/core/CredentialManager.java

@@ -4,6 +4,7 @@
 
 package net.snowflake.client.core;
 
+import com.amazonaws.util.StringUtils;
 import com.google.common.base.Strings;
 import java.net.URI;
 import net.snowflake.client.jdbc.ErrorCode;
@@ -131,6 +132,10 @@ static void fillCachedOAuthRefreshToken(SFLoginInput loginInput) throws SFExcept
   synchronized void fillCachedCredential(
       SFLoginInput loginInput, String host, String username, CachedCredentialType credType)
       throws SFException {
+    if (StringUtils.isNullOrEmpty(username)) {
+      logger.debug("Missing username; Cannot read from credential cache");
+      return;
+    }
     if (secureStorageManager == null) {
       logMissingJnaJarForSecureLocalStorage();
       return;
@@ -240,6 +245,10 @@ static void writeOAuthRefreshToken(SFLoginInput loginInput) throws SFException {
   /** Store the temporary credential */
   synchronized void writeTemporaryCredential(
       String host, String user, String cred, CachedCredentialType credType) {
+    if (StringUtils.isNullOrEmpty(user)) {
+      logger.debug("Missing username; Cannot write to credential cache");
+      return;
+    }
     if (Strings.isNullOrEmpty(cred)) {
       logger.debug("No {} is given.", credType);
       return; // no credential
@@ -322,6 +331,10 @@ synchronized void deleteTemporaryCredential(
       logMissingJnaJarForSecureLocalStorage();
       return;
     }
+    if (StringUtils.isNullOrEmpty(user)) {
+      logger.debug("Missing username; Cannot delete from credential cache");
+      return;
+    }
 
     try {
       secureStorageManager.deleteCredential(host, user, credType.getValue());

src/main/java/net/snowflake/client/core/SessionUtil.java

@@ -7,6 +7,7 @@
 import static net.snowflake.client.core.SFTrustManager.resetOCSPResponseCacherServerURL;
 import static net.snowflake.client.jdbc.SnowflakeUtil.systemGetProperty;
 
+import com.amazonaws.util.StringUtils;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.Strings;
@@ -31,7 +32,6 @@
 import net.snowflake.client.core.auth.oauth.AccessTokenProvider;
 import net.snowflake.client.core.auth.oauth.OAuthAccessTokenForRefreshTokenProvider;
 import net.snowflake.client.core.auth.oauth.OAuthAccessTokenProviderFactory;
-import net.snowflake.client.core.auth.oauth.OAuthUtil;
 import net.snowflake.client.core.auth.oauth.TokenResponseDTO;
 import net.snowflake.client.jdbc.ErrorCode;
 import net.snowflake.client.jdbc.SnowflakeDriver;
@@ -286,20 +286,16 @@ static SFLoginOutput openSession(
     final AuthenticatorType authenticator = getAuthenticator(loginInput);
     checkIfExperimentalAuthnEnabled(authenticator);
 
-    if (authenticator.equals(AuthenticatorType.OAUTH)
-        || authenticator.equals(AuthenticatorType.PROGRAMMATIC_ACCESS_TOKEN)) {
-      // OAUTH and PAT needs either token or password
+    if (isTokenOrPasswordRequired(authenticator)) {
       AssertUtil.assertTrue(
           loginInput.getToken() != null || loginInput.getPassword() != null,
           "missing token or password for opening session");
-    } else {
-      // OAuth and PAT do not require a username
+    }
+    if (isUsernameRequired(authenticator)) {
       AssertUtil.assertTrue(
           loginInput.getUserName() != null, "missing user name for opening session");
     }
-    if (authenticator.equals(AuthenticatorType.EXTERNALBROWSER)
-        || authenticator.equals(AuthenticatorType.OAUTH_AUTHORIZATION_CODE)
-        || authenticator.equals(AuthenticatorType.OAUTH_CLIENT_CREDENTIALS)) {
+    if (isEligibleForTokenCaching(authenticator)) {
       if ((Constants.getOS() == Constants.OS.MAC || Constants.getOS() == Constants.OS.WINDOWS)
           && loginInput.isEnableClientStoreTemporaryCredential()) {
         // force to set the flag for Mac/Windows users
@@ -328,7 +324,7 @@ static SFLoginOutput openSession(
       }
     }
 
-    readCachedTokens(loginInput);
+    readCachedTokensIfPossible(loginInput);
 
     if (OAuthAccessTokenProviderFactory.isEligible(getAuthenticator(loginInput))) {
       obtainAuthAccessTokenAndUpdateInput(loginInput);
@@ -362,6 +358,24 @@ static void checkIfExperimentalAuthnEnabled(AuthenticatorType authenticator) thr
     }
   }
 
+  private static boolean isEligibleForTokenCaching(AuthenticatorType authenticator) {
+    return authenticator.equals(AuthenticatorType.EXTERNALBROWSER)
+        || authenticator.equals(AuthenticatorType.OAUTH_AUTHORIZATION_CODE)
+        || authenticator.equals(AuthenticatorType.OAUTH_CLIENT_CREDENTIALS);
+  }
+
+  private static boolean isTokenOrPasswordRequired(AuthenticatorType authenticator) {
+    return authenticator.equals(AuthenticatorType.OAUTH)
+        || authenticator.equals(AuthenticatorType.PROGRAMMATIC_ACCESS_TOKEN);
+  }
+
+  private static boolean isUsernameRequired(AuthenticatorType authenticator) {
+    return !authenticator.equals(AuthenticatorType.OAUTH)
+        && !authenticator.equals(AuthenticatorType.PROGRAMMATIC_ACCESS_TOKEN)
+        && !authenticator.equals(AuthenticatorType.OAUTH_AUTHORIZATION_CODE)
+        && !authenticator.equals(AuthenticatorType.OAUTH_CLIENT_CREDENTIALS);
+  }
+
   private static void obtainAuthAccessTokenAndUpdateInput(SFLoginInput loginInput)
       throws SFException {
     if (loginInput.getOauthAccessToken() != null) { // Access Token was cached
@@ -410,11 +424,13 @@ private static void refreshOAuthAccessTokenAndUpdateInput(SFLoginInput loginInpu
     }
   }
 
-  private static void readCachedTokens(SFLoginInput loginInput) throws SFException {
+  private static void readCachedTokensIfPossible(SFLoginInput loginInput) throws SFException {
     if (asBoolean(loginInput.getSessionParameters().get(CLIENT_STORE_TEMPORARY_CREDENTIAL))) {
-      CredentialManager.fillCachedIdToken(loginInput);
-      CredentialManager.fillCachedOAuthAccessToken(loginInput);
-      CredentialManager.fillCachedOAuthRefreshToken(loginInput);
+      if (!StringUtils.isNullOrEmpty(loginInput.getUserName())) {
+        CredentialManager.fillCachedIdToken(loginInput);
+        CredentialManager.fillCachedOAuthAccessToken(loginInput);
+        CredentialManager.fillCachedOAuthRefreshToken(loginInput);
+      }
     }
 
     if (asBoolean(loginInput.getSessionParameters().get(CLIENT_REQUEST_MFA_TOKEN))) {
@@ -607,10 +623,6 @@ static SFLoginOutput newSession(
       if (authenticatorType == AuthenticatorType.OAUTH
           && loginInput.getOriginalAuthenticator() != null) {
         data.put(ClientAuthnParameter.OAUTH_TYPE.name(), loginInput.getOriginalAuthenticator());
-        URI idpUri =
-            OAuthUtil.getTokenRequestUrl(
-                loginInput.getOauthLoginInput(), loginInput.getServerUrl());
-        data.put(ClientAuthnParameter.IDP_HOST.name(), idpUri.getHost());
       }
 
       // map of client environment parameters, including connection parameters

src/main/java/net/snowflake/client/core/auth/ClientAuthnParameter.java

@@ -21,6 +21,5 @@ public enum ClientAuthnParameter {
   SESSION_PARAMETERS,
   PROOF_KEY,
   TOKEN,
-  OAUTH_TYPE,
-  IDP_HOST
+  OAUTH_TYPE
 }

src/main/java/net/snowflake/client/core/auth/oauth/OAuthAccessTokenProviderFactory.java

@@ -115,10 +115,10 @@ private void assertContainsClientCredentials(
     AssertUtil.assertTrue(
         loginInput.getOauthLoginInput().getClientId() != null,
         String.format(
-            "passing clientId is required for %s authentication", authenticatorType.name()));
+            "passing oauthClientId is required for %s authentication", authenticatorType.name()));
     AssertUtil.assertTrue(
         loginInput.getOauthLoginInput().getClientSecret() != null,
         String.format(
-            "passing clientSecret is required for %s authentication", authenticatorType.name()));
+            "passing oauthClientSecret is required for %s authentication", authenticatorType.name()));
   }
 }

src/main/java/net/snowflake/client/core/auth/oauth/OAuthUtil.java

@@ -10,21 +10,18 @@
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import net.snowflake.client.core.SFOauthLoginInput;
-import net.snowflake.client.core.SnowflakeJdbcInternalApi;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpRequestBase;
 import org.apache.http.entity.StringEntity;
 
-@SnowflakeJdbcInternalApi
-public class OAuthUtil {
+class OAuthUtil {
 
   private static final String SNOWFLAKE_AUTHORIZE_ENDPOINT = "/oauth/authorize";
   private static final String SNOWFLAKE_TOKEN_REQUEST_ENDPOINT = "/oauth/token-request";
 
   private static final String DEFAULT_SESSION_ROLE_SCOPE_PREFIX = "session:role:";
 
-  @SnowflakeJdbcInternalApi
-  public static URI getTokenRequestUrl(SFOauthLoginInput oauthLoginInput, String serverUrl) {
+  static URI getTokenRequestUrl(SFOauthLoginInput oauthLoginInput, String serverUrl) {
     URI uri =
         !StringUtils.isNullOrEmpty(oauthLoginInput.getTokenRequestUrl())
             ? URI.create(oauthLoginInput.getTokenRequestUrl())

src/test/java/net/snowflake/client/core/auth/oauth/OAuthAccessTokenProviderFactoryTest.java

@@ -84,7 +84,7 @@ public void shouldFailToCreateClientCredentialsAccessTokenProviderWithoutClientI
                     AuthenticatorType.OAUTH_CLIENT_CREDENTIALS, loginInput));
     Assertions.assertTrue(
         e.getMessage()
-            .contains("passing clientId is required for OAUTH_CLIENT_CREDENTIALS authentication."));
+            .contains("passing oauthClientId is required for OAUTH_CLIENT_CREDENTIALS authentication."));
   }
 
   @Test
@@ -99,7 +99,7 @@ public void shouldFailToCreateClientCredentialsAccessTokenProviderWithoutClientS
     Assertions.assertTrue(
         e.getMessage()
             .contains(
-                "passing clientSecret is required for OAUTH_CLIENT_CREDENTIALS authentication."));
+                "passing oauthClientSecret is required for OAUTH_CLIENT_CREDENTIALS authentication."));
   }
 
   @Test
@@ -138,7 +138,7 @@ public void shouldFailToCreateAuthzCodeAccessTokenProviderWithoutClientId() {
                     AuthenticatorType.OAUTH_AUTHORIZATION_CODE, loginInput));
     Assertions.assertTrue(
         e.getMessage()
-            .contains("passing clientId is required for OAUTH_AUTHORIZATION_CODE authentication."));
+            .contains("passing oauthClientId is required for OAUTH_AUTHORIZATION_CODE authentication."));
   }
 
   @Test
@@ -153,7 +153,7 @@ public void shouldFailToCreateAuthzCodeAccessTokenProviderWithoutClientSecret()
     Assertions.assertTrue(
         e.getMessage()
             .contains(
-                "passing clientSecret is required for OAUTH_AUTHORIZATION_CODE authentication."));
+                "passing oauthClientSecret is required for OAUTH_AUTHORIZATION_CODE authentication."));
   }
 
   @Test

src/test/resources/wiremock/mappings/oauth/token_caching/caching_refreshed_access_token_and_new_refresh_token.json

@@ -35,8 +35,7 @@
                 "TOKEN": "expired-access-token-123",
                 "LOGIN_NAME": "MOCK_USERNAME",
                 "AUTHENTICATOR": "OAUTH",
-                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS",
-                "IDP_HOST": "localhost"
+                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS"
               }
             },
             "ignoreExtraElements": true

src/test/resources/wiremock/mappings/oauth/token_caching/caching_tokens_after_connecting.json

@@ -69,8 +69,7 @@
                 "TOKEN": "access-token-123",
                 "LOGIN_NAME": "MOCK_USERNAME",
                 "AUTHENTICATOR": "OAUTH",
-                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS",
-                "IDP_HOST": "localhost"
+                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS"
               }
             },
             "ignoreExtraElements" : true

src/test/resources/wiremock/mappings/oauth/token_caching/refreshing_expired_access_token.json

@@ -35,8 +35,7 @@
                 "TOKEN": "expired-access-token-123",
                 "LOGIN_NAME": "MOCK_USERNAME",
                 "AUTHENTICATOR": "OAUTH",
-                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS",
-                "IDP_HOST": "localhost"
+                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS"
               }
             },
             "ignoreExtraElements": true

src/test/resources/wiremock/mappings/oauth/token_caching/restarting_full_flow_on_expiration_and_no_refresh_token.json

@@ -124,8 +124,7 @@
                 "TOKEN": "newly-obtained-access-token-123",
                 "LOGIN_NAME": "MOCK_USERNAME",
                 "AUTHENTICATOR": "OAUTH",
-                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS",
-                "IDP_HOST": "localhost"
+                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS"
               }
             },
             "ignoreExtraElements": true

src/test/resources/wiremock/mappings/oauth/token_caching/restarting_full_flow_on_refresh_token_error.json

@@ -35,8 +35,7 @@
                 "TOKEN": "expired-access-token-123",
                 "LOGIN_NAME": "MOCK_USERNAME",
                 "AUTHENTICATOR": "OAUTH",
-                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS",
-                "IDP_HOST": "localhost"
+                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS"
               }
             },
             "ignoreExtraElements": true

src/test/resources/wiremock/mappings/oauth/token_caching/reusing_cached_access_token_to_authenticate.json

@@ -35,8 +35,7 @@
                 "TOKEN": "reused-access-token-123",
                 "LOGIN_NAME": "MOCK_USERNAME",
                 "AUTHENTICATOR": "OAUTH",
-                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS",
-                "IDP_HOST": "localhost"
+                "OAUTH_TYPE": "OAUTH_CLIENT_CREDENTIALS"
               }
             },
             "ignoreExtraElements" : true