Improve getting OAuth tokens

Jan Waś · nineinchnick · commit 5be75c155ae9 · 2025-05-03T14:14:32.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -8,10 +8,8 @@ ADD catalog/ /etc/trino/catalog/disabled/
 ADD docker-entrypoint.sh /usr/local/bin/
 
 ENV OPENAPI_AUTH_TYPE=none \
-    OPENAPI_TOKEN_ENDPOINT=/oauth/token \
     OPENAPI_CLIENT_ID="" \
     OPENAPI_CLIENT_SECRET="" \
-    OPENAPI_GRANT_TYPE=password \
     OPENAPI_USERNAME="" \
     OPENAPI_PASSWORD="" \
     OPENAPI_BEARER_TOKEN="" \
diff --git a/README.md b/README.md
@@ -48,10 +48,8 @@ After reloading Trino, you should be able to connect to the `openapi` catalog.
 | base-uri                      | `OPENAPI_BASE_URI`               | Base URL for the API, often includes API version                                                         |
 | authentication.type           | `OPENAPI_AUTH_TYPE`              | Default authentication type if not set in the specification. One of: `none`, `http`, `api_key`, `oauth`. |
 | authentication.scheme         | `OPENAPI_AUTH_SCHEME`            | Authentication scheme for the `http` authentication type. One of: `basic`, `bearer`.                     |
-| authentication.token-endpoint | `OPENAPI_TOKEN_ENDPOINT`         | OAuth token endpoint URL                                                                                 |
 | authentication.client-id      | `OPENAPI_CLIENT_ID`              | OAuth Client ID                                                                                          |
 | authentication.client-secret  | `OPENAPI_CLIENT_SECRET`          | OAuth Client secret                                                                                      |
-| authentication.grant-type     | `OPENAPI_GRANT_TYPE`             | OAuth grant type                                                                                         |
 | authentication.username       | `OPENAPI_USERNAME`               | Username used for the `http` and `oauth` authentication types                                            |
 | authentication.password       | `OPENAPI_PASSWORD`               | Password used for the `http` and `oauth` authentication types                                            |
 | authentication.bearer-token   | `OPENAPI_BEARER_TOKEN`           | Bearer token for `http` authentication                                                                   |
diff --git a/catalog/jira.properties b/catalog/jira.properties
@@ -2,6 +2,5 @@ connector.name=openapi
 spec-location=https://developer.atlassian.com/cloud/jira/platform/swagger-v3.v3.json
 base-uri=${ENV:JIRA_URL}
 authentication.type=basic
-authentication.token-endpoint=/oauth/token
 authentication.username=${ENV:JIRA_USERNAME}
 authentication.password=${ENV:JIRA_PASSWORD}
diff --git a/catalog/openapi.properties b/catalog/openapi.properties
@@ -2,10 +2,8 @@ connector.name=openapi
 spec-location=${ENV:OPENAPI_SPEC_LOCATION}
 base-uri=${ENV:OPENAPI_BASE_URI}
 authentication.type=${ENV:OPENAPI_AUTH_TYPE}
-authentication.token-endpoint=${ENV:OPENAPI_TOKEN_ENDPOINT}
 authentication.client-id=${ENV:OPENAPI_CLIENT_ID}
 authentication.client-secret=${ENV:OPENAPI_CLIENT_SECRET}
-authentication.grant-type=${ENV:OPENAPI_GRANT_TYPE}
 authentication.username=${ENV:OPENAPI_USERNAME}
 authentication.password=${ENV:OPENAPI_PASSWORD}
 authentication.bearer-token=${ENV:OPENAPI_BEARER_TOKEN}
diff --git a/catalog/petstore.properties b/catalog/petstore.properties
@@ -2,10 +2,8 @@ connector.name=openapi
 spec-location=${ENV:PETSTORE_URL}/openapi.yaml
 base-uri=${ENV:PETSTORE_URL}/v3
 authentication.type=oauth
-authentication.token-endpoint=/oauth/token
 authentication.client-id=sample-client-id
 authentication.client-secret=secret
-authentication.grant-type=password
 authentication.username=user
 authentication.password=user
 authentication.api-key-name=api_key
diff --git a/src/main/java/pl/net/was/OpenApiConfig.java b/src/main/java/pl/net/was/OpenApiConfig.java
@@ -45,10 +45,8 @@ public class OpenApiConfig
     private String apiKeyName;
     private String apiKeyValue;
 
-    private String tokenEndpoint = "/oauth/v2/token";
     private String clientId;
     private String clientSecret;
-    private String grantType;
 
     private double maxRequestsPerSecond = Double.MAX_VALUE;
     private double maxSplitsPerSecond = Double.MAX_VALUE;
@@ -214,19 +212,6 @@ public OpenApiConfig setApiKeyValue(String apiKeyValue)
         return this;
     }
 
-    public String getTokenEndpoint()
-    {
-        return tokenEndpoint;
-    }
-
-    @Config("authentication.token-endpoint")
-    @ConfigDescription("OAuth token endpoint")
-    public OpenApiConfig setTokenEndpoint(String tokenEndpoint)
-    {
-        this.tokenEndpoint = tokenEndpoint;
-        return this;
-    }
-
     public String getClientId()
     {
         return clientId;
@@ -254,19 +239,6 @@ public OpenApiConfig setClientSecret(String clientSecret)
         return this;
     }
 
-    public String getGrantType()
-    {
-        return grantType;
-    }
-
-    @Config("authentication.grant-type")
-    @ConfigDescription("OAuth grant type")
-    public OpenApiConfig setGrantType(String grantType)
-    {
-        this.grantType = grantType;
-        return this;
-    }
-
     public double getMaxRequestsPerSecond()
     {
         return maxRequestsPerSecond;
diff --git a/src/main/java/pl/net/was/authentication/Authentication.java b/src/main/java/pl/net/was/authentication/Authentication.java
@@ -14,14 +14,17 @@
 package pl.net.was.authentication;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.google.common.base.Suppliers;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
 import com.google.common.collect.ImmutableMap;
 import com.google.inject.Inject;
-import io.airlift.http.client.BodyGenerator;
 import io.airlift.http.client.HttpClient;
 import io.airlift.http.client.HttpRequestFilter;
 import io.airlift.http.client.Request;
 import io.swagger.v3.oas.models.PathItem;
+import io.swagger.v3.oas.models.security.OAuthFlow;
+import io.swagger.v3.oas.models.security.OAuthFlows;
 import io.swagger.v3.oas.models.security.SecurityRequirement;
 import io.swagger.v3.oas.models.security.SecurityScheme;
 import pl.net.was.OpenApiConfig;
@@ -33,10 +36,9 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.function.Supplier;
 
+import static com.google.common.base.MoreObjects.firstNonNull;
 import static com.google.common.io.BaseEncoding.base64Url;
-import static io.airlift.http.client.HttpUriBuilder.uriBuilderFrom;
 import static io.airlift.http.client.JsonResponseHandler.createJsonResponseHandler;
 import static io.airlift.http.client.Request.Builder.fromRequest;
 import static io.airlift.http.client.Request.Builder.preparePost;
@@ -66,11 +68,10 @@ public class Authentication
 
     private final URI baseUri;
     private final HttpClient httpClient;
-    private final BodyGenerator bodyGenerator;
-    private final String tokenEndpoint;
     private final String clientId;
     private final String clientSecret;
-    private final Supplier<String> token = Suppliers.memoize(this::getToken);
+    private final LoadingCache<String, String> tokens = CacheBuilder.newBuilder()
+            .build(CacheLoader.from(this::getToken));
 
     @Inject
     public Authentication(OpenApiConfig config,
@@ -93,13 +94,6 @@ public Authentication(OpenApiConfig config,
 
         this.baseUri = requireNonNull(config.getBaseUri(), "baseUri is null");
         this.httpClient = requireNonNull(httpClient, "httpClient is null");
-        if (config.getGrantType() != null && !config.getGrantType().isEmpty()) {
-            this.bodyGenerator = createStaticBodyGenerator(getBody(config.getGrantType(), config.getUsername(), config.getPassword()), UTF_8);
-        }
-        else {
-            this.bodyGenerator = null;
-        }
-        this.tokenEndpoint = config.getTokenEndpoint();
         this.clientId = config.getClientId();
         this.clientSecret = config.getClientSecret();
     }
@@ -120,7 +114,7 @@ public Request filterRequest(Request request)
                     applyApiKeyAuth(builder, uri, scheme);
                 }
                 case HTTP -> applyHttpAuth(builder, null);
-                case OAUTH -> applyOAuth(builder);
+                case OAUTH -> throw new UnsupportedOperationException("OAuth cannot be used as a default authentication method");
             }
         }
         return builder.build();
@@ -150,7 +144,17 @@ private void applyAuthFilters(Request.Builder builder, List<SecurityRequirement>
                     switch (securitySchema.getType()) {
                         case APIKEY -> applyApiKeyAuth(builder, uri, securitySchema);
                         case HTTP -> applyHttpAuth(builder, securitySchema.getScheme());
-                        case OAUTH2 -> applyOAuth(builder);
+                        case OAUTH2 -> {
+                            OAuthFlows flows = requireNonNull(securitySchema.getFlows(), "flows are null");
+                            OAuthFlow flow = firstNonNull(
+                                    flows.getPassword(),
+                                    firstNonNull(
+                                            flows.getAuthorizationCode(),
+                                            firstNonNull(
+                                                    flows.getClientCredentials(),
+                                                    flows.getImplicit())));
+                            applyOAuth(builder, flow.getAuthorizationUrl());
+                        }
                         default -> throw new IllegalArgumentException(format("Unsupported security schema %s", securitySchema.getType()));
                     }
                 });
@@ -208,7 +212,7 @@ private Request.Builder applyHttpAuth(Request.Builder builder, String scheme)
         return builder.addHeader("Authorization", value);
     }
 
-    private Request.Builder applyOAuth(Request.Builder builder)
+    private Request.Builder applyOAuth(Request.Builder builder, String authorizationUrl)
     {
         // TODO pick one of supported securitySchema.getFlows(), instead of hardcoding clientCredentials
         // TODO use options as scopes
@@ -227,7 +231,7 @@ private Request.Builder applyOAuth(Request.Builder builder)
                       write:pets: modify pets in your account
                       read:pets: read your pets
                  */
-        return builder.addHeader("Authorization", "Bearer " + token.get());
+        return builder.addHeader("Authorization", "Bearer " + tokens.getUnchecked(authorizationUrl));
     }
 
     private static String getAuthHeader(String scheme, String username, String password)
@@ -240,32 +244,30 @@ private static String capitalize(String input)
         return input.substring(0, 1).toUpperCase(Locale.ENGLISH) + input.substring(1).toLowerCase(Locale.ENGLISH);
     }
 
-    private String getToken()
+    private String getToken(String authorizationUrl)
     {
-        requireNonNull(bodyGenerator, "bodyGenerator is null");
         return httpClient.execute(
                         preparePost()
-                                .setUri(uriBuilderFrom(baseUri)
-                                        .replacePath(tokenEndpoint)
-                                        .build())
+                                .setUri(URI.create(authorizationUrl))
                                 .setHeader("Content-Type", "application/x-www-form-urlencoded")
-                                .setHeader("Authorization", "Basic " + base64Url().encode("%s:%s".formatted(clientId, clientSecret).getBytes(UTF_8)))
-                                .setBodyGenerator(bodyGenerator)
+                                .setBodyGenerator(createStaticBodyGenerator(
+                                        getBody("client_credentials", clientId, clientSecret),
+                                        UTF_8))
                                 .build(),
                         createJsonResponseHandler(jsonCodec(Authentication.TokenResponse.class)))
                 .accessToken();
     }
 
-    private static String getBody(String grantType, String username, String password)
+    private static String getBody(String grantType, String clientId, String clientSecret)
     {
         requireNonNull(grantType, "grantType is null");
         ImmutableMap.Builder<String, String> params = ImmutableMap.<String, String>builder()
                 .put("grant_type", grantType);
-        if (username != null && !username.isEmpty()) {
-            params.put("username", username);
+        if (clientId != null && !clientId.isEmpty()) {
+            params.put("client_id", clientId);
         }
-        if (password != null && !password.isEmpty()) {
-            params.put("password", password);
+        if (clientSecret != null && !clientSecret.isEmpty()) {
+            params.put("client_secret", clientSecret);
         }
 
         return params.build().entrySet().stream()
diff --git a/src/test/java/pl/net/was/KeycloakServer.java b/src/test/java/pl/net/was/KeycloakServer.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package pl.net.was;
+
+import io.trino.testing.containers.junit.ReportLeakedContainers;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.wait.strategy.HttpWaitStrategy;
+import org.testcontainers.utility.MountableFile;
+
+import java.io.Closeable;
+
+import static java.lang.String.format;
+import static java.util.Objects.requireNonNull;
+
+public class KeycloakServer
+        implements Closeable
+{
+    private static final int API_PORT = 8080;
+    private static final String TOKEN_PATH = "/realms/trino-realm/protocol/openid-connect/token";
+    private final GenericContainer<?> dockerContainer;
+
+    public KeycloakServer()
+    {
+        dockerContainer = new GenericContainer<>("quay.io/keycloak/keycloak:26.1.4")
+                .withExposedPorts(8080)
+                .withStartupAttempts(3)
+                .withEnv("KC_BOOTSTRAP_ADMIN_USERNAME", "admin")
+                .withEnv("KC_BOOTSTRAP_ADMIN_PASSWORD", "admin")
+                .withCopyFileToContainer(MountableFile.forClasspathResource("test-keycloak-realm.json", 0644), "/opt/keycloak/data/import/realm.json")
+                .waitingFor(new HttpWaitStrategy().forPort(8080).forPath("/realms/master").forStatusCode(200));
+        dockerContainer.withCreateContainerCmdModifier(cmd -> cmd
+                .withCmd("start-dev", "--import-realm")
+                .withHostConfig(requireNonNull(cmd.getHostConfig(), "hostConfig is null")
+                        .withPublishAllPorts(true)));
+        dockerContainer.start();
+        ReportLeakedContainers.ignoreContainerId(dockerContainer.getContainerId());
+    }
+
+    public String getTokenUrl()
+    {
+        return format("http://%s:%s%s", dockerContainer.getHost(), dockerContainer.getMappedPort(API_PORT), TOKEN_PATH);
+    }
+
+    @Override
+    public void close()
+    {
+        dockerContainer.close();
+    }
+}
diff --git a/src/test/java/pl/net/was/OpenApiQueryRunner.java b/src/test/java/pl/net/was/OpenApiQueryRunner.java
@@ -72,7 +72,7 @@ public static void main(String[] args)
     {
         ImmutableMap.Builder<String, String> properties = ImmutableMap.builder();
         if (System.getenv("OPENAPI_SPEC_LOCATION") == null || System.getenv("OPENAPI_BASE_URI") == null) {
-            PetStoreServer server = new PetStoreServer();
+            PetStoreServer server = new PetStoreServer(new KeycloakServer());
             properties.put("spec-location", server.getSpecUrl());
             properties.put("base-uri", server.getApiUrl());
         }
@@ -83,17 +83,15 @@ public static void main(String[] args)
         properties.putAll(Map.of(
                 "openApi.http-client.log.enabled", "true",
                 "openApi.http-client.log.path", "logs",
-                "authentication.type", requireNonNullElse(System.getenv("OPENAPI_AUTH_TYPE"), "oauth"),
+                "authentication.type", requireNonNullElse(System.getenv("OPENAPI_AUTH_TYPE"), "api_key"),
                 "authentication.scheme", requireNonNullElse(System.getenv("OPENAPI_AUTH_SCHEME"), "basic"),
-                "authentication.username", requireNonNullElse(System.getenv("OPENAPI_USERNAME"), "user"),
-                "authentication.password", requireNonNullElse(System.getenv("OPENAPI_PASSWORD"), "user"),
+                "authentication.username", requireNonNullElse(System.getenv("OPENAPI_USERNAME"), "test"),
+                "authentication.password", requireNonNullElse(System.getenv("OPENAPI_PASSWORD"), "abc123"),
                 "authentication.bearer-token", requireNonNullElse(System.getenv("OPENAPI_BEARER_TOKEN"), "")));
-        if (System.getenv("OPENAPI_GRANT_TYPE") != null) {
+        if (System.getenv("OPENAPI_CLIENT_ID") != null) {
             properties.putAll(Map.of(
-                    "authentication.token-endpoint", requireNonNullElse(System.getenv("OPENAPI_TOKEN_ENDPOINT"), "/oauth/token"),
                     "authentication.client-id", requireNonNullElse(System.getenv("OPENAPI_CLIENT_ID"), "sample-client-id"),
-                    "authentication.client-secret", requireNonNullElse(System.getenv("OPENAPI_CLIENT_SECRET"), "secret"),
-                    "authentication.grant-type", System.getenv("OPENAPI_GRANT_TYPE")));
+                    "authentication.client-secret", requireNonNullElse(System.getenv("OPENAPI_CLIENT_SECRET"), "secret")));
         }
         if (System.getenv("OPENAPI_API_KEYS") != null) {
             properties.put("authentication.api-keys", System.getenv("OPENAPI_API_KEYS"));
diff --git a/src/test/java/pl/net/was/PetStoreServer.java b/src/test/java/pl/net/was/PetStoreServer.java
diff --git a/src/test/java/pl/net/was/TestOpenApiQueries.java b/src/test/java/pl/net/was/TestOpenApiQueries.java
diff --git a/src/test/resources/test-keycloak-realm.json b/src/test/resources/test-keycloak-realm.json
