Replace Deprecated (Current) OAuth2 Handling with AuthManager Implementation LegacyOAuth2AuthManager #1981

Merged
merged 5 commits into from
May 16, 2025

Conversation

Collaborator

@sungwy sungwy commented May 8, 2025

Rationale for this change

Replace existing Auth handling with LegacyOAuth2AuthManager. Tracking issue: #1909

There will be follow up PRs to this PR that will address the following:

  • introduce a mechanism for using a custom AuthManager implementation, along with the ability to use a set of config parameters
  • introduce an OAuth2AuthManager that more closely follows the OAuth2 protocol, and also uses a separate thread to proactively refresh the token, rather than reactively refreshing the token on UnAuthorizedError or the deprecated AuthorizationExpiredError.

Are these changes tested?

Yes, both through unit and integration tests

Are there any user-facing changes?

Yes - previously, if TOKEN and CREDENTIAL are both defined, oauth/tokens endpoint wouldn't be used to refresh the token with client credentials when the RestCatalog was initialized. However, oauth/tokens endpoint would be used on retries that handled 401 or 419 error.

This erratic behavior will now be updated as follows:

  • if CREDENTIAL is defined, oauth/tokens endpoint will be used to fetch the access token using the client credentials both when the RestCatalog is initialized, and when the refresh_tokens call is made as a reaction to 401 or 419 error.
  • if both CREDENTIAL and TOKEN are defined, we will follow the above behavior.
  • if only TOKEN is defined, the initial token will be used instead

@sungwy sungwy requested a review from Fokko May 8, 2025 03:03
@sungwy sungwy changed the title Replace Deprecated (Current) OAuth2 Handling with AuthManager Implementation LegacyOAuth2AuthManager Replace Deprecated (Current) OAuth2 Handling with AuthManager Implementation LegacyOAuth2AuthManager May 8, 2025
Comment on lines +623 to +624
# LegacyOAuth2AuthManager is created twice through `_create_session()`
# which results in the token being refreshed twice when the RestCatalog is initialized.
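Review bot: the comment on lines +623 to +624 records that the token is refreshed twice when the RestCatalog is initialized, but it does not say whether that is accepted or temporary. Consider extending it with a TODO that points at the tracking issue, so the second call made through `_create_session()` is not later read as intended behavior.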
Contributor

Any way to avoid this?

Collaborator Author

@sungwy sungwy May 15, 2025

@Fokko Yeah I thought about this and this is my thought process for giving up on fixing this:

  • This is the current behavior of the OAuth2 based token exchange workflow, where _create_session() is called during init() and _fetch_config(). I think this is inherently okay, but the behavior of the current token fetcher is to refresh the token when _create_session() is called. In the future, we'd want to have an OAuth2AuthManager that refreshes the token through a background thread, and does this proactively by keeping track of the token expiration.
  • The reason this specific test seemingly behaved correctly before is because of an unfortunate bug, where if the TOKEN and CLIENT_CREDENTIAL are both defined, _create_session doesn't fetch the token using the CLIENT_CREDENTIAL in the above two calls, but fetches the token using CLIENT_CREDENTIAL on retry - notice that the input parameter of the retry hook is missing the TOKEN value.
  • Given that the current method of fetching tokens LegacyOAuth2AuthManager will be deprecated, I thought it would be okay to try to improve this behavior

Contributor

Got it, thanks for the clarification. Sounds good to change this until the LegacyManager will be deprecated 👍
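The token-selection rules from the PR description and the double refresh discussed in this review thread, as an added sketch that is not the project's code. The class names, the `on_response` hook, the fake endpoint and the credential string are all hypothetical and constructed for illustration.

```python
from typing import Callable, Optional

REFRESH_STATUSES = {401, 419}  # statuses the PR says trigger a token refresh


class SketchLegacyAuthManager:
    """Hypothetical model of the behaviour described in the PR text."""

    def __init__(self, fetch_token: Callable[[str], str],
                 credential: Optional[str] = None,
                 initial_token: Optional[str] = None) -> None:
        self._fetch_token = fetch_token
        self._credential = credential
        # CREDENTIAL takes precedence over TOKEN: exchange it at construction.
        # With only TOKEN defined, the supplied token is used unchanged.
        self._token = fetch_token(credential) if credential else initial_token

    def auth_header(self) -> Optional[str]:
        return f"Bearer {self._token}" if self._token else None

    def on_response(self, status: int) -> bool:
        """Return True if the token was refreshed and the caller should retry."""
        # Assumption: without a credential there is nothing to exchange,
        # so a 401/419 is surfaced to the caller instead of retried.
        if status in REFRESH_STATUSES and self._credential:
            self._token = self._fetch_token(self._credential)
            return True
        return False


class FakeTokenEndpoint:
    """Constructed stand-in for oauth/tokens; counts credential exchanges."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, credential: str) -> str:
        self.calls += 1
        return f"access-{self.calls}"


def init_twice(endpoint: FakeTokenEndpoint) -> SketchLegacyAuthManager:
    """Mimics the manager being built twice during catalog initialization."""
    SketchLegacyAuthManager(endpoint, "client:secret", "static-token")
    return SketchLegacyAuthManager(endpoint, "client:secret", "static-token")
```

Counting calls on the fake endpoint is the useful part for monitoring: each construction with a credential is one client-credentials exchange, so two constructions at startup show up as two token requests.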

Contributor

Fokko commented May 12, 2025

Looks good @sungwy left some small comments, but looks great 🙌

@Fokko Fokko merged commit 62ad2ca into apache:main May 16, 2025
10 checks passed
Contributor

Fokko commented May 16, 2025

Thanks @sungwy for driving this 🚀
