SNOW-1825621 OAuth code flow PKCE support #2137

sfc-gh-mkeller · 2025-01-16T19:22:15Z

Please answer these questions before submitting your pull requests. Thanks!

What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

Fixes SNOW-1825621
Fill out the following pre-review checklist:
- I am adding a new automated test(s) to verify correctness of my new code
- I am adding new logging messages
- I am adding a new telemetry message
- I am modifying authorization mechanisms
- I am adding new credentials
- I am modifying OCSP code
- I am adding a new dependency
Please describe how your code solves the related issue.

This PR builds on top of #2135 and it adds PKCE support on top of OAuth code flow.
This change has been tested manually, as it's fairly complicated to setup and we don't do unit tests for the different authentication methods.

(Optional) PR for stored-proc connector:

sfc-gh-eworoshow

I tried to take a quick look at only the PKCE changes...

src/snowflake/connector/auth/oauth_code.py

sfc-gh-eworoshow · 2025-01-24T21:58:27Z

src/snowflake/connector/auth/oauth_code.py

+                    hashlib.sha256(self._verifier.encode("utf-8")).digest()
+                )
+                .decode("utf-8")
+                .replace("=", "")


if it's URL-safe it shouldn't have any padding?

from https://docs.python.org/3/library/base64.html#base64.urlsafe_b64encode

The result can still contain =.

Unfortunately this remains necessary

sfc-gh-eworoshow

Looks reasonable to me but I'd prefer to stamp after we see a "clean" diff with the preceding work merged first.

sfc-gh-mkeller requested review from sfc-gh-dyadav and sfc-gh-eworoshow January 16, 2025 19:22

sfc-gh-mkeller changed the title ~~SNOW-1825621 OAuth PKCE support~~ SNOW-1825621 OAuth code flow PKCE support Jan 16, 2025

sfc-gh-mkeller force-pushed the mkeller/SNOW-1825621/pkce-support branch from dc687f4 to 3684460 Compare January 16, 2025 19:24

sfc-gh-mkeller added the DO_NOT_PORT_CHANGES_TO_SP Add this label when changes in this PR do not need to be port to SP connector label Jan 16, 2025

sfc-gh-mkeller self-assigned this Jan 16, 2025

sfc-gh-eworoshow reviewed Jan 24, 2025

View reviewed changes

implement PKCE

f9214a7

sfc-gh-mkeller force-pushed the mkeller/SNOW-1825621/pkce-support branch from 4591ea1 to 6ae67ca Compare January 30, 2025 18:27

review feedback

81627af

sfc-gh-mkeller force-pushed the mkeller/SNOW-1825621/pkce-support branch from 6ae67ca to 81627af Compare January 30, 2025 18:31

sfc-gh-eworoshow reviewed Jan 30, 2025

View reviewed changes

sfc-gh-mkeller mentioned this pull request Jan 30, 2025

SNOW-1825621 refresh token implementation and OAuth token cache #2162

Draft

7 tasks

sfc-gh-mkeller changed the base branch from main to mkeller/SNOW-1825621/oauth-code-flow-support January 31, 2025 17:40

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SNOW-1825621 OAuth code flow PKCE support #2137

SNOW-1825621 OAuth code flow PKCE support #2137

sfc-gh-mkeller commented Jan 16, 2025 •

edited

Loading

sfc-gh-eworoshow left a comment

sfc-gh-eworoshow Jan 24, 2025

sfc-gh-mkeller Jan 30, 2025

sfc-gh-eworoshow left a comment

SNOW-1825621 OAuth code flow PKCE support #2137

Are you sure you want to change the base?

SNOW-1825621 OAuth code flow PKCE support #2137

Conversation

sfc-gh-mkeller commented Jan 16, 2025 • edited Loading

sfc-gh-eworoshow left a comment

Choose a reason for hiding this comment

sfc-gh-eworoshow Jan 24, 2025

Choose a reason for hiding this comment

sfc-gh-mkeller Jan 30, 2025

Choose a reason for hiding this comment

sfc-gh-eworoshow left a comment

Choose a reason for hiding this comment

sfc-gh-mkeller commented Jan 16, 2025 •

edited

Loading