Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support refresh tokens (#2126) #2141

Merged
merged 2 commits into from
Feb 19, 2020
Merged

Conversation

beckjake
Copy link
Contributor

@beckjake beckjake commented Feb 17, 2020

resolves #2126

Description

Support refresh tokens by requesting client_id, client_secret, and a refresh token
Add a little webserver that spits out a refresh token given a client ID + client secret
Add tests
You can opt-out of running the new tests by exporting DBT_INTEGRATION_TEST_SNOWFLAKE_OAUTH_DISABLED=1 into your test environment.

Checklist

  • I have signed the CLA
  • I have run this code in development and it appears to resolve the stated issue
  • This PR includes tests, or tests are not required/relevant for this PR
  • I have updated the CHANGELOG.md and added information about my change to the "dbt next" section.

@cla-bot cla-bot bot added the cla:yes label Feb 17, 2020
@beckjake beckjake force-pushed the feature/snowflake-refresh-token branch 2 times, most recently from 9d1df6c to bf2c414 Compare February 17, 2020 23:26
@beckjake beckjake requested a review from drewbanin February 18, 2020 00:16
Add a little webserver that spits out a refresh token
Add tests + notes on test support
@beckjake beckjake force-pushed the feature/snowflake-refresh-token branch from bf2c414 to d5c24b0 Compare February 18, 2020 17:44
@beckjake beckjake changed the base branch from dev/barbara-gittings to dev/0.15.3 February 18, 2020 17:44
@beckjake
Copy link
Contributor Author

Rebasing this against 0.15.3 made appveyor think it was relevant

Copy link
Contributor

@drewbanin drewbanin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks excellent! Two minor comments here - happy to discuss both of them further!

result = requests.post(token_url, headers=headers, data=data)
result_json = result.json()
if 'access_token' not in result_json:
raise DatabaseException(f'Did not get a token: {result_json}')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you know what kind of contents would be returned in result_json here? I'm just worried that this could print sensitive-ish info out to the console, like a client id or client secret. If there's a chance that could happen, we should probably stringify the json and mask out creds if we can!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I usually got error messages about invalid client IDs. I don't think it returns sensitive information, it was actually very annoying to debug because of that (which is good/normal security practice for an endpoint like this):

Encountered an error:
Database Error
  Did not get a token: {'data': None, 'message': 'This is an invalid client.', 'code': None, 'success': False, 'error': 'invalid_client'}

from test.integration.base import DBTIntegrationTest, use_profile


class TestSnowflakeOauth(DBTIntegrationTest):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we make this test optional? It should definitely run in our test env, but I think some folks might think twice about creating security integrations in their own snowflake accounts to run these tests :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How optional? Opt-in, or opt-out?

@beckjake beckjake merged commit 5dd9c99 into dev/0.15.3 Feb 19, 2020
@beckjake beckjake deleted the feature/snowflake-refresh-token branch February 19, 2020 19:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

snowflake oauth: take refresh_token instead of access_token
2 participants