Skip to content

Commit 99ffa43

Browse files
davidradldavidradl
authored
HTTP-91 Bearer token support (#117)
* HTTP-91 bearer token support Signed-off-by: davidradl <david_radley@uk.ibm.com>
1 parent 05d3b47 commit 99ffa43

20 files changed

+677
-56
lines changed

CHANGELOG.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,10 @@
22

33
## [Unreleased]
44

5+
### Added
6+
7+
- Added support for OIDC Bearer tokens.
8+
59
## [0.15.0] - 2024-07-30
610

711
### Added

README.md

Lines changed: 26 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -337,6 +337,9 @@ CREATE TABLE http (
337337
)
338338
```
339339

340+
Note that when using OIDC, it adds an `Authentication` header with the bearer token; this will override
341+
an existing `Authorization` header specified in configuration.
342+
340343
#### Custom request/response callback
341344

342345
- Http Sink processes responses that it gets from the HTTP endpoint along their respective requests. One can customize the
@@ -410,13 +413,30 @@ In this special case, you can configure connector to trust all certificates with
410413
To enable this option use `gid.connector.http.security.cert.server.allowSelfSigned` property setting its value to `true`.
411414

412415
## Basic Authentication
413-
The connector supports Basic Authentication mechanism using HTTP `Authorization` header.
416+
The connector supports Basic Authentication using a HTTP `Authorization` header.
414417
The header value can be set via properties, similarly as for other headers. The connector converts the passed value to Base64 and uses it for the request.
415418
If the used value starts with the prefix `Basic `, or `gid.connector.http.source.lookup.use-raw-authorization-header`
416419
is set to `'true'`, it will be used as header value as is, without any extra modification.
417420

421+
## OIDC Bearer Authentication
422+
The connector supports Bearer Authentication using a HTTP `Authorization` header. The [OAuth 2.0 rcf](https://datatracker.ietf.org/doc/html/rfc6749) mentions [Obtaining Authorization](https://datatracker.ietf.org/doc/html/rfc6749#section-4)
423+
and an authorization grant. OIDC makes use of this [authorisation grant](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3) in a [Token Request](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) by including a [OAuth grant type](https://oauth.net/2/grant-types/) and associated properties, the response is the [token response](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse).
424+
425+
If you want to use this authorization then you should supply the `Token Request` body in `application/x-www-form-urlencoded` encoding
426+
in configuration property `gid.connector.http.security.oidc.token.request`. See [grant extension](https://datatracker.ietf.org/doc/html/rfc6749#section-4.5) for
427+
an example of a customised grant type token request. The supplied `token request` will be issued to the
428+
[token end point](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2), whose url should be supplied in configuration property
429+
`gid.connector.http.security.oidc.token.endpoint.url`. The returned `access token` is then cached and used for subsequent requests; if the token has expired then
430+
a new one is requested. There is a property `gid.connector.http.security.oidc.token.expiry.reduction`, that defaults to 1 second; new tokens will
431+
be requested if the current time is later than the cached token expiry time minus `gid.connector.http.security.oidc.token.expiry.reduction`.
432+
433+
### Restrictions at this time
434+
* No authentication is applied to the token request.
435+
* The processing does not use the refresh token if it present.
436+
418437
## Table API Connector Options
419438
### HTTP TableLookup Source
439+
420440
| Option | Required | Description/Value |
421441
|---------------------------------------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
422442
| connector | required | The Value should be set to _rest-lookup_ |
@@ -436,19 +456,22 @@ is set to `'true'`, it will be used as header value as is, without any extra mod
436456
| gid.connector.http.security.cert.client | optional | Path to trusted certificate that should be used by connector's HTTP client for mTLS communication. |
437457
| gid.connector.http.security.key.client | optional | Path to trusted private key that should be used by connector's HTTP client for mTLS communication. |
438458
| gid.connector.http.security.cert.server.allowSelfSigned | optional | Accept untrusted certificates for TLS communication. |
459+
| gid.connector.http.security.oidc.token.request | optional | OIDC `Token Request` body in `application/x-www-form-urlencoded` encoding |
460+
| gid.connector.http.security.oidc.token.endpoint.url | optional | OIDC `Token Endpoint` url, to which the token request will be issued |
461+
| gid.connector.http.security.oidc.token.expiry.reduction | optional | OIDC tokens will be requested if the current time is later than the cached token expiry time minus this value. |
439462
| gid.connector.http.source.lookup.request.timeout | optional | Sets HTTP request timeout in seconds. If not specified, the default value of 30 seconds will be used. |
440463
| gid.connector.http.source.lookup.request.thread-pool.size | optional | Sets the size of pool thread for HTTP lookup request processing. Increasing this value would mean that more concurrent requests can be processed in the same time. If not specified, the default value of 8 threads will be used. |
441464
| gid.connector.http.source.lookup.response.thread-pool.size | optional | Sets the size of pool thread for HTTP lookup response processing. Increasing this value would mean that more concurrent requests can be processed in the same time. If not specified, the default value of 4 threads will be used. |
442465
| gid.connector.http.source.lookup.use-raw-authorization-header | optional | If set to `'true'`, uses the raw value set for the `Authorization` header, without transformation for Basic Authentication (base64, addition of "Basic " prefix). If not specified, defaults to `'false'`. |
443466
| gid.connector.http.source.lookup.request-callback | optional | Specify which `HttpLookupPostRequestCallback` implementation to use. By default, it is set to `slf4j-lookup-logger` corresponding to `Slf4jHttpLookupPostRequestCallback`. |
444467

445-
446468
### HTTP Sink
469+
447470
| Option | Required | Description/Value |
448471
|---------------------------------------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
449472
| connector | required | Specify what connector to use. For HTTP Sink it should be set to _'http-sink'_. |
450-
| url | required | The base URL that should be use for HTTP requests. For example _http://localhost:8080/client_. |
451473
| format | required | Specify what format to use. |
474+
| url | required | The base URL that should be use for HTTP requests. For example _http://localhost:8080/client_. |
452475
| insert-method | optional | Specify which HTTP method to use in the request. The value should be set either to `POST` or `PUT`. |
453476
| sink.batch.max-size | optional | Maximum number of elements that may be passed in a batch to be written downstream. |
454477
| sink.requests.max-inflight | optional | The maximum number of in flight requests that may exist, if any more in flight requests need to be initiated once the maximum has been reached, then it will be blocked until some have completed. |

pom.xml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -297,6 +297,8 @@ under the License.
297297
<artifactId>maven-surefire-plugin</artifactId>
298298
<version>3.0.0-M5</version>
299299
<configuration>
300+
<!-- argLine needed for Flink 1.16 and 1.17 or there are unit test errors-->
301+
<argLine>--add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED</argLine>
300302
</configuration>
301303
</plugin>
302304

src/main/java/com/getindata/connectors/http/HttpSinkBuilder.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -67,7 +67,7 @@ public class HttpSinkBuilder<InputT> extends
6767
DEFAULT_POST_REQUEST_CALLBACK = new Slf4jHttpPostRequestCallback();
6868

6969
private static final HeaderPreprocessor DEFAULT_HEADER_PREPROCESSOR =
70-
HttpHeaderUtils.createDefaultHeaderPreprocessor();
70+
HttpHeaderUtils.createBasicAuthorizationHeaderPreprocessor();
7171

7272
private final Properties properties = new Properties();
7373

src/main/java/com/getindata/connectors/http/internal/OIDCAuthHeaderValuePreprocessor.java

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
package com.getindata.connectors.http.internal;
2+
3+
import java.net.http.HttpClient;
4+
import java.time.Duration;
5+
import java.util.Optional;
6+
7+
import lombok.extern.slf4j.Slf4j;
8+
9+
import com.getindata.connectors.http.internal.auth.OidcAccessTokenManager;
10+
11+
/**
12+
* Header processor for HTTP OIDC Authentication mechanism.
13+
*/
14+
@Slf4j
15+
public class OIDCAuthHeaderValuePreprocessor implements HeaderValuePreprocessor {
16+
17+
18+
private final String oidcAuthURL;
19+
private final String oidcTokenRequest;
20+
private Duration oidcExpiryReduction = Duration.ofSeconds(1);
21+
/**
22+
* Add the access token to the request using OidcAuth authenticate method that
23+
* gives us a valid access token.
24+
* @param oidcAuthURL OIDC token endpoint
25+
* @param oidcTokenRequest OIDC Token Request
26+
* @param oidcExpiryReduction OIDC token expiry reduction
27+
*/
28+
29+
public OIDCAuthHeaderValuePreprocessor(String oidcAuthURL,
30+
String oidcTokenRequest,
31+
Optional<Duration> oidcExpiryReduction) {
32+
this.oidcAuthURL = oidcAuthURL;
33+
this.oidcTokenRequest = oidcTokenRequest;
34+
if (oidcExpiryReduction.isPresent()) {
35+
this.oidcExpiryReduction = oidcExpiryReduction.get();
36+
}
37+
}
38+
39+
@Override
40+
public String preprocessHeaderValue(String rawValue) {
41+
OidcAccessTokenManager auth = new OidcAccessTokenManager(
42+
HttpClient.newBuilder().build(),
43+
oidcTokenRequest,
44+
oidcAuthURL,
45+
oidcExpiryReduction
46+
);
47+
// apply the OIDC authentication by adding the dynamically calculated header value.
48+
return "BEARER " + auth.authenticate();
49+
}
50+
}

0 commit comments

Comments
 (0)