CDK: SingleUseRefreshTokenOauth2Authenticator update config with access tokens and expiration date #20923
Nice- main thing I think should be addressed is making sure that the initial access token is loaded from the config.
Should we always expect the expiration date to be part of the config or should we allow connectors to decide to use an endpoint to retrieve the expiration date of the token?
Also, did you check the APIs for whether they had these kinds of endpoints like you mentioned? If so, I'm curious what the results of that investigation were.
self._access_token_config_path = access_token_config_path | ||
self._refresh_token_config_path = refresh_token_config_path | ||
self._access_token_expiration_datetime_config_path = access_token_expiration_datetime_config_path |
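Review bot: access_token_expiration_datetime_config_path, stored on the last line here, should be documented in the constructor docstring with the value format and timezone expected at that path. The three paths are kept as passed in these lines, so a connector author has nothing to tell them whether the config value is an ISO 8601 string, an epoch, or a naive datetime, and a mismatch would only show up when the expiry comparison runs.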
We should also set the initial access_token from the config as part of the initialization - otherwise I believe we wouldn't have an access token and require it to refresh, right?
GitLab was doing this manually:
airbyte/airbyte-integrations/connectors/source-gitlab/source_gitlab/source.py
Lines 57 to 59 in 5000dfb
now = pendulum.now()
self.access_token = access_token
self.set_token_expiry_date(now.add(seconds=access_token_info["expires_in"]))
I made the change and added a test to ensure access_token attribute is set on init.
# TODO alafanechere this will sequentially emit three control messages. | ||
# We should rework the observer/config mutation logic if we want to have atomic config updates in a single control message. | ||
dpath.util.set(self._connector_config, self._access_token_config_path, new_access_token) | ||
dpath.util.set(self._connector_config, self._refresh_token_config_path, new_refresh_token) | ||
dpath.util.set(self._connector_config, self._access_token_expiration_datetime_config_path, new_access_token_expiration_datetime) |
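Review bot: the three dpath.util.set calls only change elements that already exist at the given path and return the number of elements changed, so on a config that has no access token or expiration date yet these writes do nothing and the new values are never persisted. Check the return value or use dpath.util.new for these keys. Since the TODO says each write emits its own control message, also consider writing the refresh token first, so that an interruption between messages cannot leave the platform holding the already consumed single-use refresh token.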
note: this means as currently implemented during the sync the platform will perform 3 separate config updates (api calls) for each of these pieces
I discarded the use of ObservedDict and directly call a function from this method to emit the control message.
…q/airbyte into augustin/cdk/oauth/lazy-refresh
Yes, we should expect the expiration date to be part of the config if the
I did but did not find these endpoints for Quickbook, TypeForm, Jira and Pipedrive
This is good work! Do you happen to know how common it is for oAuth endpoints to return an |
I'm pretty sure returning an ✅ Quickbook |
/publish-cdk dry-run=false
What
Closes #20914
Before this PR the SingleUseRefreshTokenOauth2Authenticator eagerly performed access token refresh: check, discover, read) a new OAuth flow is started even if the previous access token is still valid.

As synchronous operations, like check on source creation, can't process control messages, we can end up with an invalid refresh token as the latest ones are not persisted to the DB. (more details in https://github.com/airbytehq/airbyte-internal-issues/issues/1260)

To mitigate this problem we try to store the expiration date of the access token in the config and only perform refresh when the expiration date is met.
How
access_token_expiration_datetime
from connector configurationaccess_token_value
access_token_expiration_datetime
Recommended reading order
airbyte/airbyte-cdk/python/airbyte_cdk/sources/streams/http/requests_native_auth/oauth.py
Line 93 in 833d978
airbyte/airbyte-cdk/python/unit_tests/sources/streams/http/requests_native_auth/test_requests_native_auth.py
Line 183 in 833d978
🚨 User Impact 🚨
The connector using SingleUseRefreshTokenOauth2Authenticator should be reworked: #7506
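
A minimal sketch of the lazy refresh described in this PR, added here as an illustration and not the CDK's own code. The class name, the `credentials` and `token_expiry_date` config keys, and the `refresh_fn` / `emit_config` callbacks are assumptions, and the token endpoint is a constructed fake that rejects a reused refresh token.

```python
from datetime import datetime, timedelta, timezone


class LazySingleUseRefreshAuth:
    """Hypothetical sketch, not the CDK class: refresh only once the stored expiry has passed."""

    def __init__(self, config, refresh_fn, emit_config, now_fn=lambda: datetime.now(timezone.utc)):
        self._config = config            # connector config holding the three credential fields
        self._refresh_fn = refresh_fn    # stand-in for the call to the token endpoint
        self._emit_config = emit_config  # stand-in for emitting a config-update control message
        self._now = now_fn

    def _expired(self):
        raw = self._config["credentials"].get("token_expiry_date")
        # A missing expiry counts as expired, so a first run still obtains a token.
        return raw is None or datetime.fromisoformat(raw) <= self._now()

    def get_access_token(self):
        creds = self._config["credentials"]
        if creds.get("access_token") and not self._expired():
            return creds["access_token"]  # still valid: the single-use refresh token is not spent
        access, refresh, expires_in = self._refresh_fn(creds["refresh_token"])
        # Update all three fields, then persist once, so the stored refresh token
        # is never the one that was just consumed.
        creds["access_token"] = access
        creds["refresh_token"] = refresh
        creds["token_expiry_date"] = (self._now() + timedelta(seconds=expires_in)).isoformat()
        self._emit_config(self._config)
        return access


def demo():
    """Constructed scenario: three token requests against a fake single-use token endpoint."""
    valid, calls, emitted = {"r0"}, [], []
    clock = [datetime(2023, 1, 1, tzinfo=timezone.utc)]

    def fake_refresh(refresh_token):
        if refresh_token not in valid:
            raise PermissionError("refresh token already used")
        valid.discard(refresh_token)
        calls.append(refresh_token)
        valid.add(f"r{len(calls)}")
        return f"a{len(calls)}", f"r{len(calls)}", 3600

    config = {"credentials": {"refresh_token": "r0"}}
    persist = lambda c: emitted.append(dict(c["credentials"]))
    auth = LazySingleUseRefreshAuth(config, fake_refresh, persist, lambda: clock[0])
    first = auth.get_access_token()   # no token stored yet: refresh with r0
    second = auth.get_access_token()  # within the expiry window: no refresh
    clock[0] += timedelta(hours=2)
    third = auth.get_access_token()   # expired: refresh with the persisted r1
    return first, second, third, calls, len(emitted)
```
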