Update DefaultOAuth2ApiService to support multiple token types and client secret without id (#952)

* Update DefaultOAuth2ApiService to support multiple token types and client secret without id

* Address PR comments

* Update TokenBroker interface to accept requestedTokenType

* Add check for requested token type

Author: collado-mike

quarkus/service/src/test/java/org/apache/polaris/service/quarkus/auth/JWTRSAKeyPairTest.java

@@ -41,6 +41,7 @@
 import org.apache.polaris.service.auth.TokenBroker;
 import org.apache.polaris.service.auth.TokenRequestValidator;
 import org.apache.polaris.service.auth.TokenResponse;
+import org.apache.polaris.service.types.TokenType;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 
@@ -76,7 +77,11 @@ public void testSuccessfulTokenGeneration() throws Exception {
         new JWTRSAKeyPair(metastoreManager, session, 420, publicFileLocation, privateFileLocation);
     TokenResponse token =
         tokenBroker.generateFromClientSecrets(
-            clientId, mainSecret, TokenRequestValidator.CLIENT_CREDENTIALS, scope);
+            clientId,
+            mainSecret,
+            TokenRequestValidator.CLIENT_CREDENTIALS,
+            scope,
+            TokenType.ACCESS_TOKEN);
     assertThat(token).isNotNull();
     assertThat(token.getExpiresIn()).isEqualTo(420);
 

quarkus/service/src/test/java/org/apache/polaris/service/quarkus/auth/JWTSymmetricKeyGeneratorTest.java

@@ -34,6 +34,7 @@
 import org.apache.polaris.service.auth.TokenBroker;
 import org.apache.polaris.service.auth.TokenRequestValidator;
 import org.apache.polaris.service.auth.TokenResponse;
+import org.apache.polaris.service.types.TokenType;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 
@@ -64,7 +65,11 @@ public void testJWTSymmetricKeyGenerator() {
         new JWTSymmetricKeyBroker(metastoreManager, metaStoreSession, 666, () -> "polaris");
     TokenResponse token =
         generator.generateFromClientSecrets(
-            clientId, mainSecret, TokenRequestValidator.CLIENT_CREDENTIALS, "PRINCIPAL_ROLE:TEST");
+            clientId,
+            mainSecret,
+            TokenRequestValidator.CLIENT_CREDENTIALS,
+            "PRINCIPAL_ROLE:TEST",
+            TokenType.ACCESS_TOKEN);
     assertThat(token).isNotNull();
 
     JWTVerifier verifier = JWT.require(Algorithm.HMAC256("polaris")).withIssuer("polaris").build();

service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java

@@ -43,7 +43,6 @@ public class DefaultOAuth2ApiService implements IcebergRestOAuth2ApiService {
 
   private static final Logger LOGGER = LoggerFactory.getLogger(DefaultOAuth2ApiService.class);
 
-  private static final String CLIENT_CREDENTIALS = "client_credentials";
   private static final String BEARER = "bearer";
 
   private final TokenBrokerFactory tokenBrokerFactory;
@@ -75,43 +74,39 @@ public Response getToken(
     if (!tokenBroker.supportsRequestedTokenType(requestedTokenType)) {
       return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
     }
-    if (authHeader == null && clientId == null) {
+    if (authHeader == null && clientSecret == null) {
       return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
     }
-    if (authHeader != null && clientId == null && authHeader.startsWith("Basic ")) {
+    // token exchange with client id and client secret in the authorization header means the client
+    // has previously attempted to refresh an access token, but refreshing was not supported by the
+    // token broker. Accept the client id and secret and treat it as a new token request
+    if (authHeader != null && clientSecret == null && authHeader.startsWith("Basic ")) {
       String credentials = new String(Base64.decodeBase64(authHeader.substring(6)), UTF_8);
       if (!credentials.contains(":")) {
-        return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
+        return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
       }
       LOGGER.debug("Found credentials in auth header - treating as client_credentials");
       String[] parts = credentials.split(":", 2);
-      clientId = parts[0];
-      clientSecret = parts[1];
+      if (parts.length == 2) {
+        clientId = parts[0];
+        clientSecret = parts[1];
+      } else {
+        LOGGER.debug("Don't know how to parse Basic auth header");
+        return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
+      }
+    }
+    TokenResponse tokenResponse;
+    if (clientSecret != null) {
+      tokenResponse =
+          tokenBroker.generateFromClientSecrets(
+              clientId, clientSecret, grantType, scope, requestedTokenType);
+    } else if (subjectToken != null) {
+      tokenResponse =
+          tokenBroker.generateFromToken(
+              subjectTokenType, subjectToken, grantType, scope, requestedTokenType);
+    } else {
+      return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
     }
-    TokenResponse tokenResponse =
-        switch (subjectTokenType) {
-          case TokenType.ID_TOKEN,
-                  TokenType.REFRESH_TOKEN,
-                  TokenType.JWT,
-                  TokenType.SAML1,
-                  TokenType.SAML2 ->
-              new TokenResponse(OAuthTokenErrorResponse.Error.invalid_request);
-          case TokenType.ACCESS_TOKEN -> {
-            // token exchange with client id and client secret means the client has previously
-            // attempted to refresh
-            // an access token, but refreshing was not supported by the token broker. Accept the
-            // client id and
-            // secret and treat it as a new token request
-            if (clientId != null && clientSecret != null) {
-              yield tokenBroker.generateFromClientSecrets(
-                  clientId, clientSecret, CLIENT_CREDENTIALS, scope);
-            } else {
-              yield tokenBroker.generateFromToken(subjectTokenType, subjectToken, grantType, scope);
-            }
-          }
-          case null ->
-              tokenBroker.generateFromClientSecrets(clientId, clientSecret, grantType, scope);
-        };
     if (tokenResponse == null) {
       return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.unsupported_grant_type);
     }

service/common/src/main/java/org/apache/polaris/service/auth/JWTBroker.java

@@ -98,8 +98,15 @@ public String getScope() {
 
   @Override
   public TokenResponse generateFromToken(
-      TokenType tokenType, String subjectToken, String grantType, String scope) {
-    if (!TokenType.ACCESS_TOKEN.equals(tokenType)) {
+      TokenType subjectTokenType,
+      String subjectToken,
+      String grantType,
+      String scope,
+      TokenType requestedTokenType) {
+    if (!TokenType.ACCESS_TOKEN.equals(requestedTokenType)) {
+      return new TokenResponse(OAuthTokenErrorResponse.Error.invalid_request);
+    }
+    if (!TokenType.ACCESS_TOKEN.equals(subjectTokenType)) {
       return new TokenResponse(OAuthTokenErrorResponse.Error.invalid_request);
     }
     if (StringUtils.isBlank(subjectToken)) {
@@ -121,7 +128,11 @@ public TokenResponse generateFromToken(
 
   @Override
   public TokenResponse generateFromClientSecrets(
-      String clientId, String clientSecret, String grantType, String scope) {
+      String clientId,
+      String clientSecret,
+      String grantType,
+      String scope,
+      TokenType requestedTokenType) {
     // Initial sanity checks
     TokenRequestValidator validator = new TokenRequestValidator();
     Optional<OAuthTokenErrorResponse.Error> initialValidationResponse =

service/common/src/main/java/org/apache/polaris/service/auth/NoneTokenBrokerFactory.java

@@ -42,13 +42,21 @@ public boolean supportsRequestedTokenType(TokenType tokenType) {
 
         @Override
         public TokenResponse generateFromClientSecrets(
-            String clientId, String clientSecret, String grantType, String scope) {
+            String clientId,
+            String clientSecret,
+            String grantType,
+            String scope,
+            TokenType requestedTokenType) {
           return null;
         }
 
         @Override
         public TokenResponse generateFromToken(
-            TokenType tokenType, String subjectToken, String grantType, String scope) {
+            TokenType subjectTokenType,
+            String subjectToken,
+            String grantType,
+            String scope,
+            TokenType requestedTokenType) {
           return null;
         }
 

service/common/src/main/java/org/apache/polaris/service/auth/TokenBroker.java

@@ -34,11 +34,77 @@ public interface TokenBroker {
 
   boolean supportsRequestedTokenType(TokenType tokenType);
 
+  /**
+   * Generate a token from client secrets without specifying the requested token type
+   *
+   * @param clientId
+   * @param clientSecret
+   * @param grantType
+   * @param scope
+   * @return the response indicating an error or the requested token
+   * @deprecated - use the method with the requested token type
+   */
+  @Deprecated
+  default TokenResponse generateFromClientSecrets(
+      final String clientId,
+      final String clientSecret,
+      final String grantType,
+      final String scope) {
+    return generateFromClientSecrets(
+        clientId, clientSecret, grantType, scope, TokenType.ACCESS_TOKEN);
+  }
+
+  /**
+   * Generate a token from client secrets
+   *
+   * @param clientId
+   * @param clientSecret
+   * @param grantType
+   * @param scope
+   * @param requestedTokenType
+   * @return the response indicating an error or the requested token
+   */
   TokenResponse generateFromClientSecrets(
-      final String clientId, final String clientSecret, final String grantType, final String scope);
+      final String clientId,
+      final String clientSecret,
+      final String grantType,
+      final String scope,
+      TokenType requestedTokenType);
+
+  /**
+   * Generate a token from an existing token of a specified type without specifying the requested
+   * token type
+   *
+   * @param subjectTokenType
+   * @param subjectToken
+   * @param grantType
+   * @param scope
+   * @return the response indicating an error or the requested token
+   * @deprecated - use the method with the requested token type
+   */
+  @Deprecated
+  default TokenResponse generateFromToken(
+      TokenType subjectTokenType, String subjectToken, final String grantType, final String scope) {
+    return generateFromToken(
+        subjectTokenType, subjectToken, grantType, scope, TokenType.ACCESS_TOKEN);
+  }
 
+  /**
+   * Generate a token from an existing token of a specified type
+   *
+   * @param subjectTokenType
+   * @param subjectToken
+   * @param grantType
+   * @param scope
+   * @param requestedTokenType
+   * @return the response indicating an error or the requested token
+   */
   TokenResponse generateFromToken(
-      TokenType tokenType, String subjectToken, final String grantType, final String scope);
+      TokenType subjectTokenType,
+      String subjectToken,
+      final String grantType,
+      final String scope,
+      TokenType requestedTokenType);
 
   DecodedToken verify(String token);