Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support custom cache for OAuth2 tokens #225

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Support custom cache for OAuth2 tokens #225

wants to merge 1 commit into from

Conversation

mdesmet
Copy link
Contributor

@mdesmet mdesmet commented Aug 18, 2022

Fixes #223

@cla-bot cla-bot bot added the cla-signed label Aug 18, 2022
@mdesmet mdesmet requested a review from hovaesco August 18, 2022 10:57
hovaesco
hovaesco reviewed Aug 19, 2022
View reviewed changes
trino/auth.py Outdated
Comment on lines 294 to 298
if custom_cache is not None:
return custom_cache
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe is worth to add some validation and error handling for custom_cache?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added an isinstance check. I don't think there is anything more we can do. We might rethrow the exception as one of the dbapi exception types. WDYT?

README.md Outdated
@@ -198,6 +198,8 @@ A callback to handle the redirect url can be provided via param `redirect_auth_u

The OAuth2 token will be cached either per `trino.auth.OAuth2Authentication` instance or, when keyring is installed, it will be cached within a secure backend (MacOS keychain, Windows credential locker, etc) under a key including host of the Trino connection. Keyring can be installed using `pip install 'trino[external-authentication-token-cache]'`.

A custom caching implementation can be provided by creating a class implementing the `trino.auth.OAuth2TokenCache` abstract class and adding it as in `OAuth2Authentication(cache=my_custom_cache_impl)`. The custom caching implementation enables usage in multi-user environments (notebooks, web applications) in combination with a custom `redirect_auth_url_handler` as explained above.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's explain further what can be passed as my_custom_cache_impl or give some code snippets here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@mdesmet mdesmet force-pushed the feature/custom-cache branch 2 times, most recently from c04d408 to 709d718 Compare August 19, 2022 11:12
@mdesmet mdesmet requested review from hashhar and ebyhr August 19, 2022 11:28
@hashhar
Copy link
Member

hashhar commented Aug 19, 2022

I'd prefer if we made the defaults more useful instead of adding hooks for custom behaviour and leaving users to implement them themselves.

It seems default should be to cache based on identity (which is what Trino itself seems to do).

@mdesmet
Copy link
Contributor Author

mdesmet commented Aug 19, 2022

I'd prefer if we made the defaults more useful instead of adding hooks for custom behaviour and leaving users to implement them themselves.

That won't work in a distributed web application. You would need to store and retrieve the tokens in a distributed cache (eg redis) as every request may be handled by different nodes.

It seems default should be to cache based on identity (which is what Trino itself seems to do).

This is not entirely true. The user is not required in the connect(args) for OAuth connections. Without the user we would only be able to retrieve the identity by running a SELECT CURRENT_USER() query.

@ebyhr ebyhr removed their request for review February 10, 2023 03:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hovaesco hovaesco hovaesco left review comments

@hashhar hashhar Awaiting requested review from hashhar

Assignees
No one assigned
Labels
cla-signed
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Custom cache for oauth2 tokens
3 participants
@mdesmet @hashhar @hovaesco