CDK: SingleUseRefreshTokenOauth2Authenticator update config with access tokens and expiration date
#20923
Conversation
alafanechere
changed the title
SingleUseRefreshTokenOauth2Authenticator update config with access tokensSingleUseRefreshTokenOauth2Authenticator update config with access tokens and expiration date
There was a problem hiding this comment.
Nice- main thing I think should be addressed is making sure that the initial access token is loaded from the config.
Should we always expect the expiration date to be part of the config or should we allow connectors to decide to use an an endpoint to retrieve the expiration date of the token?
Also, did you check the APIs for whether they had these kinds of endpoints like you mentioned? If so, I'm curious what the results of that investigation were.
| self._access_token_config_path = access_token_config_path | ||
| self._refresh_token_config_path = refresh_token_config_path | ||
| self._access_token_expiration_datetime_config_path = access_token_expiration_datetime_config_path |
There was a problem hiding this comment.
We should also set the initial access_token from the config as part of the initialization - otherwise I believe we wouldn't have an access token and require it to refresh, right?
GitLab was doing this manually:
There was a problem hiding this comment.
I made the change and added a test to ensure access_token attribute is set on init.
| # TODO alafanechere this will sequentially emit three control messages. | ||
| # We should rework the observer/config mutation logic if we want to have atomic config updates in a single control message. | ||
| dpath.util.set(self._connector_config, self._access_token_config_path, new_access_token) | ||
| dpath.util.set(self._connector_config, self._refresh_token_config_path, new_refresh_token) | ||
| dpath.util.set(self._connector_config, self._access_token_expiration_datetime_config_path, new_access_token_expiration_datetime) |
There was a problem hiding this comment.
note: this means as currently implemented during the sync the platform will perform 3 separate config updates (api calls) for each of these pieces
There was a problem hiding this comment.
I discarded the use of ObservedDict and directly call a function from this method to emit the control message.
…q/airbyte into augustin/cdk/oauth/lazy-refresh
Yes, we should expect the expiration date to be part of the config if the
I did but did not find these endpoints for Quickbook, TypeForm, Jira and Pipedrive |
|
This is good work! Do you happen to know how common it is for oAuth endpoints to return an |
I'm pretty sure returning an ✅ Quickbook |
|
/publish-cdk dry-run=true
|
|
/publish-cdk dry-run=false
|
What
Closes #20914
Before this PR the
SingleUseRefreshTokenOauth2Authenticatoreagerly performed access token refresh:check,discover,read) a new OAuth flow is started even if the previous access token is still valid.As synchronous operation, like
checkon source creation, can't process control message, we can end up with invalid refresh token as the latest one are not persisted to the DB. (more details in https://github.com/airbytehq/airbyte-internal-issues/issues/1260)To mitigate this problem we try to store the expiration date of the access token in the config and only perform refresh when the expiration date is met.
How
access_token_expiration_datetimefrom connector configurationaccess_token_valueaccess_token_expiration_datetimeRecommended reading order
airbyte/airbyte-cdk/python/airbyte_cdk/sources/streams/http/requests_native_auth/oauth.py
Line 93 in 833d978
airbyte/airbyte-cdk/python/unit_tests/sources/streams/http/requests_native_auth/test_requests_native_auth.py
Line 183 in 833d978
🚨 User Impact 🚨
The connector using
SingleUseRefreshTokenOauth2Authenticatorshould be reworked:#7506