Move token (a) caching and (b) refresh token layer from `req_oauth_*()` to `oauth_flow*()`

[fh-mthomson]

Goal: use oauth_flow_auth_code() as a single function through which I can:

1. Generate: Create a token
2. Cache: Initialize/leverage a cache using ^ token (via cache_choose() et al)
3. Refresh: If a given token (new or cached) is expired, use the refresh token to generate a new token (rather than oauth_flow_refresh(), as discussed at length in Rotating refresh tokens #186)

Currently, only (1) is supported by oauth_flow_auth_code() whereas (2) & (3) are automated via auth_outh_sign() but only as an indirect side effect of calling req_oauth_auth_code().

Proposal: move the auth_outh_sign() logic to the token-generation layer, instead of (or in addition to) the request layer, since, e.g., req_oauth_auth_code() calls oauth_flow_auth_code() anyway.

[hadley]

Can you give a bit more context about why you want this? i.e. how does the current auth caching flow fail for you?

It's not really possible to move the caching code into oauth_flow_auth_code() because req_perform() handles the cache updating logic (via auth_oauth_sign()) when the token requires a refresh.

[fh-mthomson]

At a high-level, we're only looking to httr2 as a means to fetch a token, and not execute a request.

Specifically, trying to:

1. Use oauth_flow_auth_code() to return a token from an SSO provider (Okta, docs)
2. Pass the token through to another service (Snowflake, docs)

Currently, oauth_flow_auth_code() will fetch a new token each time (bypassing the cache / refresh token automation in auth_oauth_sign()).

Ideally, the token would be:

1. Pulled from cache, if available
2. Refreshed, if cached token is expired
3. Otherwise, fetch a fresh token

Current approach (redacted):

get_oauth_token <- function(use_cached_token = TRUE) {
  if (use_cached_token) {
    cache <- httr2:::cache_disk(
      client = get_oauth_client(),
      key = NULL
    )
    
    cached <- cache$get()
    
    if (!is.null(cached)) {
      if (httr2:::token_has_expired(token = cached)) {
        cached <- NULL
      } else {
        token <- cached
      }
    }
  }
  
  # new token, if not relying on cache
  if (!use_cached_token || is.null(cached)) {
    token <- get_oauth_token_new()
  }
  
  token
}

get_oauth_token_new <- function() {
  OAUTH_AUTHORIZE_ENDPOINT <- "https://<X>.okta.com/oauth2/<X>/v1/authorize"
  REDIRECT_URI <- "https://<X>"
  SCOPE <- "session:role-any"
  client <- get_oauth_client()
  
  cache <- httr2:::cache_disk(client = client, key = NULL)
  token <- cache$get()
  
  if (!is.null(token$refresh_token)) {
    token <- httr2:::token_refresh(
      client = client,
      refresh_token = token$refresh_token,
      scope = SCOPE
    )
  } else {
    token <- httr2::oauth_flow_auth_code(
      client = client,
      auth_url = OAUTH_AUTHORIZE_ENDPOINT,
      scope = SCOPE,
      redirect_uri = REDIRECT_URI
    )
  }
  
  cache$set(token = token)
  
  token
}

get_oauth_client <- function() {
  OAUTH_CLIENT_ID <- "<X>"
  OAUTH_TOKEN_ENDPOINT <- "https://<X>.okta.com/oauth2/<X>/v1/token"
  
  client <- httr2::oauth_client(
    id = OAUTH_CLIENT_ID,
    token_url = OAUTH_TOKEN_ENDPOINT,
    name = "oauth_client"
  )
  
  client
}

[hadley]

Are you sure you can't do this already by using req_oauth_whatever() with the the okta client but applied to the snowflake request?

[fh-mthomson]

Yeah, we're not actually trying to make Snowflake requests, but just get the Snowflake token from the Okta client. The token from Okta is passed through to initialize a Snowflake ODBC connection, via:

conn <- DBI::dbConnect(
  odbc::odbc(),
  .connection_string = snowflake_connection_string
)

Where snowflake_connection_string contains AUTHENTICATOR=OAUTH;TOKEN=<X>. Then, conn is used for all tbl() workflows using dbplyr translations.

[hadley]

Ah got it. I'll have to think about this use case more.

[hadley]

With okta, I assume that when you refresh the token, you get a new refresh token and a new access token?

Is the branching really on is.null(token$refresh_token) or is it more is.null(token)? (i.e. the token wasn't cached yet not that you got a token that can't be refreshed)

It seems like what you need is a public version of this:

httr2/R/oauth.R

Lines 40 to 54 in 87e040d

	token <- cache$get()
	if (reauth || is.null(token)) {
	token <- exec(flow, !!!flow_params)
	} else {
	if (token_has_expired(token)) {
	cache$clear()
	if (is.null(token$refresh_token)) {
	token <- exec(flow, !!!flow_params)
	} else {
	token <- token_refresh(flow_params$client, token$refresh_token)
	}
	}
	}
	cache$set(token)
	req_auth_bearer_token(req, token$access_token)

I think I could probably give you something like that fairly easily — it'll be a bit awkward (i.e. designed to be wrapped in another function) but at this point I'd prefer to not to commit adding another family of functions like oauth_token_auth_code(). (And I don't want to add caching to oauth_flow_auth_code() and friends, because there will still need to be a simple function that just implements each flow)

[fh-mthomson]

With okta, I assume that when you refresh the token, you get a new refresh token and a new access token?

Correct, each of the following return distinct values for access_token, expires_at, and refresh_token:

• httr2::oauth_flow_auth_code()
• httr2:::token_refresh()

Is the branching really on is.null(token$refresh_token) or is it more is.null(token)? (i.e. the token wasn't cached yet not that you got a token that can't be refreshed)

Is refresh_token always returned for all clients? Or, is it possible that some clients may only return access_token? I'm leaning towards the current implementation in httr2: branching on token$refresh_token since that's the object that's immediately required in token_refresh().

It seems like what you need is a public version of this:

100%. thanks for the PR!

[jennybc]

If I am off-base, just ignore me, but this discussion gave me a vague memory of recording some related facts around what Google does:

#168 (comment)