BrowserIdcAuthPlugin (amazon-redshift-jdbc-driver 2.1.0.30 API)

java.lang.Object
- com.amazon.redshift.plugin.CommonCredentialsProvider
- - com.amazon.redshift.plugin.BrowserIdcAuthPlugin

All Implemented Interfaces:: INativePlugin

public class BrowserIdcAuthPlugin
extends CommonCredentialsProvider

Field Summary

Fields
Modifier and Type	Field and Description
`int`	`CODE_VERIFIER_BYTE_LENGTH` It is used to set the number of bytes of the code verifier
`int`	`CREATE_TOKEN_POLLING_INTERVAL` The default time in seconds for which the client must wait between attempts when polling for a session
`int`	`DEFAULT_IDC_TOKEN_EXPIRY_IN_SEC` It is used if auth server doesn't provide any value access token expiration
`protected static Pattern`	`IAM_HTTP_URL_PATTERN`
`protected static Pattern`	`IAM_URL_PATTERN`
`static String`	`KEY_IDC_REGION` Key for setting IdC region.
`static String`	`KEY_IDC_RESPONSE_TIMEOUT` Key for setting timeout for IDP response.
`static String`	`KEY_ISSUER_URL` Key for setting idp tenant.
`static String`	`KEY_LISTEN_PORT` Key for setting the port number for listening.
`protected static String`	`KEY_SSL_INSECURE`
`protected String`	`m_idc_region` IdC region variable.
`protected String`	`m_issuer_url` Issuer URL variable.
`protected RedshiftLogger`	`m_log`
`protected String`	`m_redirect_uri` Redirect URI variable.
`protected AWSSSOOIDC`	`m_sdk_client` AWSSSOOIDC client object needed to SSOOIDC methods
`protected boolean`	`m_sslInsecure`
`long`	`MILLISECOND_MULTIPLIER` It is used to multiply millisecond values to get seconds
`static String`	`OAUTH_CHALLENGE_METHOD_PARAMETER_NAME` Key for setting code challenge.
`static String`	`OAUTH_CLIENT_ID_PARAMETER_NAME` Key for setting client ID.
`static String`	`OAUTH_CODE_CHALLENGE_PARAMETER_NAME` Key for setting code challenge.
`static String`	`OAUTH_CSRF_STATE_PARAMETER_NAME` Key for setting CSRF endpoint protection state.
`static String`	`OAUTH_GRANT_TYPE_PARAMETER_NAME` Key for setting grant type.
`static String`	`OAUTH_REDIRECT_PARAMETER_NAME` Key for setting redirect URI.
`static String`	`OAUTH_RESPONSE_TYPE_PARAMETER_NAME` Key for setting OAUTH response type.
`static String`	`OAUTH_SCOPE_PARAMETER_NAME` Key for setting scope.

Fields inherited from class com.amazon.redshift.plugin.CommonCredentialsProvider
m_disableCache

Constructor Summary

Constructors
Constructor and Description

BrowserIdcAuthPlugin()

Constructors
Constructor and Description
`BrowserIdcAuthPlugin()`

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`addParameter(String key, String value)` Overridden method to grab the field parameters from JDBC connection string or extended params provided by user.
`protected String`	`fetchAuthorizationCode(String codeChallenge, RegisterClientResult registerClientResult)` Retrieves an IdC vended authorization code from the IdC server through the redirectURI
`protected CreateTokenResult`	`fetchTokenResult(RegisterClientResult registerClientResult, String authCode, String codeVerifier)` Creates and returns an access token for the authorized client within if successful before the timeout
`protected String`	`generateCodeChallenge(String verifier)` Applies a SHA256 hash to the code verifier
`protected String`	`generateCodeVerifier()` Generates a high entropy random codeVerifier string that will be used in the PKCE flow
`protected NativeTokenHolder`	`getAuthToken()` Overridden method to obtain the auth token from plugin specific implementation
`protected CreateTokenResult`	`getCreateTokenResult(String clientId, String clientSecret, String authCode, String grantType, String codeVerifier, String redirectUri)` Creates and returns an access token for the authorized client.
`protected CloseableHttpClient`	`getHttpClient()`
`protected NativeTokenHolder`	`getIdcToken()` Returns the retrieved access token from IdC authorization server
`protected static String`	`getRegexForJsonKey(String keyName)`
`protected RegisterClientResult`	`getRegisterClientResult()` Registers a client with IAM Identity Center.
`protected void`	`openBrowser(String state, String codeChallenge, RegisterClientResult registerClientResult)` Opens the default browser with the authorization code request to IdC /authorize endpoint
`protected NativeTokenHolder`	`processCreateTokenResult(CreateTokenResult createTokenResult)` Takes a created token result as input and returns an object of type NativeTokenHolder that contains the access token and expiration
`protected void`	`validateURL(String paramString)`

Methods inherited from class com.amazon.redshift.plugin.CommonCredentialsProvider
getCacheKey, getCredentials, getIdpToken, getPluginSpecificCacheKey, refresh, setLogger

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - KEY_IDC_RESPONSE_TIMEOUT
```
public static final String KEY_IDC_RESPONSE_TIMEOUT
```
    Key for setting timeout for IDP response.
    
    See Also:
    
    Constant Field Values
  - KEY_LISTEN_PORT
```
public static final String KEY_LISTEN_PORT
```
    Key for setting the port number for listening.
    
    See Also:
    
    Constant Field Values
  - KEY_ISSUER_URL
```
public static final String KEY_ISSUER_URL
```
    Key for setting idp tenant.
    
    See Also:
    
    Constant Field Values
  - KEY_IDC_REGION
```
public static final String KEY_IDC_REGION
```
    Key for setting IdC region.
    
    See Also:
    
    Constant Field Values
  - OAUTH_CSRF_STATE_PARAMETER_NAME
```
public static final String OAUTH_CSRF_STATE_PARAMETER_NAME
```
    Key for setting CSRF endpoint protection state.
    
    See Also:
    
    Constant Field Values
  - OAUTH_REDIRECT_PARAMETER_NAME
```
public static final String OAUTH_REDIRECT_PARAMETER_NAME
```
    Key for setting redirect URI.
    
    See Also:
    
    Constant Field Values
  - OAUTH_CLIENT_ID_PARAMETER_NAME
```
public static final String OAUTH_CLIENT_ID_PARAMETER_NAME
```
    Key for setting client ID.
    
    See Also:
    
    Constant Field Values
  - OAUTH_RESPONSE_TYPE_PARAMETER_NAME
```
public static final String OAUTH_RESPONSE_TYPE_PARAMETER_NAME
```
    Key for setting OAUTH response type.
    
    See Also:
    
    Constant Field Values
  - OAUTH_GRANT_TYPE_PARAMETER_NAME
```
public static final String OAUTH_GRANT_TYPE_PARAMETER_NAME
```
    Key for setting grant type.
    
    See Also:
    
    Constant Field Values
  - OAUTH_SCOPE_PARAMETER_NAME
```
public static final String OAUTH_SCOPE_PARAMETER_NAME
```
    Key for setting scope.
    
    See Also:
    
    Constant Field Values
  - OAUTH_CODE_CHALLENGE_PARAMETER_NAME
```
public static final String OAUTH_CODE_CHALLENGE_PARAMETER_NAME
```
    Key for setting code challenge.
    
    See Also:
    
    Constant Field Values
  - OAUTH_CHALLENGE_METHOD_PARAMETER_NAME
```
public static final String OAUTH_CHALLENGE_METHOD_PARAMETER_NAME
```
    Key for setting code challenge.
    
    See Also:
    
    Constant Field Values
  - CREATE_TOKEN_POLLING_INTERVAL
```
public final int CREATE_TOKEN_POLLING_INTERVAL
```
    The default time in seconds for which the client must wait between attempts when polling for a session
    
    See Also:
    
    Constant Field Values
  - DEFAULT_IDC_TOKEN_EXPIRY_IN_SEC
```
public final int DEFAULT_IDC_TOKEN_EXPIRY_IN_SEC
```
    It is used if auth server doesn't provide any value access token expiration
    
    See Also:
    
    Constant Field Values
  - CODE_VERIFIER_BYTE_LENGTH
```
public final int CODE_VERIFIER_BYTE_LENGTH
```
    It is used to set the number of bytes of the code verifier
    
    See Also:
    
    Constant Field Values
  - MILLISECOND_MULTIPLIER
```
public final long MILLISECOND_MULTIPLIER
```
    It is used to multiply millisecond values to get seconds
    
    See Also:
    
    Constant Field Values
  - m_issuer_url
```
protected String m_issuer_url
```
    Issuer URL variable.
  - m_idc_region
```
protected String m_idc_region
```
    IdC region variable.
  - m_redirect_uri
```
protected String m_redirect_uri
```
    Redirect URI variable.
  - m_sdk_client
```
protected AWSSSOOIDC m_sdk_client
```
    AWSSSOOIDC client object needed to SSOOIDC methods
  - KEY_SSL_INSECURE
```
protected static final String KEY_SSL_INSECURE
```
    See Also:
    
    Constant Field Values
  - m_sslInsecure
```
protected boolean m_sslInsecure
```
  - IAM_URL_PATTERN
```
protected static final Pattern IAM_URL_PATTERN
```
  - IAM_HTTP_URL_PATTERN
```
protected static final Pattern IAM_HTTP_URL_PATTERN
```
  - m_log
```
protected RedshiftLogger m_log
```
- Constructor Detail
  - BrowserIdcAuthPlugin
```
public BrowserIdcAuthPlugin()
```
- Method Detail
  - getAuthToken
```
protected NativeTokenHolder getAuthToken()
                                  throws IOException
```
    Overridden method to obtain the auth token from plugin specific implementation
    
    Specified by:
    
    getAuthToken in class CommonCredentialsProvider
    
    Returns:
    
    NativeTokenHolder A wrapper containing auth token and its expiration time information
    
    Throws:
    
    IOException - indicating the error
  - getIdcToken
```
protected NativeTokenHolder getIdcToken()
                                 throws IOException
```
    Returns the retrieved access token from IdC authorization server
    
    Returns:
    
    NativeTokenHolder This contains the retrieved access token and the expiration time of that token
    
    Throws:
    
    IOException - if an error occurs during the involved API call
  - addParameter
```
public void addParameter(String key,
                         String value)
```
    Overridden method to grab the field parameters from JDBC connection string or extended params provided by user. This method calls the base class' addParameter method and adds to it new specific parameters.
    
    Specified by:
    
    addParameter in interface INativePlugin
    
    Overrides:
    
    addParameter in class CommonCredentialsProvider
    
    Parameters:
    
    key - parameter key passed to JDBC driver
    
    value - parameter value associated with the given key
  - getRegisterClientResult
```
protected RegisterClientResult getRegisterClientResult()
                                                throws IOException
```
    Registers a client with IAM Identity Center. This allows clients to initiate authorization code + PKCE flow. The output is persisted for reuse through many authentication requests.
    
    Returns:
    
    RegisterClientResult Client registration result containing clientId and clientSecret required for authorization code + PKCE flow
    
    Throws:
    
    IOException - if an error occurs during the involved API call
  - generateCodeVerifier
```
protected String generateCodeVerifier()
```
    Generates a high entropy random codeVerifier string that will be used in the PKCE flow
    
    Returns:
    
    codeVerifier: randomly generated base64 encoded 60 byte string
  - generateCodeChallenge
```
protected String generateCodeChallenge(String verifier)
```
    Applies a SHA256 hash to the code verifier
    
    Parameters:
    
    verifier - Randomly generated base64 encoded string
    
    Returns:
    
    codeChallenge: string generated from applying a SHA256 hash to the code verifier
  - fetchAuthorizationCode
```
protected String fetchAuthorizationCode(String codeChallenge,
                                        RegisterClientResult registerClientResult)
                                 throws IOException,
                                        URISyntaxException
```
    Retrieves an IdC vended authorization code from the IdC server through the redirectURI
    
    Parameters:
    
    codeChallenge - String generated from applying a SHA256 hash to the code verifier
    
    registerClientResult - Contains the clientId and clientSecret
    
    Returns:
    
    String authCode: Authorization code returned from the IdC authorization server used to get the access token
    
    Throws:
    
    IOException - If an I/O error occurs while communicating with the IdC server or processing the response
    
    URISyntaxException - If the redirect URI or any other URI involved in the authorization process is malformed or violates URI syntax rules
  - fetchTokenResult
```
protected CreateTokenResult fetchTokenResult(RegisterClientResult registerClientResult,
                                             String authCode,
                                             String codeVerifier)
                                      throws IOException
```
    Creates and returns an access token for the authorized client within if successful before the timeout
    
    Parameters:
    
    registerClientResult - Contains the clientId and clientSecret
    
    authCode - Authorization code returned from the IdC authorization server used to get the access token
    
    codeVerifier - Randomly generated base64 encoded 60 byte string
    
    Returns:
    
    CreateTokenResult Create token result containing IdC token
    
    Throws:
    
    IOException - If an I/O error occurs while communicating with the IdC server or processing the response
  - getCreateTokenResult
```
protected CreateTokenResult getCreateTokenResult(String clientId,
                                                 String clientSecret,
                                                 String authCode,
                                                 String grantType,
                                                 String codeVerifier,
                                                 String redirectUri)
```
    Creates and returns an access token for the authorized client. The access token issued will be used by the Redshift server to authorize the user.
    
    Parameters:
    
    clientId - The unique identifier string for each client
    
    clientSecret - A secret string generated for the client
    
    authCode - Authorization code used to get the access token
    
    grantType - Supports grant types for the authorization code request
    
    codeVerifier - Used for PKCE flow
    
    redirectUri - Used to verify that the redirectUri is the same
    
    Returns:
    
    CreateTokenResult Create token result containing IdC token
  - processCreateTokenResult
```
protected NativeTokenHolder processCreateTokenResult(CreateTokenResult createTokenResult)
                                              throws IOException
```
    Takes a created token result as input and returns an object of type NativeTokenHolder that contains the access token and expiration
    
    Parameters:
    
    createTokenResult - Contains the access token, refresh token, and accces token expiry
    
    Returns:
    
    NativeTokenHolder This contains the retrieved access token and the expiration time of that token
    
    Throws:
    
    IOException - If an I/O error occurs while communicating with the IdC server or processing the response
  - openBrowser
```
protected void openBrowser(String state,
                           String codeChallenge,
                           RegisterClientResult registerClientResult)
                    throws URISyntaxException,
                           IOException
```
    Opens the default browser with the authorization code request to IdC /authorize endpoint
    
    Parameters:
    
    state - A randomly generated string to protect against cross-site request forgery attacks
    
    codeChallenge - String generated from applying a SHA256 hash to the code verifier
    
    registerClientResult - Contains the clientId and clientSecret
    
    Throws:
    
    IOException - If an error occurs while opening the default browser or establishing a connection to the IdC /authorize endpoint
    
    URISyntaxException - If the URI used for the authorization code request is malformed or violates URI syntax rules
  - getHttpClient
```
protected CloseableHttpClient getHttpClient()
                                     throws GeneralSecurityException
```
    Throws:
    
    GeneralSecurityException
  - validateURL
```
protected void validateURL(String paramString)
                    throws IOException
```
    Throws:
    
    IOException
  - getRegexForJsonKey
```
protected static String getRegexForJsonKey(String keyName)
```

Class BrowserIdcAuthPlugin

Field Summary

Fields inherited from class com.amazon.redshift.plugin.CommonCredentialsProvider

Constructor Summary

Method Summary

Methods inherited from class com.amazon.redshift.plugin.CommonCredentialsProvider

Methods inherited from class java.lang.Object

Field Detail

KEY_IDC_RESPONSE_TIMEOUT

KEY_LISTEN_PORT

KEY_ISSUER_URL

KEY_IDC_REGION

OAUTH_CSRF_STATE_PARAMETER_NAME

OAUTH_REDIRECT_PARAMETER_NAME

OAUTH_CLIENT_ID_PARAMETER_NAME

OAUTH_RESPONSE_TYPE_PARAMETER_NAME

OAUTH_GRANT_TYPE_PARAMETER_NAME

OAUTH_SCOPE_PARAMETER_NAME

OAUTH_CODE_CHALLENGE_PARAMETER_NAME

OAUTH_CHALLENGE_METHOD_PARAMETER_NAME

CREATE_TOKEN_POLLING_INTERVAL

DEFAULT_IDC_TOKEN_EXPIRY_IN_SEC

CODE_VERIFIER_BYTE_LENGTH

MILLISECOND_MULTIPLIER

m_issuer_url

m_idc_region

m_redirect_uri

m_sdk_client

KEY_SSL_INSECURE

m_sslInsecure

IAM_URL_PATTERN

IAM_HTTP_URL_PATTERN

m_log

Constructor Detail

BrowserIdcAuthPlugin

Method Detail

getAuthToken

getIdcToken

addParameter

getRegisterClientResult

generateCodeVerifier

generateCodeChallenge

fetchAuthorizationCode

fetchTokenResult

getCreateTokenResult

processCreateTokenResult

openBrowser

getHttpClient

validateURL

getRegexForJsonKey