xborder opened a new pull request, #2651: URL: https://github.com/apache/arrow-adbc/pull/2651
## Description

This pull request introduces OAuth support to the Flight client in the Go driver. The changes include the addition of OAuth access token support and the implementation of the token exchange and client credentials OAuth flows.

## Related Issues

- Closes #[2650](https://github.com/apache/arrow-adbc/issues/2650)

## Changes Made

1. Added `token` as a database option
1. Added support for [Token Exchange](https://datatracker.ietf.org/doc/html/rfc8693). If configured, `token` gets exchanged and the result is added to the `Authorization` header as a `Bearer` token
1. Added support for [Client Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4). If configured, `client_id` and `client_secret` are used to obtain an access token that is added to the `Authorization` header as a `Bearer` token
1. Added new driver options to allow third-party applications to configure OAuth flows:
1. Added tests

| Option | Description |
|--------|-------------|
| `adbc.flight.sql.oauth.flow` | Specifies the OAuth 2.0 flow type to use. Values:<ul><li>Authorization Code + PKCE: `1`</li><li>Client Credentials: `2`</li><li>Token Exchange: `4`</li></ul>|
| `adbc.flight.sql.oauth.auth_uri` | The authorization endpoint URI used for authorization code flows |
| `adbc.flight.sql.oauth.token_uri` | The token endpoint URI where the application exchanges authorization grants for access tokens |
| `adbc.flight.sql.oauth.redirect_uri` | The redirect URI where the authorization server redirects the user-agent after authorization is granted. Used in authorization code flows. |
| `adbc.flight.sql.oauth.scope` | Space-separated list of scopes the application is requesting access to. Defines the permissions requested for the access token. |
| `adbc.flight.sql.oauth.client_id` | The client identifier issued to the client during the registration process. Required for Client Credentials flow. |
| `adbc.flight.sql.oauth.client_secret` | The client secret issued alongside the client ID. Should be kept confidential. Required for Client Credentials flow. |
| `adbc.flight.sql.oauth.exchange.subject_token_type` | Type of the subject token being exchanged. Common value is `urn:ietf:params:oauth:token-type:jwt` for JWT tokens. Required for Token Exchange flow. |
| `adbc.flight.sql.oauth.exchange.actor_token` | An optional token representing the identity of the party on behalf of which the request is being made. Used for delegation and impersonation scenarios. |
| `adbc.flight.sql.oauth.exchange.actor_token_type` | The type of the actor token. Only required if `actor_token` is provided. |
| `adbc.flight.sql.oauth.exchange.requested_token_type` | The type of token the client wants to receive. Default is usually an access token if not specified. |
| `adbc.flight.sql.oauth.exchange.scope` | Space-separated list of scopes requested for the exchanged token. Can differ from the subject token's scopes. |
| `adbc.flight.sql.oauth.exchange.aud` | The intended audience for the requested token. Helps ensure token is only usable with specific services. |
| `adbc.flight.sql.oauth.exchange.resource` | The resource indicator for the requested token, identifying where/for what the token can be used. |
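
As an added example (not code from the pull request or from the ADBC driver), the per-flow requirements stated in the option table can be checked before an option map reaches the driver. `validateOAuthOptions` is a hypothetical helper, the sample values are constructed, and the https-only rule for `token_uri` is an assumption added here rather than something the description states.

```go
package main

import (
	"fmt"
	"net/url"
)

const prefix = "adbc.flight.sql.oauth." // option namespace from the PR description

// validateOAuthOptions is a hypothetical helper (not driver code). It returns
// one message per problem found in a database option map.
func validateOAuthOptions(opts map[string]string) []string {
	var problems []string
	require := func(key string) {
		if opts[prefix+key] == "" {
			problems = append(problems, "missing "+prefix+key)
		}
	}
	switch flow := opts[prefix+"flow"]; flow {
	case "1": // Authorization Code + PKCE: the description states no required options
	case "2": // Client Credentials
		require("client_id")
		require("client_secret")
	case "4": // Token Exchange
		require("exchange.subject_token_type")
		if opts[prefix+"exchange.actor_token"] != "" {
			require("exchange.actor_token_type") // only required with actor_token
		}
	default:
		problems = append(problems, "unknown flow value: "+flow)
	}
	// Assumption (added check, not from the PR): the token endpoint receives the
	// client secret or subject token, so accept only an absolute https URL.
	raw := opts[prefix+"token_uri"]
	if u, err := url.Parse(raw); raw != "" && (err != nil || u.Scheme != "https" || u.Host == "") {
		problems = append(problems, "token_uri must be an absolute https URL")
	}
	return problems
}

func main() {
	opts := map[string]string{ // constructed sample: placeholder endpoint, secret omitted
		prefix + "flow":      "2",
		prefix + "token_uri": "http://idp.example.com/token",
		prefix + "client_id": "example-client",
	}
	for _, p := range validateOAuthOptions(opts) {
		fmt.Println(p)
	}
}
```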