Skip to content

Remove Username assertion for web browser auth #2142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Remove Username assertion for web browser auth #2142

wants to merge 1 commit into from

Conversation

karunmotorq
Copy link

@karunmotorq karunmotorq commented Jan 23, 2025
edited
Loading

Please answer these questions before submitting your pull requests. Thanks!

  1. What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

    Fixes SNOW-1892848: Web Browser Auth doesnt need user to be passed but asserts it #2143

  2. Fill out the following pre-review checklist:

    • [NA] I am adding a new automated test(s) to verify correctness of my new code
    • [NA] I am adding new logging messages
    • [NA] I am adding a new telemetry message
    • [NA] I am modifying authorization mechanisms
    • [NA] I am adding new credentials
    • [NA] I am modifying OCSP code
    • [NA] I am adding a new dependency

  3. Please describe how your code solves the related issue.

    Ignoring missing username for external browser auth

  4. (Optional) PR for stored-proc connector:

@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 23, 2025
edited
Loading

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@karunmotorq
Copy link
Author

I have read the CLA Document and I hereby sign the CLA

@karunmotorq karunmotorq mentioned this pull request Jan 23, 2025
Open
@sfc-gh-mkeller
Copy link
Collaborator

I'm sorry, this doesn't work for me. I think user is required for externalbrowser auth too

@karunmotorq
Copy link
Author

@sfc-gh-mkeller Ive tested the forked repo in my Snowflake Code, the user context is able to be derived from the webbrowser, and scripts run successfully. Is there any supporting evidence needed to take this further?

Were migrating from the JS SDK to the python SDK, in JS SDK the username is not a parameter for webbrowser auth

@karunmotorq
Copy link
Author

@sfc-gh-mkeller

sfc-gh-mmishchenko
sfc-gh-mmishchenko reviewed Apr 2, 2025
View reviewed changes
src/snowflake/connector/connection.py
@@ -1238,7 +1238,7 @@ def __config(self, **kwargs):
self._token = f.read()

if not (self._master_token and self._session_token):
if not self.user and self._authenticator != OAUTH_AUTHENTICATOR:
if not self.user and self._authenticator != OAUTH_AUTHENTICATOR and self._authenticator != EXTERNAL_BROWSER_AUTHENTICATOR:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's true that for authentication itself user is not required, but it is required for storing a temporary credential (token) in the cache storage, to identify the owner.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could make one SQL query to fetch the username of the current token and use that to store it.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @nicornk
You're right provided it would have taken place backend-side; however, the source of concern here is the client-side temporary credentials cache. As it's effectively a key-value storage, a unique key is required to built on the client-side as a prerequisite to authentication.
Technically it could've been some arbitrary identifier provided by a user, but probably it won't look like a much better user experience than currently required username, not sure. What's your opinion?

Copy link

@nicornk nicornk Apr 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How long is the temporary cached item valid for? Is it just for the duration of the login attempt, in that case wouldn’t there be another way to come up with a key for the KV store?

if it’s anyhow arbitrary, why not use a random uuid?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicornk nicornk nicornk left review comments

@sfc-gh-mmishchenko sfc-gh-mmishchenko sfc-gh-mmishchenko left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SNOW-1892848: Web Browser Auth doesnt need user to be passed but asserts it
4 participants
@karunmotorq @sfc-gh-mkeller @nicornk @sfc-gh-mmishchenko