-
Notifications
You must be signed in to change notification settings - Fork 169
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make JWTAuthentication accept token providers to support token refresh #466
Comments
As far as I understand even if the token is refreshed any already running queries would still fail? If so we should make it clear once we add the functionality you propose. Also since you seem to have an idea of how to implement this already would you like to send a PR? The proposal looks good so far. |
And also once we have this implemented we can think of changing #462 to align with whatever "interface" we come up with for this issue. |
I just noticed I forgot to tag you @sugibuchi. Wanted to check if you're still willing to send a PR for this since it seems you have some ideas already. |
Thank you very much for your comment. I checked the source code of the Trino server. JWT tokens received by the Trino server are parsed and verified (including an expiration check) in Therefore,
This cannot happen as the expiration time written in JWT tokens is not used after the authentication in
Yes. I can prepare a PR for this change. |
Describe the feature
Extend
JWTAuthentication
to support both static JWT tokens and JWT tokens dynamically produced by given Callable objects.This extension aims to refresh JWT tokens in
JWTAuthentication
.Context
We are currently trying to use JWT access tokens issued by Azure Entra ID (aka. Azure Active Directory) to authenticate clients (more precisely, DBT workflows running in Azure) accessing our Trino.
Retrieving access tokens from Entra ID is a straightforward process. We can accomplish this by using the
TokenCredential
implementations provided by theazure-identity
package. For instance,A problem here is that there is no way to refresh tokens set to
JWTAuthentication
as the current version ofJWTAuthentication
accepts only a static token, and sets the token torequests.Session
objects as a static auth header value.For example, JWT tokens issued by Entra ID usually expire within 1 hour or less. Therefore, an application using
JWTAuthentication
will fail at a certain moment due to the expiration of access tokens unless the application frequently recreates theJWTAuthentication
instance with a new token.Proposal
Extend
JWTAuthentication
to accept both a static JWT token and aCallable
object as the init argument.https://github.com/trinodb/trino-python-client/blob/0.328.0/trino/auth.py#L146-L153
We also need to extend
_BearerAuth
.https://github.com/trinodb/trino-python-client/blob/0.328.0/trino/auth.py#L142
With this extension, we can rewrite the sample code above as follows:
This code won't fail as the
credential
(DefaultAzureCredential
) will automatically cache and refresh access tokens.Describe alternatives you've considered
We have implemented a custom
JWTAuthentication
with this extension by ourselves. However, JWT token refresh is a common concern that can appear in various use case scenarios. It would be nice to have this extension as a part of the Trino Python client.Are you willing to submit PR?
The text was updated successfully, but these errors were encountered: