com.amazon.redshift.plugin

Class BrowserIdcAuthPlugin

java.lang.Object

com.amazon.redshift.plugin.CommonCredentialsProvider

com.amazon.redshift.plugin.BrowserIdcAuthPlugin

All Implemented Interfaces:

INativePlugin

public class BrowserIdcAuthPlugin
extends CommonCredentialsProvider

Class to get IdC Token from AWS Identity Center (IdC)

Field Summary

Fields

Modifier and Type	Field and Description
int	DEFAULT_IDC_TOKEN_EXPIRY_IN_SEC
protected static Pattern	IAM_HTTP_URL_PATTERN
protected static Pattern	IAM_URL_PATTERN
protected static String	KEY_SSL_INSECURE
protected RedshiftLogger	m_log
protected AWSSSOOIDC	m_sdk_client
protected boolean	m_sslInsecure
int	REQUEST_CREATE_TOKEN_DEFAULT_INTERVAL The default time in seconds for which the client must wait between attempts when polling for a session It is used if auth server doesn't provide any value for interval in start device authorization response

Fields inherited from class com.amazon.redshift.plugin.CommonCredentialsProvider

m_disableCache

Constructor Summary

Constructors

Constructor and Description
BrowserIdcAuthPlugin()
BrowserIdcAuthPlugin(AWSSSOOIDC client)

Method Summary

Modifier and Type	Method and Description
void	addParameter(String key, String value) Overridden method to grab the field parameters from JDBC connection string or extended params provided by user.
protected CreateTokenResult	fetchTokenResult(RegisterClientResult registerClientResult, StartDeviceAuthorizationResult startDeviceAuthorizationResult, String grantType, String scope)
protected NativeTokenHolder	getAuthToken() Overridden method to obtain the auth token from plugin specific implementation
protected CreateTokenResult	getCreateTokenResult(String clientId, String clientSecret, String deviceCode, String grantType, String... scope) Creates and returns an access token for the authorized client.
protected CloseableHttpClient	getHttpClient()
protected NativeTokenHolder	getIdcToken() Plugin implementation method to grab the IdC token from AWS IAM Identity Center.
String	getPluginSpecificCacheKey()
protected static String	getRegexForJsonKey(String keyName)
protected RegisterClientResult	getRegisterClientResult(String clientName, String clientType) Registers a client with IAM Identity Center.
protected StartDeviceAuthorizationResult	getStartDeviceAuthorizationResult(String clientId, String clientSecret, String startUrl) Initiates device authorization by requesting a pair of verification codes from the IAM Identity Center
protected void	openBrowser(String verificationUri)
protected NativeTokenHolder	processCreateTokenResult(CreateTokenResult createTokenResult)
protected void	validateURL(String paramString)

Methods inherited from class com.amazon.redshift.plugin.CommonCredentialsProvider

getCacheKey, getCredentials, getIdpToken, refresh, setLogger

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

REQUEST_CREATE_TOKEN_DEFAULT_INTERVAL

public final int REQUEST_CREATE_TOKEN_DEFAULT_INTERVAL

The default time in seconds for which the client must wait between attempts when polling for a session It is used if auth server doesn't provide any value for interval in start device authorization response

See Also:

Constant Field Values

DEFAULT_IDC_TOKEN_EXPIRY_IN_SEC

public final int DEFAULT_IDC_TOKEN_EXPIRY_IN_SEC

See Also:

Constant Field Values

m_sdk_client

protected AWSSSOOIDC m_sdk_client

KEY_SSL_INSECURE

protected static final String KEY_SSL_INSECURE

See Also:

Constant Field Values

m_sslInsecure

protected boolean m_sslInsecure

IAM_URL_PATTERN

protected static final Pattern IAM_URL_PATTERN

IAM_HTTP_URL_PATTERN

protected static final Pattern IAM_HTTP_URL_PATTERN

m_log

protected RedshiftLogger m_log

Constructor Detail

BrowserIdcAuthPlugin

public BrowserIdcAuthPlugin()

BrowserIdcAuthPlugin

public BrowserIdcAuthPlugin(AWSSSOOIDC client)

Method Detail

addParameter

public void addParameter(String key,
                         String value)

Overridden method to grab the field parameters from JDBC connection string or extended params provided by user. This method calls the base class' addParameter method and adds to it new specific parameters.

Specified by:

addParameter in interface INativePlugin

Overrides:

addParameter in class CommonCredentialsProvider

Parameters:

key - parameter key passed to JDBC driver

value - parameter value associated with the given key

getPluginSpecificCacheKey

public String getPluginSpecificCacheKey()

Specified by:

getPluginSpecificCacheKey in interface INativePlugin

Overrides:

getPluginSpecificCacheKey in class CommonCredentialsProvider

Returns:

The cache key against which the idc token holder is stored, specific to this plugin

getAuthToken

protected NativeTokenHolder getAuthToken()
                                  throws IOException

Overridden method to obtain the auth token from plugin specific implementation

Specified by:

getAuthToken in class CommonCredentialsProvider

Returns:

NativeTokenHolder A wrapper containing auth token and its expiration time information

Throws:

IOException - indicating the error

getIdcToken

protected NativeTokenHolder getIdcToken()
                                 throws IOException

Plugin implementation method to grab the IdC token from AWS IAM Identity Center.

Returns:

NativeTokenHolder A wrapper containing IdC token and its expiration time information

Throws:

IOException - indicating the error

getRegisterClientResult

protected RegisterClientResult getRegisterClientResult(String clientName,
                                                       String clientType)
                                                throws IOException

Registers a client with IAM Identity Center. This allows clients to initiate device authorization. The output is persisted for reuse through many authentication requests.

Parameters:

clientName - The friendly name of the client

clientType - The type of client. The service supports only public as a client type

Returns:

RegisterClientResult Client registration result containing clientId and clientSecret required for device authorization

Throws:

IOException - if an error occurs during the involved API call

getStartDeviceAuthorizationResult

protected StartDeviceAuthorizationResult getStartDeviceAuthorizationResult(String clientId,
                                                                           String clientSecret,
                                                                           String startUrl)
                                                                    throws IOException

Initiates device authorization by requesting a pair of verification codes from the IAM Identity Center

Parameters:

clientId - The unique identifier string for the client that is registered with IAM Identity Center.

clientSecret - A secret string that is generated for the client.

startUrl - The URL for the AWS access portal

Returns:

StartDeviceAuthorizationResult Device Authorization result containing deviceCode for creating token

Throws:

IOException - if an error occurs during the involved API call

openBrowser

protected void openBrowser(String verificationUri)
                    throws IOException

Throws:

IOException

getCreateTokenResult

protected CreateTokenResult getCreateTokenResult(String clientId,
                                                 String clientSecret,
                                                 String deviceCode,
                                                 String grantType,
                                                 String... scope)

Creates and returns an access token for the authorized client. The access token issued will be used to fetch short-term credentials for the assigned roles in the AWS account.

Parameters:

clientId - The unique identifier string for each client

clientSecret - A secret string generated for the client

deviceCode - Used only when calling this API for the device code grant type. This short-term code is used to identify this authentication attempt

grantType - Supports grant types for the device code request

scope - The list of scopes that is defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token

Returns:

CreateTokenResult Create token result containing IdC token

fetchTokenResult

protected CreateTokenResult fetchTokenResult(RegisterClientResult registerClientResult,
                                             StartDeviceAuthorizationResult startDeviceAuthorizationResult,
                                             String grantType,
                                             String scope)
                                      throws IOException

Throws:

IOException

processCreateTokenResult

protected NativeTokenHolder processCreateTokenResult(CreateTokenResult createTokenResult)
                                              throws IOException

Throws:

IOException

getHttpClient

protected CloseableHttpClient getHttpClient()
                                     throws GeneralSecurityException

Throws:

GeneralSecurityException

validateURL

protected void validateURL(String paramString)
                    throws IOException

Throws:

IOException

getRegexForJsonKey

protected static String getRegexForJsonKey(String keyName)