feat(low-code): add profile assertion flow to oauth authenticator component

[Serhii Lazebnyi (lazebnyi)]

What

To authenticate in some connectors like Google Sheets, we need to pass two-step authentication. Before requesting an access token, the user needs to generate a JWT to authenticate the access token request with it. This is described in RFC 7523 - https://datatracker.ietf.org/doc/html/rfc7523.

How

We have extended the current OAuth implementation with new fields (e.g. profile_assertion, use_profile_assertion) and methods to use OAuth JWT Assertion Profiles.

Summary by CodeRabbit

• New Features

  • Enhanced OAuth2 authentication with optional profile assertion support.
  • Added flexibility for client credentials configuration.
  • Introduced new methods for handling JWT-based token refresh.

• Improvements

  • Made client_id and client_secret optional.
  • Added support for conditional grant type configuration.
  • Improved error handling for authentication scenarios.

• Tests

  • Added new test coverage for profile assertion functionality.
  • Updated existing tests to enhance validation of refresh token scenarios.
  • Modified mock request behavior to reflect updated refresh endpoint URL.

[Serhii Lazebnyi (lazebnyi)]

/autofix

Auto-Fix Job Info

This job attempts to auto-fix any linting or formating issues. If any fixes are made,
those changes will be automatically committed and pushed back to the PR.

Note: This job can only be run by maintainers. On PRs from forks, this command requires
that the PR author has enabled the Allow edits from maintainers option.

PR auto-fix job started... Check job output.

✅ Changes applied successfully.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request introduces modifications to the DeclarativeOauth2Authenticator class, transitioning client_id and client_secret attributes from required to optional fields. New attributes, profile_assertion and use_profile_assertion, are added to enhance the authentication process. The initialization logic for grant_type is updated based on the use_profile_assertion flag. Additionally, new methods for handling assertions and constructing refresh request bodies are introduced. Corresponding changes are made in the schema and model files, along with updates to the test suite to validate the new functionality.

Changes

File	Change Summary
airbyte_cdk/sources/declarative/auth/oauth.py	- Made client_id and client_secret optional - Added profile_assertion and use_profile_assertion attributes - Introduced new methods: get_assertion_name(), get_assertion(), build_refresh_request_body()
airbyte_cdk/sources/declarative/declarative_component_schema.yaml	- Added profile_assertion property - Added use_profile_assertion property
airbyte_cdk/sources/declarative/models/declarative_component_schema.py	- Updated client_id and client_secret to be optional - Added profile_assertion and use_profile_assertion - Minor structural improvements
airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py	- Updated create_oauth_authenticator to handle profile_assertion
unit_tests/sources/declarative/auth/test_oauth.py	- Added test_profile_assertion method to validate new functionality

Possibly related PRs

• fix: (DeclarativeOAuthFlow) - allow DeclarativeOauth2Authenticator to use access_token directly when no token_refresh_endpoint or refresh_token values are provided. #182: Allows direct access_token usage when refresh details are missing
• feat(low-code): pass refresh headers to oauth #219: Introduces optional refresh_request_headers
• fix: (DeclarativeOAuthFlow) - add the ability to override the refresh_token_request_body key names, updated oauth_connector_input_specification tooltips #220: Enables overriding refresh token request body key names

Suggested Labels

oauth, declarative_oauth, oauth_in_builder

Suggested Reviewers

• bazarnov
• maxi297
• aldogonzalez8

What do you think about the new profile assertion feature? Do you see any potential use cases that we should consider? 😊

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 291d37a and ca09561.

📒 Files selected for processing (1)

• unit_tests/sources/streams/http/requests_native_auth/test_requests_native_auth.py (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• unit_tests/sources/streams/http/requests_native_auth/test_requests_native_auth.py

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (Fast)
• GitHub Check: Pytest (All, Python 3.10, Ubuntu)
• GitHub Check: Analyze (python)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (5)

airbyte_cdk/sources/declarative/auth/oauth.py (1)

Line range hint 1-229: Address the formatting issues reported by the pipeline.

The pipeline indicates that the file requires formatting using Ruff formatter. Could you please run the formatter to ensure compliance with the project's style guidelines? Wdyt?

🧰 Tools

🪛 GitHub Actions: Linters

[warning] File requires formatting using Ruff formatter

unit_tests/sources/declarative/auth/test_oauth.py (1)

Line range hint 1-451: Address formatting issues as indicated by the pipeline.

The pipeline reports that the file requires formatting using Ruff formatter. Could you please format the code accordingly? Wdyt?

🧰 Tools

🪛 GitHub Actions: Linters

[warning] File requires formatting using Ruff formatter

airbyte_cdk/sources/declarative/models/declarative_component_schema.py (2)

619-628: Consider enhancing the description for use_profile_assertion.

The current description for use_profile_assertion could be more detailed to help users understand when to enable this option. Perhaps providing an example or explaining the use case would be helpful. Wdyt?

🧰 Tools

🪛 GitHub Actions: Linters

[warning] File requires formatting using Ruff formatter

---

Line range hint 1-2290: Address the formatting issues reported by the pipeline.

The pipeline indicates that the file requires formatting using Ruff formatter. Could you please format the code accordingly? Wdyt?

🧰 Tools

🪛 GitHub Actions: Linters

[warning] File requires formatting using Ruff formatter

airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py (1)

1928-1929: LGTM! Clean implementation of profile assertion handling.

The implementation follows the factory pattern consistently by using _create_component_from_model to handle the optional profile assertion. This maintains consistency with how other optional components are created.

Hey, would you consider adding a comment explaining what a profile assertion is and when it's used? Something like "Profile assertions are used in OAuth JWT Assertion Profile flows (RFC 7523) to generate JWTs before requesting access tokens." wdyt?

🧰 Tools

🪛 GitHub Actions: Linters

[warning] File requires formatting using Ruff formatter

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 17dd71f and fff028c.

📒 Files selected for processing (5)

• airbyte_cdk/sources/declarative/auth/oauth.py (7 hunks)
• airbyte_cdk/sources/declarative/declarative_component_schema.yaml (1 hunks)
• airbyte_cdk/sources/declarative/models/declarative_component_schema.py (14 hunks)
• airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py (2 hunks)
• unit_tests/sources/declarative/auth/test_oauth.py (4 hunks)

🧰 Additional context used

🪛 GitHub Actions: Linters

airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py

[warning] File requires formatting using Ruff formatter

unit_tests/sources/declarative/auth/test_oauth.py

[warning] File requires formatting using Ruff formatter

airbyte_cdk/sources/declarative/models/declarative_component_schema.py

[warning] File requires formatting using Ruff formatter

airbyte_cdk/sources/declarative/auth/oauth.py

[warning] File requires formatting using Ruff formatter

⏰ Context from checks skipped due to timeout of 90000ms (7)

• GitHub Check: Check: 'source-pokeapi' (skip=false)
• GitHub Check: Check: 'source-the-guardian-api' (skip=false)
• GitHub Check: Check: 'source-shopify' (skip=false)
• GitHub Check: Check: 'source-hardcoded-records' (skip=false)
• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (All, Python 3.10, Ubuntu)
• GitHub Check: Analyze (python)

🔇 Additional comments (3)

airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py (1)

2002-2002: LGTM! Profile assertion properly passed to authenticator.

The profile assertion is correctly passed to the OAuth authenticator constructor, maintaining the alphabetical order of parameters.

🧰 Tools

🪛 GitHub Actions: Linters

[warning] File requires formatting using Ruff formatter

airbyte_cdk/sources/declarative/declarative_component_schema.yaml (2)

1255-1258: LGTM! The profile_assertion property is well defined.

The property correctly references the JwtAuthenticator schema and aligns with RFC 7523 requirements for JWT assertion-based authentication.

Hey, would you consider adding an example to help developers understand how to use this property? Something like this might be helpful, wdyt?

      profile_assertion:
        title: Profile Assertion
        description: The authenticator being used to authenticate the client authenticator.
        "$ref": "#/definitions/JwtAuthenticator"
+       examples:
+         - type: JwtAuthenticator
+           secret_key: "{{ config['jwt_secret'] }}"
+           algorithm: "RS256"

---

1259-1263: LGTM! The use_profile_assertion property is well structured.

The boolean flag with a default value of false makes it backward compatible and the description clearly explains its purpose.

Consider adding an example to make it more developer-friendly? Maybe something like this, wdyt?

      use_profile_assertion:
        title: Use Profile Assertion
        description: Enable using profile assertion as a flow for OAuth authorization.
        type: boolean
        default: false
+       examples:
+         - true
+         - "{{ config['enable_jwt_profile'] }}"

[Serhii Lazebnyi (lazebnyi)]

/autofix

Auto-Fix Job Info

This job attempts to auto-fix any linting or formating issues. If any fixes are made,
those changes will be automatically committed and pushed back to the PR.

Note: This job can only be run by maintainers. On PRs from forks, this command requires
that the PR author has enabled the Allow edits from maintainers option.

PR auto-fix job started... Check job output.

🟦 Job completed successfully (no changes).

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

airbyte_cdk/sources/declarative/auth/oauth.py (1)

105-110: ⚠️ Potential issue

Properly evaluate use_profile_assertion before using in conditionals.

Since use_profile_assertion can be an InterpolatedBoolean, str, or bool, it's important to evaluate it using .eval(self.config) to ensure it resolves to a boolean value before using it in conditional statements. Otherwise, the conditionals may not behave as expected. Could you update the code to evaluate self.use_profile_assertion appropriately? Wdyt?

Apply this diff to ensure use_profile_assertion is properly evaluated:

         self.grant_type = InterpolatedString.create(
             "urn:ietf:params:oauth:grant-type:jwt-bearer"
-            if self.use_profile_assertion
+            if (isinstance(self.use_profile_assertion, InterpolatedBoolean) 
+                and self.use_profile_assertion.eval(self.config))
+                or self.use_profile_assertion is True
             else self.grant_type,
             parameters=parameters,
         )

🧹 Nitpick comments (2)

airbyte_cdk/sources/declarative/auth/oauth.py (2)

126-131: Add type annotation for assertion_name.

The assertion_name field is missing a type annotation. Since it's a constant string, should we add str as the type hint? Also, consider making it a class constant since it's a fixed value. Wdyt?

-        self.assertion_name = "assertion"
+        self.assertion_name: str = "assertion"

Or as a class constant:

 @dataclass
 class DeclarativeOauth2Authenticator(AbstractOauth2Authenticator, DeclarativeAuthenticator):
+    ASSERTION_NAME: str = "assertion"
     ...
-        self.assertion_name = "assertion"
+        self.assertion_name: str = self.ASSERTION_NAME

---

227-238: Add type hints to method calls in build_refresh_request_body.

The method logic looks good, but there are type safety concerns with the untyped function calls. Should we add type hints to the called methods to improve type safety? Wdyt?

-    def get_assertion_name(self) -> str:
+    def get_assertion_name(self) -> str:
         """Returns the name of the assertion parameter."""
         return self.assertion_name

-    def get_assertion(self) -> str:
+    def get_assertion(self) -> str:
         """Returns the assertion token value."""
         if self.profile_assertion is None:
             raise ValueError("profile_assertion is not set")
         return self.profile_assertion.token

🧰 Tools

🪛 GitHub Actions: Linters

[error] 235-235: Call to untyped function "get_assertion_name" in typed context

---

[error] 235-235: Call to untyped function "get_assertion" in typed context

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 726f974 and 32b43b2.

📒 Files selected for processing (1)

• airbyte_cdk/sources/declarative/auth/oauth.py (7 hunks)

🧰 Additional context used

🪛 GitHub Actions: Linters

airbyte_cdk/sources/declarative/auth/oauth.py

[error] 82-82: Argument 1 to "create" of "InterpolatedString" has incompatible type "InterpolatedString | str | None"; expected "InterpolatedString | str"

---

[error] 86-86: Argument 1 to "create" of "InterpolatedString" has incompatible type "InterpolatedString | str | None"; expected "InterpolatedString | str"

---

[error] 221-221: Function is missing a return type annotation

---

[error] 224-224: Function is missing a return type annotation

---

[error] 225-225: Item "None" of "DeclarativeAuthenticator | None" has no attribute "token"

---

[error] 235-235: Call to untyped function "get_assertion_name" in typed context

---

[error] 235-235: Call to untyped function "get_assertion" in typed context

⏰ Context from checks skipped due to timeout of 90000ms (7)

• GitHub Check: Check: 'source-pokeapi' (skip=false)
• GitHub Check: Check: 'source-the-guardian-api' (skip=false)
• GitHub Check: Check: 'source-shopify' (skip=false)
• GitHub Check: Check: 'source-hardcoded-records' (skip=false)
• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (All, Python 3.10, Ubuntu)
• GitHub Check: Analyze (python)

🔇 Additional comments (3)

airbyte_cdk/sources/declarative/auth/oauth.py (3)

50-51: LGTM! Good type hints for optional client credentials.

The type hints correctly reflect that these fields can be either None, InterpolatedString, or str. This change nicely supports both basic OAuth and profile assertion flows.

---

70-71: LGTM! Well-structured profile assertion attributes.

The type hints are comprehensive, allowing for flexible configuration of the profile assertion flow. The use_profile_assertion flag supports multiple types (InterpolatedBoolean, str, bool) which is great for declarative configuration.

---

144-154: LGTM! Clear and comprehensive validation logic.

The validation checks and error messages are well-structured and descriptive. They properly handle both basic OAuth and profile assertion flows.

[Maxime Carbonneau-Leclerc (maxi297)]

Just a small question regarding the declarative interface. The rest makes sense to me if the tests with source-google-sheets are good

[Aldo Gonzalez (aldogonzalez8)]

These changes make sense to me. I would like a manifest test, but I don't want to block you on that as we already have a required implementation for this.

[Serhii Lazebnyi (lazebnyi)]

/autofix

Auto-Fix Job Info

This job attempts to auto-fix any linting or formating issues. If any fixes are made,
those changes will be automatically committed and pushed back to the PR.

Note: This job can only be run by maintainers. On PRs from forks, this command requires
that the PR author has enabled the Allow edits from maintainers option.

PR auto-fix job started... Check job output.

🟦 Job completed successfully (no changes).

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

airbyte_cdk/sources/http_logger.py (1)

48-48: LGTM! Nice formatting improvement.

The spacing adjustment in the type ignore directive # type: ignore[return-value] aligns better with PEP 484's type checking syntax. The comment also helpfully explains the type mismatch reason.

Hey, while we're here, would you be interested in exploring ways to properly type this return value instead of using type: ignore? We could potentially define a proper JsonType or use TypedDict to make this more type-safe, wdyt? 🤔

airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py (1)

1954-1954: Consider extracting the conditional evaluation logic to reduce duplication.

The pattern InterpolatedString.create(value, parameters=model.parameters or {}).eval(config) if value else value is repeated for both client_id and client_secret. What do you think about extracting this into a helper method? Something like:

+    def _eval_if_present(self, value: Optional[str], parameters: Dict[str, Any], config: Config) -> Optional[str]:
+        return InterpolatedString.create(value, parameters=parameters or {}).eval(config) if value else value
+
     def create_oauth_authenticator(...):
-        client_id=InterpolatedString.create(model.client_id, parameters=model.parameters or {}).eval(config) if model.client_id else model.client_id,
+        client_id=self._eval_if_present(model.client_id, model.parameters, config),
-        client_secret=InterpolatedString.create(model.client_secret, parameters=model.parameters or {}).eval(config) if model.client_secret else model.client_secret,
+        client_secret=self._eval_if_present(model.client_secret, model.parameters, config),

This would make the code more DRY and easier to maintain. WDYT? 🤔

Also applies to: 1960-1960

🧰 Tools

🪛 GitHub Actions: Linters

[warning] File requires formatting with Ruff formatter

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2c26dce and 9c7d3e3.

📒 Files selected for processing (4)

• airbyte_cdk/sources/declarative/auth/oauth.py (9 hunks)
• airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py (3 hunks)
• airbyte_cdk/sources/http_logger.py (1 hunks)
• airbyte_cdk/sources/streams/http/requests_native_auth/oauth.py (5 hunks)

✅ Files skipped from review due to trivial changes (1)

• airbyte_cdk/sources/streams/http/requests_native_auth/oauth.py

🚧 Files skipped from review as they are similar to previous changes (1)

• airbyte_cdk/sources/declarative/auth/oauth.py

🧰 Additional context used

🪛 GitHub Actions: Linters

airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py

[warning] File requires formatting with Ruff formatter

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (Fast)
• GitHub Check: Pytest (All, Python 3.10, Ubuntu)
• GitHub Check: Analyze (python)

🔇 Additional comments (2)

airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py (2)

1928-1932: LGTM! Clean implementation of profile assertion initialization.

The initialization of profile_assertion follows the established pattern for optional components and handles the None case appropriately.

🧰 Tools

🪛 GitHub Actions: Linters

[warning] File requires formatting with Ruff formatter

---

2006-2007: LGTM! Clean addition of profile assertion parameters.

The addition of profile_assertion and use_profile_assertion parameters is well-placed and aligns with the PR's objective of supporting two-step authentication.

🧰 Tools

🪛 GitHub Actions: Linters

[warning] File requires formatting with Ruff formatter

[Serhii Lazebnyi (lazebnyi)]

/autofix

Auto-Fix Job Info

This job attempts to auto-fix any linting or formating issues. If any fixes are made,
those changes will be automatically committed and pushed back to the PR.

Note: This job can only be run by maintainers. On PRs from forks, this command requires
that the PR author has enabled the Allow edits from maintainers option.

PR auto-fix job started... Check job output.

✅ Changes applied successfully.