Maven / Gradle / Ivy
* Copyright 2010-2024, Inc. or its affiliates. All Rights Reserved.
* This file is licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License. A copy of
* the License is located at
* This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder;
import java.awt.*;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.List;
import java.util.Base64;
import com.amazonaws.util.StringUtils;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import static;
public class BrowserIdcAuthPlugin extends CommonCredentialsProvider {
* Key for setting timeout for IDP response.
public static final String KEY_IDC_RESPONSE_TIMEOUT = "idp_response_timeout";
* Key for setting the port number for listening.
public static final String KEY_LISTEN_PORT = "listen_port";
* Key for setting idp tenant.
public static final String KEY_ISSUER_URL = "issuer_url";
* Key for setting IdC region.
public static final String KEY_IDC_REGION = "idc_region";
* Key for setting IdC client display name
private static final String KEY_IDC_CLIENT_DISPLAY_NAME = "idc_client_display_name";
* Key for setting CSRF endpoint protection state.
public static final String OAUTH_CSRF_STATE_PARAMETER_NAME = "state";
* Key for setting redirect URI.
public static final String OAUTH_REDIRECT_PARAMETER_NAME = "redirect_uri";
* Key for setting client ID.
public static final String OAUTH_CLIENT_ID_PARAMETER_NAME = "client_id";
* Key for setting OAUTH response type.
public static final String OAUTH_RESPONSE_TYPE_PARAMETER_NAME = "response_type";
* Key for setting grant type.
public static final String OAUTH_GRANT_TYPE_PARAMETER_NAME = "grant_type";
* Key for setting scope.
public static final String OAUTH_SCOPE_PARAMETER_NAME = "scopes";
* Key for setting code challenge.
public static final String OAUTH_CODE_CHALLENGE_PARAMETER_NAME = "code_challenge";
* Key for setting code challenge.
public static final String OAUTH_CHALLENGE_METHOD_PARAMETER_NAME = "code_challenge_method";
* The default time in seconds for which the client must wait between attempts when polling for a session
* It is used if auth server doesn't provide any value access token expiration
public final int DEFAULT_IDC_TOKEN_EXPIRY_IN_SEC = 900;
* It is used to set the number of bytes of the code verifier
public final int CODE_VERIFIER_BYTE_LENGTH = 60;
* It is used to multiply millisecond values to get seconds
public final long MILLISECOND_MULTIPLIER = 1000L;
* Issuer URL variable.
protected String m_issuer_url;
* IdC region variable.
protected String m_idc_region;
* Redirect URI variable.
protected String m_redirect_uri;
* AWSSSOOIDC client object needed to SSOOIDC methods
protected AWSSSOOIDC m_sdk_client;
* Key for authorization code.
private static final String AUTH_CODE_PARAMETER_NAME = "code";
* String containing HTTPS.
private static final String CURRENT_INTERACTION_PROTOCOL = "https";
* String containing OIDC used for building the authorization server endpoint.
private static final String OIDC_SUBDOMAIN = "oidc";
* String containing used for building the authorization server endpoint.
private static final String AMAZON_COM_DOMAIN = "";
* Application scope variable.
private static final String REDSHIFT_IDC_CONNECT_SCOPE = "redshift:connect";
* Application grant types variable.
private static final String AUTH_CODE_GRANT_TYPE = "authorization_code";
* Client type of client application
private static final String M_CLIENT_TYPE = "public";
* Redirect URI of client application
private static final String M_REDIRECT_URI = "";
* Authorize endpoint to get authorization code
private static final String AUTHORIZE_ENDPOINT = "/authorize";
* Method used to hash the code verifier
private static final String CHALLENGE_METHOD = "S256";
* SHA256 hash used to hash the code verifier
private static final String SHA256_METHOD = "SHA-256";
* Default timeout for IDP response.
private int m_idc_response_timeout = 120;
* Default port for local server.
private int m_listen_port = 7890;
* Default IdC client display name.
private String m_idcClientDisplayName = RedshiftProperty.IDC_CLIENT_DISPLAY_NAME.getDefaultValue();
// Used to cache RegisterClientResult, which contains clientId and clientSecret. Cache key will be ::
private static final Map m_register_client_cache = new HashMap();
* Overridden method to obtain the auth token from plugin specific implementation
* @return {@link NativeTokenHolder} A wrapper containing auth token and its expiration time information
* @throws IOException indicating the error
protected NativeTokenHolder getAuthToken() throws IOException {
return getIdcToken();
* Returns the retrieved access token from IdC authorization server
* @return {@link NativeTokenHolder} This contains the retrieved access token and the expiration time of that token
* @throws IOException if an error occurs during the involved API call
protected NativeTokenHolder getIdcToken() throws IOException {
try {
m_sdk_client = AWSSSOOIDCClientBuilder.standard().withRegion(m_idc_region).build();
m_redirect_uri = M_REDIRECT_URI + ":" + m_listen_port;
RegisterClientResult registerClientResult = getRegisterClientResult();
String codeVerifier = generateCodeVerifier();
String codeChallenge = generateCodeChallenge(codeVerifier);
String authCode = fetchAuthorizationCode(codeChallenge, registerClientResult);
CreateTokenResult createTokenResult = fetchTokenResult(registerClientResult, authCode,codeVerifier);
return processCreateTokenResult(createTokenResult);
} catch (InternalPluginException | URISyntaxException ex) {
if (RedshiftLogger.isEnable())
m_log.log(LogLevel.ERROR, ex, "InternalPluginException in getIdcToken");
// Wrap any exception to be compatible with CommonCredentialsProvider API
throw new IOException(ex.getMessage(), ex);
private void checkRequiredParameters() throws InternalPluginException {
if (StringUtils.isNullOrEmpty(m_issuer_url)) {
m_log.logDebug("IdC authentication failed: issuer_url needs to be provided in connection params");
throw new InternalPluginException("IdC authentication failed: The issuer URL must be included in the connection parameters.");
if (StringUtils.isNullOrEmpty(m_idc_region)) {
m_log.logDebug("IdC authentication failed: idc_region needs to be provided in connection params");
throw new InternalPluginException("IdC authentication failed: The IdC region must be included in the connection parameters.");
* Overridden method to grab the field parameters from JDBC connection string or extended params provided by user.
* This method calls the base class' addParameter method and adds to it new specific parameters.
* @param key parameter key passed to JDBC driver
* @param value parameter value associated with the given key
public void addParameter(String key, String value) {
switch (key) {
m_issuer_url = value;
if (RedshiftLogger.isEnable())
m_log.logDebug("Setting issuer_url: {0}", m_issuer_url);
m_idc_region = value;
if (RedshiftLogger.isEnable())
m_log.logDebug("Setting idc_region: {0}", m_idc_region);
m_listen_port = Integer.parseInt(value);
if (RedshiftLogger.isEnable())
m_log.logDebug("Setting listen_port: {0}", m_listen_port);
if (!StringUtils.isNullOrEmpty(value))
m_idcClientDisplayName = value;
if (RedshiftLogger.isEnable())
m_log.logDebug("Setting idc_client_display_name: {0}", m_idcClientDisplayName);
if (!StringUtils.isNullOrEmpty(value)) {
int timeout = Integer.parseInt(value);
if (timeout > 10) { // minimum allowed timeout value is 10 secs
m_idc_response_timeout = timeout;
if (RedshiftLogger.isEnable())
m_log.logDebug("Setting idc_response_timeout={0}", m_idc_response_timeout);
} else { // else use default timeout value itself
if (RedshiftLogger.isEnable())
m_log.logDebug("Setting default idc_response_timeout={0}; provided value={1}", m_idc_response_timeout, timeout);
super.addParameter(key, value);
* Registers a client with IAM Identity Center. This allows clients to initiate authorization code + PKCE flow.
* The output is persisted for reuse through many authentication requests.
* @return {@link RegisterClientResult} Client registration result containing {@code clientId} and {@code clientSecret} required for authorization code + PKCE flow
* @throws IOException if an error occurs during the involved API call
protected RegisterClientResult getRegisterClientResult() throws IOException {
String registerClientCacheKey = m_issuer_url + ":" + m_idc_region + ":" + m_listen_port;
RegisterClientResult cachedRegisterClientResult = m_register_client_cache.get(registerClientCacheKey);
if (isCachedRegisterClientResultValid(cachedRegisterClientResult)) {
if (RedshiftLogger.isEnable()){
m_log.logDebug("Using cached register client result");
m_log.logDebug("Cached register client secret expiry is {0}", cachedRegisterClientResult.getClientSecretExpiresAt());
return cachedRegisterClientResult;
RegisterClientRequest registerClientRequest = new RegisterClientRequest();
RegisterClientResult registerClientResult = null;
try {
registerClientResult = m_sdk_client.registerClient(registerClientRequest);
if (RedshiftLogger.isEnable() && registerClientResult.getSdkHttpMetadata() != null)
m_log.logDebug("registerClient response code: {0}", registerClientResult.getSdkHttpMetadata().getHttpStatusCode());
} catch (InternalServerException ex) {
if (RedshiftLogger.isEnable())
m_log.log(LogLevel.ERROR, ex, "Error: Unexpected server error while registering client;");
throw new IOException("IdC authentication failed : An error occurred during the request.", ex);
} catch (Exception ex) {
if (RedshiftLogger.isEnable())
m_log.log(LogLevel.ERROR, ex, "Error: Unexpected register client error;");
throw new IOException("IdC registerClient failed : There was an error during the request.", ex);
m_register_client_cache.put(registerClientCacheKey, registerClientResult);
if (RedshiftLogger.isEnable())
m_log.logDebug("Cached register client secret expiry is {0}", registerClientResult.getClientSecretExpiresAt());
return registerClientResult;
* Generates a high entropy random codeVerifier string that will be used in the PKCE flow
* @return codeVerifier: randomly generated base64 encoded 60 byte string
protected String generateCodeVerifier() {
byte[] randomBytes = new byte[CODE_VERIFIER_BYTE_LENGTH];
SecureRandom secureRandom = new SecureRandom();
String codeVerifier = Base64.getUrlEncoder().withoutPadding().encodeToString(randomBytes);
return codeVerifier;
* Applies a SHA256 hash to the code verifier
* @param verifier Randomly generated base64 encoded string
* @return codeChallenge: string generated from applying a SHA256 hash to the code verifier
protected String generateCodeChallenge(String verifier) {
byte[] sha256Hash = sha256(verifier.getBytes(StandardCharsets.US_ASCII));
// Encode the hash into Base64url
String codeChallenge = Base64.getUrlEncoder().withoutPadding().encodeToString(sha256Hash);
return codeChallenge;
* Retrieves an IdC vended authorization code from the IdC server through the redirectURI
* @param codeChallenge String generated from applying a SHA256 hash to the code verifier
* @param registerClientResult Contains the clientId and clientSecret
* @return {@link String} authCode: Authorization code returned from the IdC authorization server used to get the access token
* @throws IOException If an I/O error occurs while communicating with the IdC server or processing the response
* @throws URISyntaxException If the redirect URI or any other URI involved in the authorization process is malformed or violates URI syntax rules
protected String fetchAuthorizationCode(String codeChallenge, RegisterClientResult registerClientResult) throws IOException, URISyntaxException
final String state = RandomStateUtil.generateRandomState();
RequestHandler requestHandler =
new RequestHandler(new Function, Object>()
public Object apply(List nameValuePairs)
String incomingState =
findParameter(OAUTH_CSRF_STATE_PARAMETER_NAME, nameValuePairs);
if (!state.equals(incomingState))
String state_error_message = "Incoming state " + incomingState + " does not match the outgoing state " + state;
m_log.log(LogLevel.DEBUG, state_error_message);
return new InternalPluginException(state_error_message);
String code = findParameter(AUTH_CODE_PARAMETER_NAME, nameValuePairs);
if (StringUtils.isNullOrEmpty(code))
String code_error_message = "No valid code found";
m_log.log(LogLevel.DEBUG, code_error_message);
return new InternalPluginException(code_error_message);
return code;
Server server = new Server(m_listen_port, requestHandler, Duration.ofSeconds(m_idc_response_timeout), m_log);
m_log.log(LogLevel.DEBUG, String.format("Listening for connection on port %d", m_listen_port));
openBrowser(state, codeChallenge, registerClientResult);
catch (URISyntaxException | IOException ex)
if (RedshiftLogger.isEnable())
throw ex;
Object result = requestHandler.getResult();
if (result instanceof InternalPluginException)
if (RedshiftLogger.isEnable())
m_log.logDebug("Error occurred while fetching authorization code: {0}", result);
throw (InternalPluginException) result;
if (result instanceof String)
m_log.log(LogLevel.DEBUG, "Got authorization code of length={0}", ((String) result).length());
return (String) result;
if (RedshiftLogger.isEnable())
m_log.logDebug("result: {0}", result);
throw new InternalPluginException("Error fetching authentication code from browser. Failed to login during timeout.");
* Creates and returns an access token for the authorized client within if successful before the timeout
* @param registerClientResult Contains the clientId and clientSecret
* @param authCode Authorization code returned from the IdC authorization server used to get the access token
* @param codeVerifier Randomly generated base64 encoded 60 byte string
* @return {@link CreateTokenResult} Create token result containing IdC token
* @throws IOException If an I/O error occurs while communicating with the IdC server or processing the response
protected CreateTokenResult fetchTokenResult(RegisterClientResult registerClientResult, String authCode, String codeVerifier) throws IOException {
long pollingEndTime = System.currentTimeMillis() + m_idc_response_timeout * MILLISECOND_MULTIPLIER;
// poll for create token with pollingIntervalInSec wait time between each attempt until pollingEndTime
while (System.currentTimeMillis() < pollingEndTime) {
try {
CreateTokenResult createTokenResult = getCreateTokenResult(registerClientResult.getClientId(), registerClientResult.getClientSecret(), authCode, AUTH_CODE_GRANT_TYPE, codeVerifier, m_redirect_uri);
if (RedshiftLogger.isEnable() && registerClientResult.getSdkHttpMetadata() != null)
m_log.logDebug("createToken response code: {0}", createTokenResult.getSdkHttpMetadata().getHttpStatusCode());
if (createTokenResult != null && createTokenResult.getAccessToken() != null) {
return createTokenResult;
} else {
// auth server sent a non exception response without valid token, so throw error
if (RedshiftLogger.isEnable())
m_log.logError("Failed to fetch an IdC access token");
throw new IOException("IdC authentication failed : The credential token couldn't be fetched.");
} catch (AuthorizationPendingException ex) {
if (RedshiftLogger.isEnable())
m_log.logDebug("Browser authorization pending from user");
} catch (SlowDownException ex) {
if (RedshiftLogger.isEnable())
m_log.log(LogLevel.ERROR, ex, "Error: Too frequent createToken requests made by client;");
throw new IOException("IdC authentication failed : Requests to the IdC service are too frequent.", ex);
} catch (AccessDeniedException ex) {
if (RedshiftLogger.isEnable())
m_log.log(LogLevel.ERROR, ex, "Error: Access denied, please ensure app assignment is done for the user;");
throw new IOException("IdC authentication failed : You don't have sufficient permission to perform the action. Please ensure app assignment is done for the user.", ex);
} catch (InternalServerException ex) {
if (RedshiftLogger.isEnable())
m_log.log(LogLevel.ERROR, ex, "Error: Server error in creating token;");
throw new IOException("IdC authentication failed : An error occurred during the request.", ex);
} catch (Exception ex) {
if (RedshiftLogger.isEnable())
m_log.log(LogLevel.ERROR, ex, "Error: Unexpected error in create token;");
throw new IOException("IdC createToken failed : There was an error during the request.", ex);
try {
Thread.sleep(pollingIntervalInSec * MILLISECOND_MULTIPLIER);
} catch (InterruptedException ex) {
if (RedshiftLogger.isEnable())
m_log.log(LogLevel.ERROR, ex, "Thread interrupted during sleep");
if (RedshiftLogger.isEnable())
m_log.logError("Error: Request timed out while waiting for user authentication in the browser");
throw new IOException("IdC authentication failed : The request timed out. Authentication wasn't completed.");
* Creates and returns an access token for the authorized client.
* The access token issued will be used by the Redshift server to authorize the user.
* @param clientId The unique identifier string for each client
* @param clientSecret A secret string generated for the client
* @param authCode Authorization code used to get the access token
* @param grantType Supports grant types for the authorization code request
* @param codeVerifier Used for PKCE flow
* @param redirectUri Used to verify that the redirectUri is the same
* @return {@link CreateTokenResult} Create token result containing IdC token
protected CreateTokenResult getCreateTokenResult(String clientId, String clientSecret, String authCode, String grantType, String codeVerifier, String redirectUri) {
CreateTokenRequest createTokenRequest = new CreateTokenRequest();
return m_sdk_client.createToken(createTokenRequest);
* Takes a created token result as input and returns an object of type NativeTokenHolder that contains the access token and expiration
* @param createTokenResult Contains the access token, refresh token, and accces token expiry
* @return {@link NativeTokenHolder} This contains the retrieved access token and the expiration time of that token
* @throws IOException If an I/O error occurs while communicating with the IdC server or processing the response
protected NativeTokenHolder processCreateTokenResult(CreateTokenResult createTokenResult) throws IOException {
String idcToken = createTokenResult.getAccessToken();
if(StringUtils.isNullOrEmpty(idcToken)) {
throw new InternalPluginException("Returned access token is null or empty.");
if (createTokenResult.getExpiresIn() != null && createTokenResult.getExpiresIn() > 0) {
expiresInSecs = createTokenResult.getExpiresIn();
Date expiration = new Date(System.currentTimeMillis() + expiresInSecs * MILLISECOND_MULTIPLIER);
if (RedshiftLogger.isEnable())
m_log.logDebug("Access token expires at {0}", expiration);
return NativeTokenHolder.newInstance(idcToken, expiration);
* Opens the default browser with the authorization code request to IdC /authorize endpoint
* @param state A randomly generated string to protect against cross-site request forgery attacks
* @param codeChallenge String generated from applying a SHA256 hash to the code verifier
* @param registerClientResult Contains the clientId and clientSecret
* @throws IOException If an error occurs while opening the default browser or establishing a connection to the IdC /authorize endpoint
* @throws URISyntaxException If the URI used for the authorization code request is malformed or violates URI syntax rules
protected void openBrowser(String state, String codeChallenge, RegisterClientResult registerClientResult) throws URISyntaxException, IOException
String idc_host = createIdcHost(m_idc_region);
URIBuilder builder = new URIBuilder().setScheme(CURRENT_INTERACTION_PROTOCOL)
.addParameter(OAUTH_CLIENT_ID_PARAMETER_NAME, registerClientResult.getClientId())
.addParameter(OAUTH_REDIRECT_PARAMETER_NAME, m_redirect_uri)
URI authorizeRequestUrl;
authorizeRequestUrl =;
if (Desktop.isDesktopSupported() && Desktop.getDesktop().isSupported(Desktop.Action.BROWSE)) {
} else {
m_log.log(LogLevel.ERROR, "Unable to open the browser. Desktop environment is not supported");
String.format("Authorization code request URI: \n%s", authorizeRequestUrl.toString()));
private String createIdcHost(String idc_region) {
return OIDC_SUBDOMAIN + "." + m_idc_region + "." + AMAZON_COM_DOMAIN;
private byte[] sha256(byte[] input) {
try {
MessageDigest digest = MessageDigest.getInstance(SHA256_METHOD);
return digest.digest(input);
} catch (NoSuchAlgorithmException e) {
if (RedshiftLogger.isEnable())
m_log.log(LogLevel.ERROR, e, "Thread interrupted during sleep");
return null;
private boolean isCachedRegisterClientResultValid(RegisterClientResult cachedRegisterClientResult) {
if (cachedRegisterClientResult == null || cachedRegisterClientResult.getClientSecretExpiresAt() == null) {
return false;
return System.currentTimeMillis() < cachedRegisterClientResult.getClientSecretExpiresAt() * 1000;