Use user-session-token instead of content-identity-token

examples/connect/databricks/sample-content.py

@@ -18,14 +18,14 @@
 DB_HOST_URL = f"https://{DB_HOST}"
 SQL_HTTP_PATH=os.getenv("SQL_HTTP_PATH")
 
-USER_IDENTITY = None
+USER_SESSION_TOKEN = None
 
-# Read the viewer's individual content identity token from the streamlit ws header.
+# Read the viewer's user session token from the streamlit ws header.
 headers = _get_websocket_headers()
 if headers:
-    USER_IDENTITY = headers.get('Posit-Connect-User-Identity')
+    USER_SESSION_TOKEN = headers.get('Posit-Connect-User-Session')
 
-credentials_provider = viewer_credentials_provider(user_identity=USER_IDENTITY)
+credentials_provider = viewer_credentials_provider(user_session_token=USER_SESSION_TOKEN)
 cfg = Config(host=DB_HOST_URL, credentials_provider=credentials_provider)
 #cfg = Config(host=DB_HOST_URL, token=DB_PAT)
 

src/posit/connect/external/databricks.py

@@ -24,16 +24,16 @@ def __call__(self, *args, **kwargs) -> HeaderFactory:
 
 
 class PositOAuthIntegrationCredentialsProvider(CredentialsProvider):
-    def __init__(self, posit_oauth: OAuthIntegration, user_identity: str):
+    def __init__(self, posit_oauth: OAuthIntegration, user_session_token: str):
         self.posit_oauth = posit_oauth
-        self.user_identity = user_identity
+        self.user_session_token = user_session_token
 
     def auth_type(self) -> str:
         return "posit-oauth-integration"
 
     def __call__(self, *args, **kwargs) -> HeaderFactory:
         def inner() -> Dict[str, str]:
-            access_token = self.posit_oauth.get_credentials(self.user_identity)['access_token']
+            access_token = self.posit_oauth.get_credentials(self.user_session_token)['access_token']
             return {"Authorization": f"Bearer {access_token}"}
         return inner
 
@@ -44,7 +44,7 @@ def is_local() -> bool:
     return not os.getenv("RSTUDIO_PRODUCT") == "CONNECT"
 
 
-def viewer_credentials_provider(client: Optional[Client] = None, user_identity: Optional[str] = None) -> Optional[CredentialsProvider]:
+def viewer_credentials_provider(client: Optional[Client] = None, user_session_token: Optional[str] = None) -> Optional[CredentialsProvider]:
 
     # If the content is not running on Connect then viewer auth should
     # fall back to the locally configured credentials hierarchy
@@ -55,11 +55,11 @@ def viewer_credentials_provider(client: Optional[Client] = None, user_identity:
         client = Client()
 
     # If the user-identity-token wasn't provided and we're running on Connect then we raise an exception.
-    # user_identity is required to impersonate the viewer.
-    if user_identity is None:
-        raise ValueError("The user-identity-token is required for viewer authentication.")
+    # user_session_token is required to impersonate the viewer.
+    if user_session_token is None:
+        raise ValueError("The user-session-token is required for viewer authentication.")
 
-    return PositOAuthIntegrationCredentialsProvider(client.oauth, user_identity)
+    return PositOAuthIntegrationCredentialsProvider(client.oauth, user_session_token)
 
 
 def service_account_credentials_provider(client: Optional[Client] = None):

src/posit/connect/oauth.py

@@ -23,7 +23,7 @@ def __init__(
         self.session = session
 
 
-    def get_credentials(self, user_identity: Optional[str]=None) -> Credentials:
+    def get_credentials(self, user_session_token: Optional[str]=None) -> Credentials:
 
         # craft a basic credential exchange request where the self.config.api_key owner
         # is requesting their own credentials
@@ -34,9 +34,9 @@ def get_credentials(self, user_identity: Optional[str]=None) -> Credentials:
 
         # if this content is running on Connect, then it is allowed to request
         # the content viewer's credentials
-        if user_identity:
-            data["subject_token_type"] = "urn:posit:connect:user-identity-token"
-            data["subject_token"] = user_identity
+        if user_session_token:
+            data["subject_token_type"] = "urn:posit:connect:user-session-token"
+            data["subject_token"] = user_session_token
 
         response = self.session.post(self.url, data=data)
         return Credentials(**response.json())