From 8e3a86542a805b210113d0aacf2f98d5e1731899 Mon Sep 17 00:00:00 2001
From: David Kegley
Date: Tue, 27 Feb 2024 12:04:34 -0500
Subject: [PATCH] Use user-session-token instead of content-identity-token
---
 examples/connect/databricks/sample-content.py | 8 ++++----
 src/posit/connect/external/databricks.py | 18 +++++++++---------
 src/posit/connect/oauth.py | 8 ++++----
 src/posit/connect/oauth_test.py | 2 +-
 4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/examples/connect/databricks/sample-content.py b/examples/connect/databricks/sample-content.py
index 1a440dcb..3620bbc7 100644
--- a/examples/connect/databricks/sample-content.py
+++ b/examples/connect/databricks/sample-content.py
@@ -18,14 +18,14 @@ DB_HOST_URL = f"https://{DB_HOST}"
 SQL_HTTP_PATH=os.getenv("SQL_HTTP_PATH")
-USER_IDENTITY = None
+USER_SESSION_TOKEN = None
-# Read the viewer's individual content identity token from the streamlit ws header.
+# Read the viewer's user session token from the streamlit ws header.
 headers = _get_websocket_headers()
 if headers:
- USER_IDENTITY = headers.get('Posit-Connect-User-Identity')
+ USER_SESSION_TOKEN = headers.get('Posit-Connect-User-Session')
-credentials_provider = viewer_credentials_provider(user_identity=USER_IDENTITY)
+credentials_provider = viewer_credentials_provider(user_session_token=USER_SESSION_TOKEN)
 cfg = Config(host=DB_HOST_URL, credentials_provider=credentials_provider) #cfg = Config(host=DB_HOST_URL, token=DB_PAT)
diff --git a/src/posit/connect/external/databricks.py b/src/posit/connect/external/databricks.py
index ab634fc6..cce1a81d 100644
--- a/src/posit/connect/external/databricks.py
+++ b/src/posit/connect/external/databricks.py
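Review bot: The rewritten comment above `headers.get('Posit-Connect-User-Session')` says where the token is read from but not that the value is a credential. `viewer_credentials_provider` exchanges it for the viewer's access token, and this is example code that gets copied into real content. I would extend the comment with something like `# Treat this value as a secret: never log it, display it, or keep it beyond the request.` The header is presumably only trustworthy when Connect sets it in front of the app; if that holds, the comment should say so too.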
@@ -24,16 +24,16 @@ def __call__(self, *args, **kwargs) -> HeaderFactory:
 class PositOAuthIntegrationCredentialsProvider(CredentialsProvider):
- def __init__(self, posit_oauth: OAuthIntegration, user_identity: str):
+ def __init__(self, posit_oauth: OAuthIntegration, user_session_token: str):
 self.posit_oauth = posit_oauth
- self.user_identity = user_identity
+ self.user_session_token = user_session_token
 def auth_type(self) -> str: return "posit-oauth-integration"
 def __call__(self, *args, **kwargs) -> HeaderFactory:
 def inner() -> Dict[str, str]:
- access_token = self.posit_oauth.get_credentials(self.user_identity)['access_token']
+ access_token = self.posit_oauth.get_credentials(self.user_session_token)['access_token']
 return {"Authorization": f"Bearer {access_token}"}
 return inner
@@ -44,7 +44,7 @@ def is_local() -> bool: return not os.getenv("RSTUDIO_PRODUCT") == "CONNECT"
-def viewer_credentials_provider(client: Optional[Client] = None, user_identity: Optional[str] = None) -> Optional[CredentialsProvider]:
+def viewer_credentials_provider(client: Optional[Client] = None, user_session_token: Optional[str] = None) -> Optional[CredentialsProvider]:
 # If the content is not running on Connect then viewer auth should
 # fall back to the locally configured credentials hierarchy
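Review bot: In `inner()`, the new line `access_token = self.posit_oauth.get_credentials(self.user_session_token)['access_token']` indexes the exchange result without checking that the exchange succeeded. `get_credentials` in oauth.py builds `Credentials` straight from `response.json()`, and no status check is visible in this patch. A rejected or expired session token would therefore likely surface as a bare `KeyError` or `TypeError` from inside the header factory. Consider assigning `creds = self.posit_oauth.get_credentials(self.user_session_token)` first, then raising a descriptive error that does not echo the token when `access_token` is missing. The class body is only partly inside this hunk.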
@@ -54,12 +54,12 @@ def viewer_credentials_provider(client: Optional[Client] = None, user_identity:
 if client is None: client = Client()
- # If the user-identity-token wasn't provided and we're running on Connect then we raise an exception.
- # user_identity is required to impersonate the viewer.
- if user_identity is None:
- raise ValueError("The user-identity-token is required for viewer authentication.")
+ # If the user-session-token wasn't provided and we're running on Connect then we raise an exception.
+ # user_session_token is required to impersonate the viewer.
+ if user_session_token is None:
+ raise ValueError("The user-session-token is required for viewer authentication.")
- return PositOAuthIntegrationCredentialsProvider(client.oauth, user_identity)
+ return PositOAuthIntegrationCredentialsProvider(client.oauth, user_session_token)
 def service_account_credentials_provider(client: Optional[Client] = None):
diff --git a/src/posit/connect/oauth.py b/src/posit/connect/oauth.py
index f6ddfc54..9fecdb40 100644
--- a/src/posit/connect/oauth.py
+++ b/src/posit/connect/oauth.py
@@ -23,7 +23,7 @@ def __init__(
 self.session = session
- def get_credentials(self, user_identity: Optional[str]=None) -> Credentials:
+ def get_credentials(self, user_session_token: Optional[str]=None) -> Credentials:
 # craft a basic credential exchange request where the self.config.api_key owner
 # is requesting their own credentials
@@ -34,9 +34,9 @@ def get_credentials(self, user_identity: Optional[str]=None) -> Credentials:
 # if this content is running on Connect, then it is allowed to request
 # the content viewer's credentials
- if user_identity:
- data["subject_token_type"] = "urn:posit:connect:user-identity-token"
- data["subject_token"] = user_identity
+ if user_session_token:
+ data["subject_token_type"] = "urn:posit:connect:user-session-token"
+ data["subject_token"] = user_session_token
 response = self.session.post(self.url, data=data)
 return Credentials(**response.json())
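Review bot: The guard `if user_session_token is None:` lets an empty string through, while `OAuthIntegration.get_credentials` (the `@@ -34,9` hunk in oauth.py) tests `if user_session_token:`, so an empty token silently drops `subject_token` from the exchange. Per the comment in that function, the request is then for the API key owner's own credentials. A viewer whose `Posit-Connect-User-Session` header is present but empty would be served under the owner's identity instead of being rejected. Changing the guard here to `if not user_session_token:` closes that path, and `get_credentials` can keep its truthiness test for callers that deliberately pass no token. Both functions extend beyond the hunks shown.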
diff --git a/src/posit/connect/oauth_test.py b/src/posit/connect/oauth_test.py
index ca721351..f81389b3 100644
--- a/src/posit/connect/oauth_test.py
+++ b/src/posit/connect/oauth_test.py
@@ -12,7 +12,7 @@ def test_get_credentials(self):
 responses.matchers.urlencoded_params_matcher(
 {
 "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
- "subject_token_type": "urn:posit:connect:user-identity-token",
+ "subject_token_type": "urn:posit:connect:user-session-token",
 "subject_token": "cit",
 }
 )