Adds an OAuthIntegration

[dbkegley]

Adds a client.oauth resource for interacting the the v1/oauth/integrations/credentials endpoint to perform a token exchange with Connect.

[github-actions]

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines	Covered	Coverage	Threshold	Status
544	508	93%	80%	🟢

New Files

File	Coverage	Status
src/posit/connect/external/init.py	100%	🟢
src/posit/connect/external/databricks.py	0%	🟢
src/posit/connect/external/databricks_test.py	100%	🟢
src/posit/connect/oauth.py	100%	🟢
src/posit/connect/oauth_test.py	100%	🟢
TOTAL	80%	🟢

Modified Files

File	Coverage	Status
src/posit/connect/client.py	100%	🟢
src/posit/connect/client_test.py	100%	🟢
TOTAL	100%	🟢

updated for commit: ec35b17 by action🐍

[nealrichardson]

A few notes. LMK if you want to talk through using responses to set up some tests that stub out the server side.

[nealrichardson]

AFAICT there's nothing in OAuthIntegration that needs to be cached, so we just need to be able to access it here, as we do (now) for Users below.

Suggested change

	if self._oauth is None:
	self._oauth = OAuthIntegration(config=self.config, session=self.session)
	return self._oauth
	return OAuthIntegration(config=self.config, session=self.session)

[nealrichardson]

Does this need to return Response or can it return the response body or something? I don't see this being used anywhere yet, so I can't tell.

I think we're trying to avoid having the request/response details leaking outside of the get/put/post/etc. methods.

[zackverham]

for reference, here's the place it gets used:

posit-sdk-py/src/posit/connect/external/databricks.py

Line 35 in ad3dba8

access_token = self.posit_oauth.get_credentials(self.user_identity).json()['access_token']

So we could definitely make the return type more specific and not expose the response object.

[nealrichardson]

Ah sorry, I was using github's symbol lookup and it didn't find it, should have stuck with good ol' cmd-F.

Yeah in that case, I'd have this method return response.json()

[tdstein]

A defined type would be even better so that the consumer gets type hints.

@dataclass
class OAuthResponse:
    access_token: str

[atheriel]

With the expectation that this endpoint might eventually return something other than an access_token, I like the idea of returning a defined type.

[nealrichardson]

😭 it's 2024, we should start setting POSIT_PRODUCT in the env too, yeah?

[atheriel]

Can we use the presence of CONNECT_SERVER instead and sidestep branding issues?

[tdstein]

Should these abstract method's raise NotImplementedError()?

[dbkegley]

These are directly copied from the databricks client(s) so it's unclear if they are intentionally not raising an error

https://github.com/databricks/databricks-sdk-py/blob/525576073da90de0b98ff652ad5b6f2d2bb77871/databricks/sdk/credentials_provider.py#L30-L40
https://github.com/databricks/databricks-sql-python/blob/50489346440cdf9e547b597254643ee4ceb28c19/src/databricks/sql/auth/authenticators.py#L22-L33

[tdstein]

It looks like this is only being used src/posit/connect/external/databricks.py.

Should it be moved there?

This could also go in Config if there is reuse. But I'd rename it to something like run_mode, runtime_environment, etc.

[dbkegley]

Currently yes it's only used by the databricks module. I could see this being useful elsewhere though. No preference from me on where this lives

[tdstein]

👍🏻 Place it where it's used for now.

[tdstein]

What does usage of this file look like? I think the implementation can be reduced, but I'm not convinced since it seems dependent on the consuming code.

[dbkegley]

Here's our example from last weeks demo.

posit-sdk-py/connect-content/sample-content.py

Lines 27 to 30 in 62fcc8e

	with Client() as connect_client:
	credentials_provider = viewer_credentials_provider(
	connect_client.oauth, content_identity=CONTENT_IDENTITY)
	cfg = Config(host=DB_HOST_URL, credentials_provider=credentials_provider)

This usage has changed a little bit since then. In this PR we accept a client as an optional parameter so that the Content doesn't require a Connect server when running locally. The SDK client is initialized only when the content is running on Connect by default.

[tdstein]

Why not import https://github.com/databricks/databricks-sdk-py/blob/main/databricks/sdk/credentials_provider.py#L30 directly?

[dbkegley]

I wanted to avoid adding their SDK as a dependency. I'll test and see if we can remove this abstract definition altogether.

[tdstein]

Got it. See if you can utilize optional dependencies: https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#dependencies-optional-dependencies

[dbkegley]

Let's leave this for now. I think we will have a similar problem for our content types. It would be nice to provide helpers for each framework when obtaining the identity token from the headers but it will vary by content type.

[tdstein]

Is the value of user_identity ever something other than headers.get('Posit-Connect-Content-Identity')?

[dbkegley]

The value is always contained in a header called Posit-Connect-Content-Identity. But the method for obtaining the header value varies by content type:

https://docs.posit.co/connect/user/shiny/#user-meta-data
https://docs.posit.co/connect/user/flask/#user-meta-data

[nealrichardson]

I don't think CONNECT_SERVER is right here: that's what we recommend folks set locally in all of our API examples (e.g. https://docs.posit.co/connect/cookbook/).

I'd rather use the accurate variable even if it says RSTUDIO; we can fix that on the server going forward and (eventually) purge it here.