Skip to content

Add OAuth 2.0 access-token authentication for on-premises NoSQL#216

Open
rajdeep714 wants to merge 6 commits into
mainfrom
feature/OAuth
Open

Add OAuth 2.0 access-token authentication for on-premises NoSQL#216
rajdeep714 wants to merge 6 commits into
mainfrom
feature/OAuth

Conversation

@rajdeep714

Copy link
Copy Markdown
Member
  • Add OAuthAccessTokenProvider for exchanging an OCI IAM OAuth access token
    for a NoSQL login token through the HTTP proxy.
  • Let applications supply and refresh access tokens through
    getAccessTokenInfo().
  • Bind the handle to the KV-authenticated principal and reject login responses
    that omit the principal or switch identity without logout.
  • Automatically refresh before the earlier of the OAuth access-token expiry
    and NoSQL login-token expiry.
  • Retry a request once after an OAuth authentication failure and perform
    best-effort session cleanup when the provider closes.
  • Configure the provider from NoSQLHandleConfig and preserve existing
    on-premises request-size and rate-limiting behavior.

Reviewed by: Ashutosh, Xiao, Yang

Tests:

  • mvn -pl driver -Ptest-local
    -Dtest=OAuthAccessTokenProviderTest,AuthRetryTest test
  • 11 tests passed.

Dependencies:

  • Requires the corresponding HTTP proxy OAuth endpoints and KV OAuth support.

Files (Added / Modified / Deleted):

M driver/pom.xml

  • Adds OAuthAccessTokenProviderTest to the local driver test profile.

M driver/src/main/java/oracle/nosql/driver/http/Client.java

  • Treats OAuthAccessTokenProvider as an on-premises provider for rate limiting
    and request-size enforcement. Flushes its cached login token and retries once
    after AuthenticationException, while preventing repeated retries.

M driver/src/main/java/oracle/nosql/driver/http/NoSQLHandleImpl.java

  • Initializes OAuthAccessTokenProvider with the handle logger, normalized proxy
    endpoint, SSL context, and handshake timeout. Reuses the endpoint preparation
    logic with StoreAccessTokenProvider.

A driver/src/main/java/oracle/nosql/driver/kv/OAuthAccessTokenProvider.java

  • Implements the OAuth access-token callback and HTTPS login exchange. Caches
    the returned NoSQL login token and authenticated principal, refreshes before
    the earlier token expiry, rejects principal changes, and performs best-effort
    cleanup of rejected or closed sessions.

M driver/src/test/java/oracle/nosql/driver/iam/AuthRetryTest.java

  • Verifies that OAuth authentication failures cause one cache flush and one
    retry, with the second failure returned immediately.

A driver/src/test/java/oracle/nosql/driver/kv/OAuthAccessTokenProviderTest.java

  • Covers login, request timeout propagation, automatic refresh, disabled
    renewal, login-token expiry, refresh failure, cache invalidation, principal
    validation, identity changes, missing principals, and logout on close.

Schedule reauthentication using the earlier of the OAuth access-token expiry and the NoSQL login-token expiry returned by the proxy. Preserve the current login session when proactive refresh fails and use the request timeout for request-driven login.

Add regression coverage for shorter KV sessions, failed refresh callbacks, and OAuth login timeouts.
@rajdeep714 rajdeep714 requested review from xiaoy-nosql and yfei-a July 9, 2026 11:21
@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant