Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bring back "Bring-your-own-credentials" for OAuth2 authorization schemes #52084

Open
strunov opened this issue Jan 22, 2025 · 9 comments
Open

Bring back "Bring-your-own-credentials" for OAuth2 authorization schemes #52084

strunov opened this issue Jan 22, 2025 · 9 comments
Labels
area/oauth autoteam community team/use

Comments

@strunov
Copy link

strunov commented Jan 22, 2025

Topic

OAuth2 data sources

Relevant information

As of AirByte 1.4, it appears that all data sources that could be authorized using OAuth2, no longer allow you to manually enter an access_token/refresh_token.

Instead, they must be procured through the regular user OAuth2 flow.

Whilst this functionality is convenient for less technical users, and maintains the data source setup within the AirByte context, it is intrusive in other ways...

  1. it requires the AirByte instance to have a publicly accessible endpoint (/auth_flow).
  2. Some OAuth2 providers only allow one redirect (snapchat) and it cannot be changed without destroying the app and invalidating existing credentials (snapchat also)

It really makes no sense that we can no longer manually enter our access/refresh tokens which we've obtained by whichever workflows we already had...

Kindly consider.
@marcosmarxm
Copy link
Member

Issue reported in Community Slack

@marcosmarxm
Copy link
Member

@strunov, thank you for bringing the issue to our attention. The team is currently reviewing it and will get back to you with a proposal for a solution.

@natikgadzhi
Copy link
Contributor

@bazarnov @bnchrch I think we're working on docs for how to do OAuth2 for connectors this week, and if anything, we've expanded the flexibility of it, and you can still bring your own client_id, client_secret, and tokens?

@natikgadzhi
Copy link
Contributor

@strunov so a perfect solution would be to be able to choose between either providing the tokens directly, or providing client_id and secret, and going through the OAuth flow?

@strunov
Copy link
Author

strunov commented Jan 23, 2025

@strunov so a perfect solution would be to be able to choose between either providing the tokens directly, or providing client_id and secret, and going through the OAuth flow?

Yes, but just to clarify - in many cases one would require client_id & client_secret even with a refresh_token (as the token has to be exchanged for an access token, which is short lived)

Otherwise, yes, I think having both options is preferable

@bazarnov
Copy link
Collaborator

@natikgadzhi I believe there was a reason for not providing the access token option authentication, based on this PR manifest-only migration: #48375 cc @maxi297 Could you please share your thoughts about missing access token authentication for the source-snapchat-marketing?

Generally speaking, I agree that the best approach is to have Airbyte-Own OAuth Apps alongside the ability to switch to the Use my credentials toggle manually.

The current behavior for FE / UI is:

  • we now don't show these fields for the connectors that we cover by Airbyte-Own OAuth Apps because of the instance-wide credentials we have Airbyte-wide for this source, removing them will automatically reveal the missing fields providing the ability to use your own credentials. So we need a toggle-switch to control this, or maybe a FF to enable/disable the ability to provide your own credentials. cc @natikgadzhi @bnchrch @lmossman @chandlerprall

@bazarnov
Copy link
Collaborator

More information here in the Slack thread: https://airbytehq-team.slack.com/archives/C085DB1V57S/p1737583509789109

@chandlerprall
Copy link
Contributor

chandlerprall commented Jan 23, 2025
edited
Loading

So we need a toggle-switch to control this, or maybe a FF to enable/disable the ability to provide your own credentials

A toggle switch makes sense at the first pass, but thinking through:

  • on page load/refresh, which side of the toggle the should be shown?
  • we added the boolean to indicate if airbyte has an oauth app for a connector
    • we could change that out for a string value of the client id
      • but we want that secret so the sha-256 form
      • except rainbow tables, and any other approach client-side - such as salt - would be visible locally
    • the backend could compare the client ids, however, so maybe update the boolean to hold a trinary value: null (no airbyte creds), using airbyte creds, using user creds

@chandlerprall
Copy link
Contributor

it is intrusive in other ways...

it requires the AirByte instance to have a publicly accessible endpoint (/auth_flow).

This isn't blocking, as the redirect is done by the browser which can resolve the endpoint locally, over vpn, etc

The second point is very, very true; as is the fact that the UI now disagrees/competes with any existing configuration

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/oauth autoteam community team/use
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@natikgadzhi @chandlerprall @marcosmarxm @bazarnov @octavia-squidington-iii @strunov