dbeaver / dbeaver

Free universal database tool and SQL client
https://dbeaver.io
Apache License 2.0

AWS Redshift single sign-on to Azure Active Directory with jdbc. #16762

Closed dczarny closed 2 years ago

dczarny commented 2 years ago

System information:

Connection specification:

Describe the problem you're observing:

https://aws.amazon.com/blogs/big-data/integrate-amazon-redshift-native-idp-federation-with-microsoft-azure-ad-using-a-sql-client/

I followed this article to create a single sign-on from Azure Active Directory to my AWS Redshift instance. When using DBeaver to connect to the instance, I get the popup window that says "Thank you for using Amazon Redshift, you can close this window." Here is where the bug happens. If I do nothing, a second browser tab opens up and gives a generic error saying the page cannot be displayed. I have tested this same process in SQL Workbench/J according to the article, and did not experience this error. You then get this error in DBeaver:

JWT error: com.amazon.redshift.plugin.InternalPluginException: Fail to login during timeout. com.amazon.redshift.plugin.InternalPluginException: Fail to login during timeout. com.amazon.redshift.plugin.InternalPluginException: Fail to login during timeout. Fail to login during timeout. Fail to login during timeout.

Here is the weird thing: if you close the browser window right away after you get the thank-you message, you get connected to the Redshift instance without a problem.

Steps to reproduce, if exist:

Include any warning/errors/backtraces from the logs

Here is the section of the log when you close the browser tab and you can connect successfully:

Jun 08 09:55:06.396 DEBUG [53 Redshift JDBC driver connection thread] com.amazon.redshift.core.NativeAuthPluginHelper.getNativeAuthPluginCredentials: Calling provider.getCredentials()
Jun 08 09:55:06.396 INFO [53 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.JwtCredentialsProvider.getCredentials: JWT getCredentials NOT from cache
Jun 08 09:55:06.397 DEBUG [53 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.fetchAuthorizationToken: Listening for connection on port 7890
Jun 08 09:55:06.411 DEBUG [53 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.openBrowser: Authorization code request URI: https://login.microsoftonline.com/9999999-dad6-4a68-8c0d-9999999/oauth2/v2.0/authorize?scope=openid+api%3A%2F%2F53f89cb2-d00b-4b76-b18a-9999999%2Fjdbc_login&response_type=code&response_mode=form_post&client_id=9999999-1f3a-4b54-b453-9999999&redirect_uri=http%3A%2F%2Flocalhost%3A7890%2Fredshift%2F&state=wihyrzxeie
Jun 08 09:55:07.317 DEBUG [53 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.fetchAuthorizationToken: result: 0.ASkAwqoMp9baaEqMDXGOhKCcft6IycY6H1RLtFPDGXSrDRYpADc.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9Pkb-OTMckwQiTpHvDunbYZTibPH96cpeYSXR5M4QhZoMbJ3o- .... w4r0fLFABTID54h2OWTYTXPcTyMAQ
Jun 08 09:55:07.318 DEBUG [53 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.fetchAuthorizationToken: Got JWT assertion
Jun 08 09:55:07.319 DEBUG [53 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.createAuthorizationRequest: Request token URI:

Here is the section of the log, if you don't interrupt the process and you fail to connect:

Jun 08 09:54:47.546 DEBUG [50 Redshift JDBC driver connection thread] com.amazon.redshift.core.NativeAuthPluginHelper.getNativeAuthPluginCredentials: IDP Credential Provider com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider@7eda7aa7:com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider
Jun 08 09:54:47.546 DEBUG [50 Redshift JDBC driver connection thread] com.amazon.redshift.core.NativeAuthPluginHelper.getNativeAuthPluginCredentials: Calling provider.getCredentials()
Jun 08 09:54:47.546 INFO [50 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.JwtCredentialsProvider.getCredentials: JWT getCredentials NOT from cache
Jun 08 09:54:47.547 DEBUG [50 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.fetchAuthorizationToken: Listening for connection on port 7890
Jun 08 09:54:47.562 DEBUG [50 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.openBrowser: Authorization code request URI: https://login.microsoftonline.com/9999999-dad6-4a68-8c0d-9999999/oauth2/v2.0/authorize?scope=openid+api%3A%2F%29999999-d00b-4b76-b18a-9999999%2Fjdbc_login&response_type=code&response_mode=form_post&client_id=c6c988de-1f3a-4b54-b453-c31974ab0d16&redirect_uri=http%3A%2F%2Flocalhost%3A7890%2Fredshift%2F&state=cnwbpancer
Jun 08 09:54:47.611 DEBUG [50 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.fetchAuthorizationToken: result: null
Jun 08 09:54:47.612 ERROR [50 Redshift JDBC driver connection thread] com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.getJwtAssertion: com.amazon.redshift.plugin.InternalPluginException: Fail to login during timeout.
    at com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.fetchAuthorizationToken(BrowserAzureOAuth2CredentialsProvider.java:339)
    at com.amazon.redshift.plugin.BrowserAzureOAuth2CredentialsProvider.getJwtAssertion(BrowserAzureOAuth2CredentialsProvider.java:186)
    at com.amazon.redshift.plugin.JwtCredentialsProvider.refresh(JwtCredentialsProvider.java:183)
    at com.amazon.redshift.plugin.JwtCredentialsProvider.getCredentials(JwtCredentialsProvider.java:143)
    at com.amazon.redshift.core.NativeAuthPluginHelper.getNativeAuthPluginCredentials(NativeAuthPluginHelper.java:142)
    at com.amazon.redshift.core.NativeAuthPluginHelper.setNativeAuthPluginProperties(NativeAuthPluginHelper.java:53)
    at com.amazon.redshift.jdbc.RedshiftConnectionImpl.(RedshiftConnectionImpl.java:304)
    at com.amazon.redshift.Driver.makeConnection(Driver.java:499)
    at com.amazon.redshift.Driver.access$100(Driver.java:65)
    at com.amazon.redshift.Driver$ConnectThread.run(Driver.java:408)
    at java.base/java.lang.Thread.run(Unknown Source)
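The logs above show the loopback flow behind this login: the driver listens on localhost:7890, sends the browser to the authorize URL with a `state` value, and Azure AD posts the authorization code back to /redshift/ (response_mode=form_post); in the failing run the listener reports `result: null` well under a second after it started listening. The following is an added example, not the issue author's or the Redshift JDBC driver's code, of a hardened loopback receiver for that exchange: it binds to 127.0.0.1 only, accepts a code only when the posted `state` matches the one it issued, answers stray requests (another tab, a favicon fetch) without ending the wait, and returns None only on a real timeout. Class, function and constant names are assumptions; `send_callback` simulates the IdP's form_post so the example runs offline.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Hypothetical loopback receiver modelled on the redirect URI in the log
# (http://localhost:7890/redshift/, response_mode=form_post); example code,
# not the Redshift JDBC driver's own implementation.
CALLBACK_PATH = "/redshift/"
THANK_YOU = b"Thank you for using Amazon Redshift, you can close this window."


class LoopbackReceiver:
    """Single-shot OAuth2 authorization-code receiver bound to 127.0.0.1 only."""
    def __init__(self, port=7890):
        self.state = secrets.token_urlsafe(16)  # goes into the authorize URL
        self.code, self._done, receiver = None, threading.Event(), self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):  # stray tabs, favicons, prefetches: not a result
                self.send_error(404)

            def do_POST(self):
                length = int(self.headers.get("Content-Length", 0))
                form = parse_qs(self.rfile.read(length).decode())
                code = form.get("code", [None])[0]
                # only a form_post on the expected path with a code and our state counts
                if self.path != CALLBACK_PATH or code is None \
                        or form.get("state", [None])[0] != receiver.state:
                    self.send_error(400)  # rejected, but keep waiting
                    return
                receiver.code = code
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(THANK_YOU)
                receiver._done.set()

        self.server = HTTPServer(("127.0.0.1", port), Handler)
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def wait_for_code(self, timeout):
        """Return the authorization code, or None only after a real timeout."""
        got = self._done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        return self.code if got else None


def send_callback(port, fields):
    """Simulate the IdP's form_post to the receiver; returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", CALLBACK_PATH, body=urlencode(fields), headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    return resp.status, resp.read()
```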

emironovDB commented 2 years ago

Hello, @dczarny ! Thanks for your request.

We already support SSO in our PRO-version app, I mean the Ultimate Edition and other paid products. For more information about it, you can visit this page with a comparison of DBeaver products. We are going to add integration with Azure Active Directory to these paid products too.

We do not plan to add this functionality to Community Edition.

dczarny commented 2 years ago

Thank you. I was just following the AWS documentation and didn't see that. I appreciate the response.

Thank you, Derek Czarny
