Open sugibuchi opened 2 weeks ago
As far as I understand even if the token is refreshed any already running queries would still fail? If so we should make it clear once we add the functionality you propose.
Also since you seem to have an idea of how to implement this already would you like to send a PR? The proposal looks good so far.
And also once we have this implemented we can think of changing https://github.com/trinodb/trino-python-client/pull/462 to align with whatever "interface" we come up with for this issue.
I just noticed I forgot to tag you @sugibuchi. Wanted to check if you're still willing to send a PR for this since it seems you have some ideas already.
@hashhar
Thank you very much for your comment.
I checked the source code of the Trino server. JWT tokens received by the Trino server are parsed and verified (including an expiration check) in JwtAuthenticator
. However, claims in the parsed JWT tokens, including expiration time, are not exposed outside JwtAuthenticator
except for user identities.
Therefore,
As far as I understand even if the token is refreshed any already running queries would still fail?
This cannot happen as the expiration time written in JWT tokens is not used after the authentication in JwtAuthenticator
. Already running queries are supposed to continue after the token expires.
Also since you seem to have an idea of how to implement this already would you like to send a PR?
Yes. I can prepare a PR for this change.
Describe the feature
Extend
JWTAuthentication
to support both static JWT tokens and JWT tokens dynamically produced by given Callable objects.This extension aims to refresh JWT tokens in
JWTAuthentication
.Context
We are currently trying to use JWT access tokens issued by Azure Entra ID (aka. Azure Active Directory) to authenticate clients (more precisely, DBT workflows running in Azure) accessing our Trino.
Retrieving access tokens from Entra ID is a straightforward process. We can accomplish this by using the
TokenCredential
implementations provided by theazure-identity
package. For instance,A problem here is that there is no way to refresh tokens set to
JWTAuthentication
as the current version ofJWTAuthentication
accepts only a static token, and sets the token torequests.Session
objects as a static auth header value.For example, JWT tokens issued by Entra ID usually expire within 1 hour or less. Therefore, an application using
JWTAuthentication
will fail at a certain moment due to the expiration of access tokens unless the application frequently recreates theJWTAuthentication
instance with a new token.Proposal
Extend
JWTAuthentication
to accept both a static JWT token and aCallable
object as the init argument.https://github.com/trinodb/trino-python-client/blob/0.328.0/trino/auth.py#L146-L153
We also need to extend
_BearerAuth
. https://github.com/trinodb/trino-python-client/blob/0.328.0/trino/auth.py#L142With this extension, we can rewrite the sample code above as follows:
This code won't fail as the
credential
(DefaultAzureCredential
) will automatically cache and refresh access tokens.Describe alternatives you've considered
We have implemented a custom
JWTAuthentication
with this extension by ourselves. However, JWT token refresh is a common concern that can appear in various use case scenarios. It would be nice to have this extension as a part of the Trino Python client.Are you willing to submit PR?