Merge pull request #1228 from tableau/jkoskela/oauth-updates-3.24

Update OAuth examples

samples/components/oauth/athena.okta.xml

@@ -1,7 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <pluginOAuthConfig>
   <dbclass>athena</dbclass>
+  <!-- For external configs, prefix with "custom_".  -->
+  <!-- For configs embedded in the connector package, don't prefix with "custom_".  -->
   <oauthConfigId>custom_athena_okta</oauthConfigId>
+  <!-- Config label added in 2023.2. Avoid if backwards compatibility is needed. -->
+  <configLabel>Okta</configLabel>
   <clientIdDesktop>$clientID</clientIdDesktop>
   <clientSecretDesktop>$clientSecret</clientSecretDesktop>
   <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
@@ -33,7 +37,7 @@
     </entry>
     <entry>
       <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
-      <value>true</value>
+      <value>false</value>
     </entry>
     <entry>
       <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>

samples/components/oauth/redshift.azure.iam-idc.xml

@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="utf-8"?>
+<pluginOAuthConfig>
+  <dbclass>redshift</dbclass>
+  <!-- For configs embedded in the connector package, don't prefix with "custom_". For external configs, always prefix with "custom_". -->
+  <oauthConfigId>custom_redshift_azure_iam_idc</oauthConfigId>
+  <clientIdDesktop>${clientID}</clientIdDesktop>
+  <clientSecretDesktop>${clientSecret}</clientSecretDesktop>
+  <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
+  <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
+  <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
+  <redirectUrisDesktop>http://localhost:55559/Callback</redirectUrisDesktop>
+  <!-- For multitenant apps use the common endpoint, for single tenant apps use the directory specific endpoint. -->
+  <authUri>https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize</authUri>
+  <tokenUri>https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token</tokenUri>
+  <scopes>openid</scopes>
+  <scopes>offline_access</scopes>
+  <scopes>email</scopes>
+  <!-- An example with a custom API, which was required at the time of writing for integration with AWS IAM IDC. -->
+  <scopes>api://${customAPI}/Redshift</scopes>
+  <capabilities>
+    <entry>
+      <key>OAUTH_CAP_REQUIRES_PROMPT_SELECT_ACCOUNT</key>
+      <value>true</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_REQUIRE_PKCE</key>
+      <value>true</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_PKCE_REQUIRES_CODE_CHALLENGE_METHOD</key>
+      <value>true</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_SUPPORTS_STATE</key>
+      <value>true</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
+      <value>false</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
+      <value>true</value>
+    </entry>
+    <!-- Depending on the Azure application, dynamic ports may not be allowed. Enable this if not allowed. -->
+    <entry>
+      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
+      <value>true</value>
+    </entry>
+  </capabilities>
+  <accessTokenResponseMaps>
+    <entry>
+      <key>ACCESSTOKEN</key>
+      <value>access_token</value>
+    </entry>
+    <entry>
+      <key>REFRESHTOKEN</key>
+      <value>refresh_token</value>
+    </entry>
+    <entry>
+      <key>access-token-issue-time</key>
+      <value>issued_at</value>
+    </entry>
+    <entry>
+      <key>id-token</key>
+      <value>id_token</value>
+    </entry>
+    <entry>
+      <key>username</key>
+      <value>email</value>
+    </entry>
+    <entry>
+      <key>access-token-expires-in</key>
+      <value>expires_in</value>
+    </entry>
+  </accessTokenResponseMaps>
+ </pluginOAuthConfig>

samples/components/oauth/redshift.azure.xml

@@ -1,20 +1,25 @@
 <?xml version="1.0" encoding="utf-8"?>
 <pluginOAuthConfig>
   <dbclass>redshift</dbclass>
+  <!-- For external configs, prefix with "custom_".  -->
+  <!-- For configs embedded in the connector package, don't prefix with "custom_".  -->
   <oauthConfigId>custom_redshift_azure</oauthConfigId>
+  <!-- Config label added in 2023.2. Avoid if backwards compatibility is needed. -->
+  <configLabel>Azure</configLabel>
   <clientIdDesktop>$clientID</clientIdDesktop>
   <clientSecretDesktop>$clientSecret</clientSecretDesktop>
   <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
   <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
   <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
   <redirectUrisDesktop>http://localhost:55559/Callback</redirectUrisDesktop>
-  <authUri>https://${msUrlBegin}/oauth2/v2.0/authorize</authUri>
-  <tokenUri>https://${msUrlBegin}/oauth2/v2.0/token</tokenUri>
+  <!-- For multitenant apps use the common endpoint, for single tenant apps use the directory specific endpoint. -->
+  <authUri>https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize</authUri>
+  <tokenUri>https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token</tokenUri>
   <scopes>openid</scopes>
   <scopes>email</scopes>
+  <!-- profile scope needed for preferred_username -->
   <scopes>profile</scopes>
   <scopes>offline_access</scopes>
-  <scopes></scopes>
   <capabilities>
     <entry>
       <key>OAUTH_CAP_REQUIRES_PROMPT_SELECT_ACCOUNT</key>
@@ -40,6 +45,11 @@
       <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
       <value>true</value>
     </entry>
+    <!-- Depending on the Azure application, dynamic ports may not be allowed. Enable this if not allowed. -->
+    <entry>
+      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
+      <value>false</value>
+    </entry>
   </capabilities>
   <accessTokenResponseMaps>
     <entry>
@@ -62,6 +72,8 @@
       <key>id-token</key>
       <value>id_token</value>
     </entry>
+    <!-- preferred_username only available in Azure v2 tokens. If using v1 tokens use email instead.  -->
+    <!-- https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims -->
     <entry>
       <key>username</key>
       <value>preferred_username</value>