From 6a9f145f03bf56870355b13c5d9e379099254a89 Mon Sep 17 00:00:00 2001
From: Jade Koskela <jkoskeladev@gmail.com>
Date: Tue, 26 Mar 2024 11:34:25 -0700
Subject: [PATCH 1/5] Update OAuth examples

---
 samples/components/oauth/athena.okta.xml      |  8 +-
 .../oauth/redshift.azure.iam-idc.xml          | 73 +++++++++++++++++++
 samples/components/oauth/redshift.azure.xml   | 24 +++---
 3 files changed, 93 insertions(+), 12 deletions(-)
 create mode 100644 samples/components/oauth/redshift.azure.iam-idc.xml

diff --git a/samples/components/oauth/athena.okta.xml b/samples/components/oauth/athena.okta.xml
index 4aa7244a..e562d614 100644
--- a/samples/components/oauth/athena.okta.xml
+++ b/samples/components/oauth/athena.okta.xml
@@ -1,7 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <pluginOAuthConfig>
   <dbclass>athena</dbclass>
+  <!-- For external configs, prefix with "custom_".  -->
+  <!-- For configs embedded in the connector package, don't prefix with "custom_".  -->
   <oauthConfigId>custom_athena_okta</oauthConfigId>
+  <!-- Config label added in 2023.2. Avoid if backwards compatibility is needed. -->
+  <configLabel>Okta</configLabel>
   <clientIdDesktop>$clientID</clientIdDesktop>
   <clientSecretDesktop>$clientSecret</clientSecretDesktop>
   <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
@@ -33,7 +37,7 @@
     </entry>
     <entry>
       <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
-      <value>true</value>
+      <value>false</value>
     </entry>
     <entry>
       <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
@@ -63,7 +67,7 @@
     </entry>
     <entry>
       <key>username</key>
-      <value>preferred_username</value>
+      <value>email</value>
     </entry>
   </accessTokenResponseMaps>
 </pluginOAuthConfig>
\ No newline at end of file
diff --git a/samples/components/oauth/redshift.azure.iam-idc.xml b/samples/components/oauth/redshift.azure.iam-idc.xml
new file mode 100644
index 00000000..3cf36199
--- /dev/null
+++ b/samples/components/oauth/redshift.azure.iam-idc.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="utf-8"?>
+<pluginOAuthConfig>
+  <dbclass>redshift</dbclass>
+  <!-- For configs embedded in the connector package, don't prefix with "custom_". For external configs, always prefix with "custom_". -->
+  <oauthConfigId>custom_redshift_azure_iam_idc</oauthConfigId>
+  <clientIdDesktop>${clientID}</clientIdDesktop>
+  <clientSecretDesktop>${clientSecret}</clientSecretDesktop>
+  <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
+  <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
+  <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
+  <redirectUrisDesktop>http://localhost:55559/Callback</redirectUrisDesktop>
+  <!-- For multitenant apps use the common endpoint, for single tenant apps use the directory specific endpoint. -->
+  <authUri>https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize</authUri>
+  <tokenUri>https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token</tokenUri>
+  <scopes>openid</scopes>
+  <scopes>offline_access</scopes>
+  <scopes>email</scopes>
+  <!-- An example with a custom API, which was required at the time of writing for integration with AWS IAM IDC. -->
+  <scopes>api://${customAPI}/Redshift</scopes>
+  <capabilities>
+    <entry>
+      <key>OAUTH_CAP_REQUIRES_PROMPT_SELECT_ACCOUNT</key>
+      <value>true</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_REQUIRE_PKCE</key>
+      <value>true</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_PKCE_REQUIRES_CODE_CHALLENGE_METHOD</key>
+      <value>true</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_SUPPORTS_STATE</key>
+      <value>true</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
+      <value>true</value>
+    </entry>
+    <entry>
+      <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
+      <value>true</value>
+    </entry>
+    <!-- Depending on the Azure application, dynamic ports may not be allowed. Enable this if not allowed. -->
+    <entry>
+      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
+      <value>true</value>
+    </entry>
+  </capabilities>
+  <accessTokenResponseMaps>
+    <entry>
+      <key>ACCESSTOKEN</key>
+      <value>access_token</value>
+    </entry>
+    <entry>
+      <key>REFRESHTOKEN</key>
+      <value>refresh_token</value>
+    </entry>
+    <entry>
+      <key>id-token</key>
+      <value>id_token</value>
+    </entry>
+    <entry>
+      <key>username</key>
+      <value>email</value>
+    </entry>
+    <entry>
+      <key>access-token-expires-in</key>
+      <value>expires_in</value>
+    </entry>
+  </accessTokenResponseMaps>
+ </pluginOAuthConfig>
\ No newline at end of file
diff --git a/samples/components/oauth/redshift.azure.xml b/samples/components/oauth/redshift.azure.xml
index b66aed9c..b3a41bd4 100644
--- a/samples/components/oauth/redshift.azure.xml
+++ b/samples/components/oauth/redshift.azure.xml
@@ -1,20 +1,23 @@
 <?xml version="1.0" encoding="utf-8"?>
 <pluginOAuthConfig>
   <dbclass>redshift</dbclass>
+  <!-- For external configs, prefix with "custom_".  -->
+  <!-- For configs embedded in the connector package, don't prefix with "custom_".  -->
   <oauthConfigId>custom_redshift_azure</oauthConfigId>
+  <!-- Config label added in 2023.2. Avoid if backwards compatibility is needed. -->
+  <configLabel>Azure</configLabel>
   <clientIdDesktop>$clientID</clientIdDesktop>
   <clientSecretDesktop>$clientSecret</clientSecretDesktop>
   <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
   <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
   <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
   <redirectUrisDesktop>http://localhost:55559/Callback</redirectUrisDesktop>
-  <authUri>https://${msUrlBegin}/oauth2/v2.0/authorize</authUri>
-  <tokenUri>https://${msUrlBegin}/oauth2/v2.0/token</tokenUri>
+  <!-- For multitenant apps use the common endpoint, for single tenant apps use the directory specific endpoint. -->
+  <authUri>https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize</authUri>
+  <tokenUri>https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token</tokenUri>
   <scopes>openid</scopes>
   <scopes>email</scopes>
-  <scopes>profile</scopes>
   <scopes>offline_access</scopes>
-  <scopes></scopes>
   <capabilities>
     <entry>
       <key>OAUTH_CAP_REQUIRES_PROMPT_SELECT_ACCOUNT</key>
@@ -34,12 +37,17 @@
     </entry>
     <entry>
       <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
-      <value>true</value>
+      <value>false</value>
     </entry>
     <entry>
       <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
       <value>true</value>
     </entry>
+    <!-- Depending on the Azure application, dynamic ports may not be allowed. Enable this if not allowed. -->
+    <entry>
+      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
+      <value>false</value>
+    </entry>
   </capabilities>
   <accessTokenResponseMaps>
     <entry>
@@ -50,10 +58,6 @@
       <key>REFRESHTOKEN</key>
       <value>refresh_token</value>
     </entry>
-    <entry>
-      <key>access-token-issue-time</key>
-      <value>issued_at</value>
-    </entry>
     <entry>
       <key>access-token-expires-in</key>
       <value>expires_in</value>
@@ -64,7 +68,7 @@
     </entry>
     <entry>
       <key>username</key>
-      <value>preferred_username</value>
+      <value>email</value>
     </entry>
   </accessTokenResponseMaps>
  </pluginOAuthConfig>

From 00b79e82535ce25eb5f2c5726f1041851c5dee40 Mon Sep 17 00:00:00 2001
From: Jade Koskela <jkoskeladev@gmail.com>
Date: Tue, 26 Mar 2024 13:19:12 -0700
Subject: [PATCH 2/5] Switch back to preferred_username for first azure example

---
 samples/components/oauth/redshift.azure.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/samples/components/oauth/redshift.azure.xml b/samples/components/oauth/redshift.azure.xml
index b3a41bd4..c8668b9e 100644
--- a/samples/components/oauth/redshift.azure.xml
+++ b/samples/components/oauth/redshift.azure.xml
@@ -66,9 +66,11 @@
       <key>id-token</key>
       <value>id_token</value>
     </entry>
+    <!-- preferred_username only available in Azure v2 tokens. If using v1 tokens use email instead.  -->
+    <!-- https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims -->
     <entry>
       <key>username</key>
-      <value>email</value>
+      <value>preferred_username</value>
     </entry>
   </accessTokenResponseMaps>
  </pluginOAuthConfig>

From 9bd9a46bfed48270201aae5aed0e361264303a32 Mon Sep 17 00:00:00 2001
From: Jade Koskela <jkoskeladev@gmail.com>
Date: Tue, 26 Mar 2024 13:41:46 -0700
Subject: [PATCH 3/5] Add issued-at back

---
 samples/components/oauth/redshift.azure.iam-idc.xml | 4 ++++
 samples/components/oauth/redshift.azure.xml         | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/samples/components/oauth/redshift.azure.iam-idc.xml b/samples/components/oauth/redshift.azure.iam-idc.xml
index 3cf36199..a6293a0e 100644
--- a/samples/components/oauth/redshift.azure.iam-idc.xml
+++ b/samples/components/oauth/redshift.azure.iam-idc.xml
@@ -57,6 +57,10 @@
       <key>REFRESHTOKEN</key>
       <value>refresh_token</value>
     </entry>
+    <entry>
+      <key>access-token-issue-time</key>
+      <value>issued_at</value>
+    </entry>
     <entry>
       <key>id-token</key>
       <value>id_token</value>
diff --git a/samples/components/oauth/redshift.azure.xml b/samples/components/oauth/redshift.azure.xml
index c8668b9e..10099c3c 100644
--- a/samples/components/oauth/redshift.azure.xml
+++ b/samples/components/oauth/redshift.azure.xml
@@ -58,6 +58,10 @@
       <key>REFRESHTOKEN</key>
       <value>refresh_token</value>
     </entry>
+    <entry>
+      <key>access-token-issue-time</key>
+      <value>issued_at</value>
+    </entry>
     <entry>
       <key>access-token-expires-in</key>
       <value>expires_in</value>

From c77424bd30156bedbb51c12fee6cf85d10d49417 Mon Sep 17 00:00:00 2001
From: Jade Koskela <jkoskeladev@gmail.com>
Date: Tue, 26 Mar 2024 13:46:12 -0700
Subject: [PATCH 4/5] Address comments

---
 samples/components/oauth/athena.okta.xml    | 2 +-
 samples/components/oauth/redshift.azure.xml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/samples/components/oauth/athena.okta.xml b/samples/components/oauth/athena.okta.xml
index e562d614..16ef7edc 100644
--- a/samples/components/oauth/athena.okta.xml
+++ b/samples/components/oauth/athena.okta.xml
@@ -67,7 +67,7 @@
     </entry>
     <entry>
       <key>username</key>
-      <value>email</value>
+      <value>preferred_username</value>
     </entry>
   </accessTokenResponseMaps>
 </pluginOAuthConfig>
\ No newline at end of file
diff --git a/samples/components/oauth/redshift.azure.xml b/samples/components/oauth/redshift.azure.xml
index 10099c3c..9b7887d1 100644
--- a/samples/components/oauth/redshift.azure.xml
+++ b/samples/components/oauth/redshift.azure.xml
@@ -17,6 +17,8 @@
   <tokenUri>https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token</tokenUri>
   <scopes>openid</scopes>
   <scopes>email</scopes>
+  <!-- profile scope needed for preferred_username -->
+  <scopes>profile</scopes>
   <scopes>offline_access</scopes>
   <capabilities>
     <entry>

From 1590ba1f591e6e08063256f60bed75ffb2d1d8cd Mon Sep 17 00:00:00 2001
From: Jade Koskela <jkoskeladev@gmail.com>
Date: Tue, 26 Mar 2024 13:58:21 -0700
Subject: [PATCH 5/5] Minor changes

---
 samples/components/oauth/redshift.azure.iam-idc.xml | 2 +-
 samples/components/oauth/redshift.azure.xml         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/samples/components/oauth/redshift.azure.iam-idc.xml b/samples/components/oauth/redshift.azure.iam-idc.xml
index a6293a0e..9631021e 100644
--- a/samples/components/oauth/redshift.azure.iam-idc.xml
+++ b/samples/components/oauth/redshift.azure.iam-idc.xml
@@ -36,7 +36,7 @@
     </entry>
     <entry>
       <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
-      <value>true</value>
+      <value>false</value>
     </entry>
     <entry>
       <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
diff --git a/samples/components/oauth/redshift.azure.xml b/samples/components/oauth/redshift.azure.xml
index 9b7887d1..478f1278 100644
--- a/samples/components/oauth/redshift.azure.xml
+++ b/samples/components/oauth/redshift.azure.xml
@@ -39,7 +39,7 @@
     </entry>
     <entry>
       <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
-      <value>false</value>
+      <value>true</value>
     </entry>
     <entry>
       <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>