lxy714433989 opened a new pull request, #4272:
URL: https://github.com/apache/arrow-adbc/pull/4272

   ## Summary
   
   This PR adds OAuth2 authentication support to the Java Flight SQL ADBC driver.
   
   It introduces a configurable OAuth2 mechanism that allows clients to acquire and attach access tokens when establishing Flight SQL connections.
   
   ## Motivation
   
   The current Java Flight SQL driver supports basic authentication and custom authorization headers, but lacks a standardized way to configure OAuth2-based authentication.
   
   Many production deployments rely on OAuth2 (e.g., via identity providers such as Keycloak or cloud IAM systems). This change enables native OAuth2 support at the driver level, improving usability and reducing the need for custom integration logic.
   
   ## Changes
   
   - Add OAuth2-related connection options
     - token endpoint
     - client credentials
     - grant type (initial support focuses on client credentials flow)
   
   - Introduce `FlightSqlOAuthTokenProvider`
     - Responsible for acquiring and refreshing access tokens
     - Encapsulates OAuth2 logic from connection layer
   
   - Integrate OAuth authentication into `FlightSqlConnection`
     - Automatically attaches `Authorization: Bearer <token>` header
   
   - Add validation for conflicting authentication configurations
     - Prevent simultaneous usage of:
       - username/password
       - custom Authorization headers
       - OAuth2 configuration
   
   - Add unit tests for OAuth2 authentication behavior
   
   ## Scope
   
   This PR only introduces OAuth2 support on the **Java Flight SQL driver side**.
   
   - No changes to Flight SQL protocol
   - No server-side changes required
   - Backward compatible with existing authentication mechanisms
   
   ## Testing
   
   - Added unit tests in `OAuthTest.java`
   - Verified:
     - token acquisition and injection
     - conflict validation logic
     - existing authentication paths remain unaffected
   
   ## Compatibility
   
   This change is fully backward compatible:
   - Existing configurations (basic auth / headers) continue to work
   - OAuth2 is opt-in via new connection parameters
   
   ## Future Work
   
   - Support additional OAuth2 flows (e.g., authorization code)
   - Token caching and refresh improvements
   - Integration with external credential providers
   
   ## Notes for Reviewers
   
   - The implementation is intentionally scoped to client-side changes only
   - Feedback on API design (connection options and token provider abstraction) is especially welcome


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
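
The conflict validation listed under "Changes" can be sketched as follows. This is an added example, not code from the pull request or from the arrow-adbc project; the class name, the option keys and the sample values are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
/** Added illustration; not the driver's code. All option keys below are hypothetical. */
public final class AuthConflictCheck {
  enum Mechanism { NONE, BASIC, CUSTOM_HEADER, OAUTH2 }
  // Hypothetical option keys, invented for this example only.
  static final String USER = "username", PASSWORD = "password";
  static final String TOKEN_URI = "oauth.token_uri";
  static final String CLIENT_ID = "oauth.client_id";
  static final String CLIENT_SECRET = "oauth.client_secret";

  static boolean has(Map<String, String> m, String k) {
    return m.get(k) != null && !m.get(k).isEmpty();
  }

  /** Returns the single configured mechanism, or throws if the configuration is ambiguous. */
  static Mechanism resolve(Map<String, String> opts, Map<String, String> headers) {
    List<Mechanism> found = new ArrayList<>();
    if (has(opts, USER) || has(opts, PASSWORD)) found.add(Mechanism.BASIC);
    // Header names are case-insensitive, so "authorization" must also count.
    if (headers.keySet().stream().anyMatch(h -> h.equalsIgnoreCase("Authorization"))) {
      found.add(Mechanism.CUSTOM_HEADER);
    }
    boolean anyOauth = has(opts, TOKEN_URI) || has(opts, CLIENT_ID) || has(opts, CLIENT_SECRET);
    if (anyOauth) {
      // A half-filled OAuth2 block is an error, not a silent fallback to another mechanism.
      if (!(has(opts, TOKEN_URI) && has(opts, CLIENT_ID) && has(opts, CLIENT_SECRET))) {
        throw new IllegalArgumentException("incomplete OAuth2 configuration");
      }
      found.add(Mechanism.OAUTH2);
    }
    if (found.size() > 1) {
      // Name the mechanisms, never the credential values, in the error message.
      throw new IllegalArgumentException("conflicting authentication options: " + found);
    }
    return found.isEmpty() ? Mechanism.NONE : found.get(0);
  }

  public static void main(String[] args) {
    // Constructed sample configuration.
    Map<String, String> oauth = Map.of(TOKEN_URI, "https://idp.example/token",
        CLIENT_ID, "constructed-client", CLIENT_SECRET, "constructed-secret");
    System.out.println(resolve(oauth, Map.of()));
    try {
      resolve(oauth, Map.of("authorization", "Bearer constructed"));
    } catch (IllegalArgumentException e) {
      System.out.println(e.getMessage());
    }
  }
}
```

Rejecting an ambiguous configuration at connect time avoids the case where the driver silently picks one credential and sends it to a server the operator expected to receive another.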