feat(core): add oidc auth code flow [release] #587

Merged Jul 15, 2021 (10 commits)

@vegardok vegardok commented Jun 22, 2021

BREAKING CHANGE: loginWithOAuth signature is changed

@jarlah jarlah self-assigned this Jun 22, 2021
@vegardok vegardok force-pushed the add-oidc-auth-code-flow branch 3 times, most recently from 65ac887 to d9af8e5 Compare June 23, 2021 13:41
@vegardok vegardok changed the title Add oidc auth code flow feat! add oidc auth code flow Jun 23, 2021
@vegardok vegardok marked this pull request as ready for review June 23, 2021 14:03
@vegardok vegardok requested a review from a team as a code owner June 23, 2021 14:03
@vegardok vegardok requested review from a team and begozcan June 23, 2021 14:03
@vegardok vegardok changed the title feat! add oidc auth code flow feat!: add oidc auth code flow Jun 23, 2021
@vegardok vegardok force-pushed the add-oidc-auth-code-flow branch 2 times, most recently from c0776ae to 15f3a28 Compare June 23, 2021 14:23
@vegardok vegardok requested a review from jarlah June 23, 2021 14:23

codecov bot commented Jun 23, 2021

Codecov Report

Merging #587 (e5fc767) into master (00c73e4) will decrease coverage by 22.96%.
The diff coverage is 85.58%.

@@             Coverage Diff             @@
##           master     #587       +/-   ##
===========================================
- Coverage   98.69%   75.72%   -22.97%     
===========================================
  Files          19       86       +67     
  Lines         764     3077     +2313     
  Branches       51      470      +419     
===========================================
+ Hits          754     2330     +1576     
- Misses         10      719      +709     
- Partials        0       28       +28     
Impacted Files Coverage Δ
packages/stable/src/api/sequences/sequencesApi.ts 100.00% <ø> (ø)
...able/src/api/serviceAccounts/serviceAccountsApi.ts 100.00% <ø> (ø)
...table/src/api/timeSeries/syntheticTimeSeriesApi.ts 100.00% <ø> (ø)
...ackages/stable/src/api/timeSeries/timeSeriesApi.ts 100.00% <ø> (ø)
packages/stable/src/cogniteClient.ts 100.00% <ø> (ø)
packages/stable/src/retryValidator.ts 100.00% <ø> (ø)
packages/stable/src/types.ts 100.00% <ø> (ø)
packages/template/src/__tests__/testUtils.ts 100.00% <ø> (ø)
packages/template/src/cogniteClient.ts 100.00% <ø> (ø)
packages/wells/src/__tests__/testUtils.ts 50.00% <ø> (ø)
... and 180 more

@jarlah jarlah left a comment

looks good. Have some change requests and/or comments.

@@ -589,7 +631,7 @@ export default class BaseCogniteClient {
user = null;
}

if (!user || !user.access_token) {
if (!user || user.access_token) {
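
Review bot: the changed condition `!user || user.access_token` drops the negation on `user.access_token`, so the branch now runs for a user that already holds an access token and is skipped for a user object that has none. Restore `!user.access_token`, and add a test that passes a user without a token through this check so the inversion cannot come back unnoticed.
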
Contributor

is this intentional, leaving out the ! in front of user.access_token? did it come from my branch 🙈

Contributor

so if we don't have a user or a user WITH access token .... I think this is wrong

Contributor Author

yea, looks like a typo to me, good catch

@@ -57,7 +57,7 @@ function App() {

useEffect(() => {
const login = async (client) => {
const result = await client.loginWithOAuth({
const result = await client.loginWithOAuth('ADFS_OAUTH', {
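
Review bot: the new call on the last line passes the flow name as a bare string ('ADFS_OAUTH') separately from the options object, so nothing at this call site ties the shape of the options to the flow that was named. Consider passing a single flow object that carries both the type and its options, so that a mismatch between the two is rejected by the type checker instead of surfacing at login time.
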
Contributor

needs to be updated to send in flow object

Contributor Author

fixed

@@ -61,7 +61,7 @@ function App() {

useEffect(() => {
const login = async (client) => {
const result = await client.loginWithOAuth({
const result = await client.loginWithOAuth('AAD_OAUTH', {
Contributor

needs to be updated to send in flow object

Contributor Author

fixed

* }
* });
*
* // or with client credentials
Contributor

this is not a part of this PR but will be a part of my PR. possibly remove.

Contributor Author

done


export type AuthFlowType =
Contributor

so glad we did this. 🙌 much more readable and only by using a basic union with common fields

Agree — this approach looks great

const client = useMemo(() => new CogniteClient({ appId: 'sample-app-id' }), []);

useEffect(() => {
client.loginWithOAuth('OIDC_AUTHORIZATION_CODE_FLOW', {
Contributor

needs to be updated to send in flow object

Contributor Author

fixed

@jarlah jarlah removed their assignment Jun 24, 2021

jarlah commented Jun 25, 2021

I have been doing a lot of thinking on the flow manager approach in the code. So, we have a flow manager and a method inside the base client that handles the flow. So the logic is spread into two places, the flow manager and the loginWith[FlowType] method. I wonder, is it possible to merge the contents of the loginWith[FlowType] method into the flow manager? We could still continue to "manually" resolve the flow manager in the switch, but we wouldn't need to define a method in the base client. One way to avoid creating this method is to pass functions for setting bearer token and cluster.

This could be solved in the following manner:

      case 'OIDC_VENDOR_GENERIC_CLIENT_CREDENTIALS_FLOW': {
        this.vendorGenericFlowManager = new OidcVendorGeneric(flow.options, this.setCluster, this.setBearerToken);
        [authenticate, token] = await this.vendorGenericFlowManager.init();
        break;
      }

where this.setCluster and this.setBearerToken are lambda functions on the class (possible to pass around without losing this context). Or even just pass them as (cluster: string) => this.httpClient.setCluster(cluster) or this.httpClient.setCluster (the latter if the setCluster in httpClient is a lambda).

the init method name might need to be renamed to something else because some flow managers already have an init method. But the point remains.
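
The proposal in the comment above, sketched as an added example that is not part of the PR or the SDK: a flow manager is handed the cluster and bearer-token setters, and the `wrapSetter` switch shows what happens when a plain method is passed as a bare reference instead of a lambda. All class, type and value names are hypothetical, and the token is a constructed string.

```typescript
// Added example: all names are hypothetical, not the SDK's real classes.
type AuthFlow =
  | { type: 'OIDC_AUTHORIZATION_CODE_FLOW'; options: { cluster: string } }
  | { type: 'OIDC_VENDOR_GENERIC_CLIENT_CREDENTIALS_FLOW'; options: { cluster: string } };

type Setter = (value: string) => void;

class DemoHttpClient {
  cluster = '';
  bearer = '';
  // Ordinary method: `this` depends on how it is called.
  setCluster(cluster: string): void {
    this.cluster = cluster;
  }
  // Arrow-function property: `this` is fixed to this DemoHttpClient.
  setBearerToken = (token: string): void => {
    this.bearer = token;
  };
}

// The flow manager owns the whole login; the client only hands it two setters.
class DemoFlowManager {
  constructor(
    private flow: AuthFlow,
    private setCluster: Setter,
    private setBearerToken: Setter
  ) {}

  login(): string {
    const token = `constructed-token:${this.flow.type}`; // stand-in for the IdP exchange
    this.setCluster(this.flow.options.cluster);
    this.setBearerToken(token);
    return token;
  }
}

class DemoClient {
  readonly http = new DemoHttpClient();

  loginWithOAuth(flow: AuthFlow, wrapSetter = true): string {
    const setCluster: Setter = wrapSetter
      ? (cluster: string) => this.http.setCluster(cluster) // keeps `this`
      : this.http.setCluster; // bare reference: runs with `this` = the flow manager
    return new DemoFlowManager(flow, setCluster, this.http.setBearerToken).login();
  }
}
```

With `wrapSetter` set to false the login still returns a token and sets the bearer, but the cluster is written onto the flow manager instead of the HTTP client, so the failure is silent.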

@vegardok vegardok force-pushed the add-oidc-auth-code-flow branch 2 times, most recently from 067dcbe to 711f6c1 Compare July 13, 2021 10:13

@polomani polomani left a comment

As I mentioned before, my biggest concern is about a breaking change in general.
We have a working adfs/aad flow, and breaking the users just for cleaner code's sake is not really a good excuse. I doubt we have resources to backport bugfixes/features anyway, so by releasing this we just make external developers' lives harder.

I would keep the same method we had before, and just introduce an additional one.
Something like setLoginConfig(...) which wouldn't support API keys/legacy OAuth.
As I remember that was what we agreed on earlier.

@vegardok

> We have working adfs/aad flow, and breaking the users just for a cleaner code's sake is not really a good excuse.

The main purpose of the PR is to add OIDC support for Aize/Auth0. The API change is not motivated by clean code, but less brittle code. this is error prone, and the more flows you add, the more error prone it will be.

polomani commented Jul 13, 2021

> and the more flows you add, the more error prone it will be

I completely agree, therefore I suggested adding a separate function to handle all these different flows (all of them except the legacy one)

CDF_OAUTH will be deprecated in a couple of months, another major?

@vegardok

> > and the more flows you add, the more error prone it will be
>
> I completely agree, therefore I suggested adding a separate function to handle all these different flows (all of them except the legacy one)

That would still be a breaking change for AAD/ADFS, so I don't see that as an alternative to the objection against frequent major version updates. I think the current setup is a good fit for changing flows in the future, e.g. adding client credentials will be a minor change.

The way I see it, this PR will be breaking and is an improvement. I don't see why adding a new method instead of changing the API is better?

> CDF_OAUTH will be deprecated in a couple of months, another major?

Q1 22 at the earliest, but that is optimistic. Or, it has been deprecated since Q1 21, but I don't think it will be shut down before the last customer has migrated. So who knows.

> Something like setLoginConfig(...) which wouldn't support API keys/legacy OAuth.

This is also not correct, you are doing more than just setting the config (checking old tokens, trying to silently refresh them if possible). So the semantics of the existing method is a better fit.

@vegardok vegardok changed the title feat!: add oidc auth code flow feat!: add oidc auth code flow [release] Jul 14, 2021
@vegardok vegardok changed the title feat!: add oidc auth code flow [release] feat(core): add oidc auth code flow [release] Jul 14, 2021
@vegardok vegardok requested a review from a team July 14, 2021 12:55
@vegardok vegardok requested a review from a team as a code owner July 14, 2021 12:55
@vegardok vegardok merged commit 0cc44aa into master Jul 15, 2021
@vegardok vegardok deleted the add-oidc-auth-code-flow branch October 12, 2021 13:07