SNOW-1955810 Support client-side opt-in of Refresh Token Rotation in Snowflake OAuth (#2166)

sfc-gh-pmansour · web-flow · commit 94ac08c8e764 · 2025-04-25T11:22:01.000+02:00
diff --git a/src/main/java/net/snowflake/client/core/SFOauthLoginInput.java b/src/main/java/net/snowflake/client/core/SFOauthLoginInput.java
@@ -9,6 +9,7 @@ public class SFOauthLoginInput {
   private final String authorizationUrl;
   private final String tokenRequestUrl;
   private final String scope;
+  private final boolean enableSingleUseRefreshTokens;
 
   public SFOauthLoginInput(
       String clientId,
@@ -17,12 +18,24 @@ public SFOauthLoginInput(
       String authorizationUrl,
       String tokenRequestUrl,
       String scope) {
+    this(clientId, clientSecret, redirectUri, authorizationUrl, tokenRequestUrl, scope, false);
+  }
+
+  public SFOauthLoginInput(
+      String clientId,
+      String clientSecret,
+      String redirectUri,
+      String authorizationUrl,
+      String tokenRequestUrl,
+      String scope,
+      boolean enableSingleUseRefreshTokens) {
     this.redirectUri = redirectUri;
     this.clientId = clientId;
     this.clientSecret = clientSecret;
     this.authorizationUrl = authorizationUrl;
     this.tokenRequestUrl = tokenRequestUrl;
     this.scope = scope;
+    this.enableSingleUseRefreshTokens = enableSingleUseRefreshTokens;
   }
 
   public String getRedirectUri() {
@@ -48,4 +61,8 @@ public String getTokenRequestUrl() {
   public String getScope() {
     return scope;
   }
+
+  public boolean getEnableSingleUseRefreshTokens() {
+    return enableSingleUseRefreshTokens;
+  }
 }
diff --git a/src/main/java/net/snowflake/client/core/SFSession.java b/src/main/java/net/snowflake/client/core/SFSession.java
@@ -680,7 +680,10 @@ public synchronized void open() throws SFException, SnowflakeSQLException {
             (String) connectionPropertiesMap.get(SFSessionProperty.OAUTH_REDIRECT_URI),
             (String) connectionPropertiesMap.get(SFSessionProperty.OAUTH_AUTHORIZATION_URL),
             (String) connectionPropertiesMap.get(SFSessionProperty.OAUTH_TOKEN_REQUEST_URL),
-            (String) connectionPropertiesMap.get(SFSessionProperty.OAUTH_SCOPE));
+            (String) connectionPropertiesMap.get(SFSessionProperty.OAUTH_SCOPE),
+            getBooleanValue(
+                connectionPropertiesMap.get(
+                    SFSessionProperty.OAUTH_ENABLE_SINGLE_USE_REFRESH_TOKENS)));
 
     loginInput
         .setServerUrl((String) connectionPropertiesMap.get(SFSessionProperty.SERVER_URL))
diff --git a/src/main/java/net/snowflake/client/core/SFSessionProperty.java b/src/main/java/net/snowflake/client/core/SFSessionProperty.java
@@ -26,6 +26,7 @@ public enum SFSessionProperty {
   OAUTH_SCOPE("oauthScope", false, String.class),
   OAUTH_AUTHORIZATION_URL("oauthAuthorizationUrl", false, String.class),
   OAUTH_TOKEN_REQUEST_URL("oauthTokenRequestUrl", false, String.class),
+  OAUTH_ENABLE_SINGLE_USE_REFRESH_TOKENS("oauthEnableSingleUseRefreshTokens", false, Boolean.class),
   WORKLOAD_IDENTITY_PROVIDER("workloadIdentityProvider", false, String.class),
   WORKLOAD_IDENTITY_ENTRA_RESOURCE("workloadIdentityEntraResource", false, String.class),
   WAREHOUSE("warehouse", false, String.class),
diff --git a/src/main/java/net/snowflake/client/core/auth/oauth/OAuthAuthorizationCodeAccessTokenProvider.java b/src/main/java/net/snowflake/client/core/auth/oauth/OAuthAuthorizationCodeAccessTokenProvider.java
@@ -215,13 +215,17 @@ private HttpRequestBase buildTokenRequest(
             new Secret(loginInput.getOauthLoginInput().getClientSecret()));
     Scope scope =
         new Scope(OAuthUtil.getScope(loginInput.getOauthLoginInput(), loginInput.getRole()));
-    TokenRequest tokenRequest =
-        new TokenRequest(
-            OAuthUtil.getTokenRequestUrl(
-                loginInput.getOauthLoginInput(), loginInput.getServerUrl()),
-            clientAuthentication,
-            codeGrant,
-            scope);
+    TokenRequest.Builder tokenRequestBuilder =
+        new TokenRequest.Builder(
+                OAuthUtil.getTokenRequestUrl(
+                    loginInput.getOauthLoginInput(), loginInput.getServerUrl()),
+                clientAuthentication,
+                codeGrant)
+            .scope(scope);
+    if (loginInput.getOauthLoginInput().getEnableSingleUseRefreshTokens()) {
+      tokenRequestBuilder.customParameter("enable_single_use_refresh_tokens", "true");
+    }
+    TokenRequest tokenRequest = tokenRequestBuilder.build();
     HTTPRequest tokenHttpRequest = tokenRequest.toHTTPRequest();
     HttpRequestBase convertedTokenRequest = OAuthUtil.convertToBaseRequest(tokenHttpRequest);
 
diff --git a/src/test/java/net/snowflake/client/core/OAuthAuthorizationCodeFlowLatestIT.java b/src/test/java/net/snowflake/client/core/OAuthAuthorizationCodeFlowLatestIT.java
@@ -30,6 +30,8 @@ public class OAuthAuthorizationCodeFlowLatestIT extends BaseWiremockTest {
       SCENARIOS_BASE_DIR + "/successful_flow.json";
   private static final String SUCCESSFUL_DPOP_FLOW_SCENARIO_MAPPINGS =
       SCENARIOS_BASE_DIR + "/successful_dpop_flow.json";
+  private static final String SUCCESSFUL_FLOW_WITH_SINGLE_USE_REFRESH_TOKENS_SCENARIO_MAPPINGS =
+      SCENARIOS_BASE_DIR + "/successful_flow_with_single_use_refresh_tokens.json";
   private static final String DPOP_NONCE_ERROR_SCENARIO_MAPPINGS =
       SCENARIOS_BASE_DIR + "/dpop_nonce_error_flow.json";
   private static final String BROWSER_TIMEOUT_SCENARIO_MAPPING =
@@ -59,7 +61,7 @@ public OAuthAuthorizationCodeFlowLatestIT() throws SFException {}
   public void successfulFlowScenario() throws SFException {
     importMappingFromResources(SUCCESSFUL_FLOW_SCENARIO_MAPPINGS);
     SFLoginInput loginInput =
-        createLoginInputStub("http://localhost:8009/snowflake/oauth-redirect", null, null);
+        createLoginInputStub("http://localhost:8009/snowflake/oauth-redirect", null, null, false);
 
     TokenResponseDTO tokenResponse = provider.getAccessToken(loginInput);
     String accessToken = tokenResponse.getAccessToken();
@@ -96,14 +98,31 @@ public void successfulFlowDPoPScenarioWithNonce() throws SFException {
     Assertions.assertEquals("access-token-123", accessToken);
   }
 
+  @Test
+  public void successfulFlowWithSingleUseRefreshTokensScenario() throws SFException {
+    importMappingFromResources(SUCCESSFUL_FLOW_WITH_SINGLE_USE_REFRESH_TOKENS_SCENARIO_MAPPINGS);
+    SFLoginInput loginInput =
+        createLoginInputStub("http://localhost:8009/snowflake/oauth-redirect", null, null, true);
+
+    TokenResponseDTO tokenResponse = provider.getAccessToken(loginInput);
+    String accessToken = tokenResponse.getAccessToken();
+    String refreshToken = tokenResponse.getRefreshToken();
+
+    Assertions.assertFalse(StringUtils.isNullOrEmpty(accessToken));
+    Assertions.assertFalse(StringUtils.isNullOrEmpty(refreshToken));
+    Assertions.assertEquals("access-token-123", accessToken);
+    Assertions.assertEquals("refresh-token-123", refreshToken);
+  }
+
   @Test
   public void customUrlsScenario() throws SFException {
     importMappingFromResources(CUSTOM_URLS_SCENARIO_MAPPINGS);
     SFLoginInput loginInput =
         createLoginInputStub(
             "http://localhost:8007/snowflake/oauth-redirect",
             String.format("http://%s:%d/authorization", WIREMOCK_HOST, wiremockHttpPort),
-            String.format("http://%s:%d/tokenrequest", WIREMOCK_HOST, wiremockHttpPort));
+            String.format("http://%s:%d/tokenrequest", WIREMOCK_HOST, wiremockHttpPort),
+            false);
 
     TokenResponseDTO tokenResponse = provider.getAccessToken(loginInput);
     String accessToken = tokenResponse.getAccessToken();
@@ -116,7 +135,7 @@ public void customUrlsScenario() throws SFException {
   public void browserTimeoutFlowScenario() throws SFException {
     importMappingFromResources(BROWSER_TIMEOUT_SCENARIO_MAPPING);
     SFLoginInput loginInput =
-        createLoginInputStub("http://localhost:8004/snowflake/oauth-redirect", null, null);
+        createLoginInputStub("http://localhost:8004/snowflake/oauth-redirect", null, null, false);
 
     AccessTokenProvider provider =
         new OAuthAuthorizationCodeAccessTokenProvider(
@@ -133,7 +152,7 @@ public void browserTimeoutFlowScenario() throws SFException {
   public void invalidScopeFlowScenario() {
     importMappingFromResources(INVALID_SCOPE_SCENARIO_MAPPING);
     SFLoginInput loginInput =
-        createLoginInputStub("http://localhost:8002/snowflake/oauth-redirect", null, null);
+        createLoginInputStub("http://localhost:8002/snowflake/oauth-redirect", null, null, false);
     SFException e =
         Assertions.assertThrows(SFException.class, () -> provider.getAccessToken(loginInput));
     Assertions.assertTrue(
@@ -146,7 +165,7 @@ public void invalidScopeFlowScenario() {
   public void invalidStateFlowScenario() {
     importMappingFromResources(INVALID_STATE_SCENARIO_MAPPING);
     SFLoginInput loginInput =
-        createLoginInputStub("http://localhost:8010/snowflake/oauth-redirect", null, null);
+        createLoginInputStub("http://localhost:8010/snowflake/oauth-redirect", null, null, false);
     SFException e =
         Assertions.assertThrows(SFException.class, () -> provider.getAccessToken(loginInput));
     Assertions.assertTrue(
@@ -159,7 +178,7 @@ public void invalidStateFlowScenario() {
   public void tokenRequestErrorFlowScenario() {
     importMappingFromResources(TOKEN_REQUEST_ERROR_SCENARIO_MAPPING);
     SFLoginInput loginInput =
-        createLoginInputStub("http://localhost:8003/snowflake/oauth-redirect", null, null);
+        createLoginInputStub("http://localhost:8003/snowflake/oauth-redirect", null, null, false);
 
     SFException e =
         Assertions.assertThrows(SFException.class, () -> provider.getAccessToken(loginInput));
@@ -169,12 +188,21 @@ public void tokenRequestErrorFlowScenario() {
   }
 
   private SFLoginInput createLoginInputStub(
-      String redirectUri, String authorizationUrl, String tokenRequestUrl) {
+      String redirectUri,
+      String authorizationUrl,
+      String tokenRequestUrl,
+      boolean enableSingleUseRefreshTokens) {
     SFLoginInput loginInputStub = new SFLoginInput();
     loginInputStub.setServerUrl(String.format("http://%s:%d/", WIREMOCK_HOST, wiremockHttpPort));
     loginInputStub.setOauthLoginInput(
         new SFOauthLoginInput(
-            "123", "123", redirectUri, authorizationUrl, tokenRequestUrl, "session:role:ANALYST"));
+            "123",
+            "123",
+            redirectUri,
+            authorizationUrl,
+            tokenRequestUrl,
+            "session:role:ANALYST",
+            enableSingleUseRefreshTokens));
     loginInputStub.setSocketTimeout(Duration.ofMinutes(5));
     loginInputStub.setHttpClientSettingsKey(new HttpClientSettingsKey(OCSPMode.FAIL_OPEN));
 
@@ -184,7 +212,7 @@ private SFLoginInput createLoginInputStub(
   private SFLoginInput createLoginInputStubWithDPoPEnabled(
       String redirectUri, String authorizationUrl, String tokenRequestUrl) {
     SFLoginInput loginInputStub =
-        createLoginInputStub(redirectUri, authorizationUrl, tokenRequestUrl);
+        createLoginInputStub(redirectUri, authorizationUrl, tokenRequestUrl, false);
     loginInputStub.setDPoPEnabled(true);
     return loginInputStub;
   }
diff --git a/src/test/resources/wiremock/mappings/oauth/authorization_code/successful_flow_with_single_use_refresh_tokens.json b/src/test/resources/wiremock/mappings/oauth/authorization_code/successful_flow_with_single_use_refresh_tokens.json
@@ -0,0 +1,80 @@
+{
+  "mappings": [
+    {
+      "scenarioName": "Successful OAuth authorization code flow",
+      "requiredScenarioState": "Started",
+      "newScenarioState": "Authorized",
+      "request": {
+        "urlPathPattern": "/oauth/authorize",
+        "queryParameters": {
+          "response_type": {
+            "equalTo": "code"
+          },
+          "scope": {
+            "equalTo": "session:role:ANALYST"
+          },
+          "code_challenge_method": {
+            "equalTo": "S256"
+          },
+          "redirect_uri": {
+            "equalTo": "http://localhost:8009/snowflake/oauth-redirect"
+          },
+          "code_challenge": {
+            "matches": ".*"
+          },
+          "state": {
+            "matches": ".*"
+          },
+          "client_id": {
+            "equalTo": "123"
+          }
+        },
+        "method": "GET"
+      },
+      "response": {
+        "status": 302,
+        "headers": {
+          "Location": "http://localhost:8009/snowflake/oauth-redirect?code=123&state=abc123"
+        }
+      }
+    },
+    {
+      "scenarioName": "Successful OAuth authorization code flow",
+      "requiredScenarioState": "Authorized",
+      "newScenarioState": "Acquired access token",
+      "request": {
+        "urlPathPattern": "/oauth/token-request.*",
+        "method": "POST",
+        "headers": {
+          "Authorization": {
+            "contains": "Basic"
+          },
+          "Content-Type": {
+            "contains": "application/x-www-form-urlencoded; charset=UTF-8"
+          }
+        },
+        "bodyPatterns": [
+          {
+            "contains": "grant_type=authorization_code&code=123&redirect_uri=http%3A%2F%2Flocalhost%3A8009%2Fsnowflake%2Foauth-redirect"
+          },
+          {
+            "contains": "&enable_single_use_refresh_tokens=true"
+          }
+        ]
+      },
+      "response": {
+        "status": 200,
+        "jsonBody": {
+          "access_token": "access-token-123",
+          "refresh_token": "refresh-token-123",
+          "token_type": "Bearer",
+          "username": "user",
+          "scope": "refresh_token session:role:ANALYST",
+          "expires_in": 600,
+          "refresh_token_expires_in": 86399,
+          "idpInitiated": false
+        }
+      }
+    }
+  ]
+}
