feat(oauth2): add PKCE support for database OAuth2 authentication (#37067)

2026-04-17 07:05:04 +00:00 · 2026-01-30 23:28:10 -05:00
parent 05c2354997
commit 5d20dc57d7
10 changed files with 422 additions and 38 deletions
--- a/tests/unit_tests/databases/api_test.py
+++ b/tests/unit_tests/databases/api_test.py
@@ -255,7 +255,7 @@ def test_database_connection(
                    "service_account_info": {
                        "type": "service_account",
                        "project_id": "black-sanctum-314419",
-                        "private_key_id": "259b0d419a8f840056158763ff54d8b08f7b8173",
+                        "private_key_id": "259b0d419a8f840056158763ff54d8b08f7b8173",  # noqa: E501
                        "private_key": "XXXXXXXXXX",
                        "client_email": "google-spreadsheets-demo-servi@black-sanctum-314419.iam.gserviceaccount.com",  # noqa: E501
                        "client_id": "114567578578109757129",
@@ -621,6 +621,10 @@ def test_oauth2_happy_path(
        "expires_in": 3600,
        "refresh_token": "ZZZ",
    }
+    mocker.patch(
+        "superset.commands.database.oauth2.KeyValueDAO.get_value",
+        return_value=None,
+    )

    state: OAuth2State = {
        "user_id": 1,
@@ -641,7 +645,11 @@ def test_oauth2_happy_path(
        )

    assert response.status_code == 200
-    get_oauth2_token.assert_called_with({"id": "one", "secret": "two"}, "XXX")
+    get_oauth2_token.assert_called_with(
+        {"id": "one", "secret": "two"},
+        "XXX",
+        code_verifier=None,
+    )

    token = db.session.query(DatabaseUserOAuth2Tokens).one()
    assert token.user_id == 1
@@ -689,6 +697,10 @@ def test_oauth2_permissions(
        "expires_in": 3600,
        "refresh_token": "ZZZ",
    }
+    mocker.patch(
+        "superset.commands.database.oauth2.KeyValueDAO.get_value",
+        return_value=None,
+    )

    state: OAuth2State = {
        "user_id": 1,
@@ -709,7 +721,11 @@ def test_oauth2_permissions(
        )

    assert response.status_code == 200
-    get_oauth2_token.assert_called_with({"id": "one", "secret": "two"}, "XXX")
+    get_oauth2_token.assert_called_with(
+        {"id": "one", "secret": "two"},
+        "XXX",
+        code_verifier=None,
+    )

    token = db.session.query(DatabaseUserOAuth2Tokens).one()
    assert token.user_id == 1
@@ -762,6 +778,10 @@ def test_oauth2_multiple_tokens(
            "refresh_token": "ZZZ2",
        },
    ]
+    mocker.patch(
+        "superset.commands.database.oauth2.KeyValueDAO.get_value",
+        return_value=None,
+    )

    state: OAuth2State = {
        "user_id": 1,