Adding functionality to config preferred authschemeProvider #6083

Open
wants to merge 21 commits into
base: master

@RanVaknin RanVaknin commented May 2, 2025

Motivation and Context

Previously, when multiple auth schemes were available for an operation, the SDK would choose the first one defined in the service model. This PR implements the auth scheme preference configuration that allows users to specify their preferred authentication schemes in order of preference when multiple auth schemes are supported.

Example usage:

// Via client configuration in code
MyServiceClient client = MyServiceClient.builder()
    .authSchemeProvider(MyServiceAuthSchemeProvider.builder()
        .preferredAuthSchemes(Arrays.asList("sigv4", "sigv4a"))
        .build())
    .build();

// Via JVM properties:
// in code
System.setProperty("aws.authSchemePreference", "sigv4,sigv4a");
// or as a cmd line argument
java -Daws.authSchemePreference=sigv4,sigv4a -jar your-application.jar

// Via Environment variable:
export AWS_AUTH_SCHEME_PREFERENCE=sigv4,sigv4a

// Via AWS config file (~/.aws/config):
[default]
auth_scheme_preference = sigv4,sigv4a

Modifications

  • [Modified] client builders to read and apply auth scheme preferences

  • [Modified] the auth scheme resolution logic to respect user preferences while maintaining backward compatibility

  • [Added] AuthSchemePreferenceProvider class to resolve auth scheme preferences from various sources:

    • Client configuration
    • JVM system properties (aws.authSchemePreference)
    • Environment variables (AWS_AUTH_SCHEME_PREFERENCE)
    • AWS config file (auth_scheme_preference)
  • [Added] code generation support through PreferredAuthSchemeProviderSpec to generate service-specific auth scheme providers

Testing

  • AuthSchemePreferenceProviderTest verifies proper parsing of auth scheme preferences from different formats (spaces, tabs, etc.)

  • PreferredAuthSchemeProviderTest to test the reordering of auth schemes according to preferences
    comprehensive test cases for preference resolution from multiple sources, verifying proper precedence:

  • Stubbed functional test with mock services to verify the selected auth scheme matches the expected preference in actual requests
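
The parsing and reordering described in the PR description above, as an added example that is not code from the PR or the SDK. It works on plain scheme-ID strings instead of the SDK's AuthSchemeOption; the class name, method names and sample values are assumptions, and it goes slightly beyond the reviewed loop by deduplicating the preference list and indexing candidates in a map.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added illustration: class and method names are hypothetical, not SDK code.
public class AuthSchemePreferenceDemo {

    // Parse "sigv4, sigv4a": split on commas, trim spaces/tabs, drop blanks and repeats.
    static List<String> parsePreference(String raw) {
        if (raw == null) {
            return Collections.emptyList();
        }
        return Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .distinct()
                .collect(Collectors.toList());
    }

    // "aws.auth#sigv4" -> "sigv4"; an ID without '#' is returned unchanged.
    static String shortName(String schemeId) {
        return schemeId.substring(schemeId.indexOf('#') + 1);
    }

    // Preferred schemes first, in preference order, then the rest in model order.
    // Reorders only: unknown names are ignored, no candidate is dropped or repeated.
    static List<String> reorder(List<String> candidates, List<String> preference) {
        Map<String, String> byName = new HashMap<>();
        for (String id : candidates) {
            byName.putIfAbsent(shortName(id), id); // first candidate wins per name
        }
        Set<String> ordered = new LinkedHashSet<>();
        for (String name : preference) {
            if (byName.containsKey(name)) {
                ordered.add(byName.get(name));
            }
        }
        ordered.addAll(candidates);
        return new ArrayList<>(ordered);
    }

    public static void main(String[] args) {
        // Constructed sample input: three scheme IDs and a messy preference string.
        List<String> candidates = Arrays.asList(
                "aws.auth#sigv4", "aws.auth#sigv4a", "smithy.api#httpBearerAuth");
        List<String> preference = parsePreference(" sigv4a,\tsigv4 , sigv4a, nosuchscheme ");
        System.out.println(preference);
        System.out.println(reorder(candidates, preference));
    }
}
```

Because the preference only reorders what the operation already offers, a typo in AWS_AUTH_SCHEME_PREFERENCE silently falls back to model order, so logging the effective order is a useful check when the setting comes from the environment.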

@RanVaknin RanVaknin force-pushed the rvaknin/auth-schem-preference-config branch from 362e5f3 to f18fcc2 Compare May 5, 2025 02:22
@alextwoods alextwoods mentioned this pull request May 23, 2025
12 tasks
@RanVaknin RanVaknin marked this pull request as ready for review May 26, 2025 04:51
@RanVaknin RanVaknin requested a review from a team as a code owner May 26, 2025 04:51
return new QueryAuthSchemeProviderBuilder();
}

interface Builder {

Any updates on this?

Sorry I missed this comment earlier - I don't think we can do that without it being a breaking change. This would require adding the toBuilder method on the AuthSchemeProvider interface (and having it extend ToCopyableBuilder). This would be a breaking change to existing customer defined AuthSchemeProviders.

The original design suggested overloading the existing defaultProvider() method with a defaultProvider(List authSchemePreference) method instead of using a builder. Would that be preferable?

Will discuss offline in surface api review meeting.

return new QueryAuthSchemeProviderBuilder();
}

interface Builder {

Any updates on this?

}

@SdkInternalApi
final class QueryAuthSchemeProviderBuilder implements Builder {

Any updates on this?

Comment on lines +34 to +48
List<AuthSchemeOption> authSchemes = new ArrayList<>();
authSchemePreference.forEach(preferredSchemeId -> {
candidateAuthSchemes
.stream()
.filter(candidate -> {
String candidateSchemeName = candidate.schemeId().contains("#") ? candidate.schemeId().split("#")[1]
: candidate.schemeId();
return candidateSchemeName.equals(preferredSchemeId);
}).findFirst().ifPresent(authSchemes::add);
});
candidateAuthSchemes.forEach(candidate -> {
if (!authSchemes.contains(candidate)) {
authSchemes.add(candidate);
}
});
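
Review bot: a scheme name that appears twice in authSchemePreference is added to authSchemes twice, because the first loop ends in findFirst().ifPresent(authSchemes::add) with no contains check like the one in the second loop; deduplicate the preference list or guard that add. In the filter, candidate.schemeId().split("#")[1] throws ArrayIndexOutOfBoundsException for an ID that ends in "#" and keeps only the middle segment when an ID has more than one "#"; computing the short name once per candidate with indexOf and substring avoids both and removes the repeated schemeId() calls. Building a map from short name to candidate before the preference loop would also replace the nested stream scan and the linear authSchemes.contains(candidate) lookup.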

This doesn't seem to be very efficient O(n * m). Is that a concern?

@zoewangg zoewangg dismissed their stale review May 30, 2025 00:43

Dismissing to unblock the change since I'm OOTO.
