Limited support for dynamic EXT_JWT renewal in IdpTokenAuthPlugin when using TTI #146
Description
Context
We are utilizing the IdpTokenAuthPlugin to supplement EXT_JWT, configured via AWS. AWS Redshift is set up with an IDP client in AWS IDC to accept tokens from a Trusted Token Issuer (TTI).
AWS Redshift Connector ----> AWS Redshift ------> AWS Identity Center (IDC) ---------> Trusted Token Issuer (TTI)
Issue with having EXT_JWT in JDBC URL
However, when using this plugin IdpTokenAuthPlugin, we found that hard-coding idp_token in the JDBC URL doesn't work for us since we are using DB connection pools from the client end. An example JDBC url with EXT_JWT would look like;
jdbc:redshift://host:port/dev/?plugin_name=com.amazon.redshift.plugin.IdpTokenAuthPlugin;token_type=EXT_JWT;token=<idp_token>;
AFAIU, AWS Redshift performs a token exchange to obtain an AWS token, relying on the TTI configured on AWS IDC for validation. Even though the <idp_token> is still valid (it hasn't expired), AWS IDC rejects the same token to avoid token-replay attacks with the jti claim (refer https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html).
We are receiving below error for the second connection attempt after a successful connection;
Caused by: java.sql.SQLException: FATAL: Token credentials expired or invalid.
at com.amazon.redshift.util.RedshiftException.getSQLException(RedshiftException.java:56) ~[?:?]
at com.amazon.redshift.Driver.connect(Driver.java:328) ~[?:?]
Thus, when using the same JDBC URL for multiple JDBC connections, like in a DB connection pool this fails since only the first DB thread in the pool succeeds, and subsequent attempts fail due to the same token appearing in the JDBC URL.
What We Tried
I tried writing my own plugin similar to IdpTokenAuthPlugin that injects <idp_token> dynamically to solve this issue, but I realized that due to IDP token plugins with a defined list it fails. In otherwords, Redshift JDBC connector Impl is limiting the custom plugins to not allow providing IDP tokens.
This is done by explicitly checking the plugin name against a defined set of plugin names in https://github.com/aws/amazon-redshift-jdbc-driver/blob/master/src/main/java/com/amazon/redshift/jdbc/RedshiftConnectionImpl.java#L325-L331.
Suggested Resolutions
- Extend behavior of the
IdpTokenAuthPluginto accomodate fetching<idp_token>from a URL (for instance from a external Keycloak IDP broker endpoint) - Allow custom plugins to provide
EXT_JWTsimilar toIdpTokenAuthPlugin(probably the easiest)