
DX-118868: Add browser-based OAuth login flow#16

Draft
aniket-s-kulkarni wants to merge 8 commits into dremio:main from aniket-s-kulkarni:DX-118868-oauth-browser-login

Conversation

Collaborator

@aniket-s-kulkarni aniket-s-kulkarni commented Apr 14, 2026

Summary

  • Add OAuth Authorization Code + PKCE flow as an alternative to PAT authentication
  • New dremio login / dremio logout commands for browser-based auth
  • Automatic token refresh on 401 (one retry per request)
  • Headless fallback prints URL when no browser is available
  • Setup wizard (dremio setup) offers OAuth alongside PAT
  • Tokens stored in ~/.config/dremioai/oauth_tokens.yaml (mode 600)

Jira: DX-118868

Files Changed (13 files, +1276/-57)

New

  • src/drs/oauth.py — OAuth flow engine (discovery, DCR, PKCE, callback server, token exchange, refresh)
  • src/drs/token_store.py — Token persistence keyed by Dremio URL
  • src/drs/commands/login.py — Login/logout commands

Modified

  • src/drs/auth.py — PAT optional, auth_method field, token store fallback
  • src/drs/client.py — 401 intercept + per-request refresh
  • src/drs/cli.py — Register login/logout, updated error message
  • src/drs/commands/setup.py — Auth method prompt (OAuth/PAT)

Test plan

  • 196 tests passing (31 new)
  • Token store round-trip, permissions, multi-instance
  • PKCE correctness, auth URL construction, discovery, exchange, refresh
  • Headless fallback (both exception and return False paths)
  • 401 triggers refresh for OAuth, no refresh for PAT
  • Login saves tokens, logout clears tokens
  • OAuth path through setup wizard
  • PAT auth backward compatibility
  • Manual E2E test against real Dremio Cloud instance

Reviewer notes

  • SQL injection in reflection.py (pre-existing, not part of this PR) flagged by reviewer — tracked separately
  • TOCTOU port race noted as future improvement (bind HTTPServer to port 0 directly)

🤖 Generated with Claude Code
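The PKCE pair, the authorization URL and the loopback callback server that the summary describes, as an added Python example that is not code from this PR or from the dremio project. It shows the two checks a reviewer would look for in this flow: the callback verifies `state` with a constant-time compare before accepting a code (rejecting a forged redirect), and the server binds to port 0 so the kernel assigns a free port atomically, which is the fix the reviewer notes propose for the probe-then-bind TOCTOU race. The authorization endpoint, client id and authorization code are constructed placeholders; `simulate_redirect` stands in for the browser so the round trip runs offline, and the scope string and `/Callback` path are the ones named in the commits.

```python
import base64
import hashlib
import hmac
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse

CALLBACK_PATH = "/Callback"           # case-sensitive on the server side, per the commits
SCOPE = "dremio.all offline_access"   # scope string named in the commits


def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorization_url(authorization_endpoint, client_id, redirect_uri, state, code_challenge):
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
        "state": state,                       # random per login; bound to this CLI process
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


class CallbackServer(HTTPServer):
    """Loopback server that receives the authorization code.

    Binding to port 0 lets the kernel pick the port atomically, so there is no
    window between "find a free port" and "bind it" for another process to grab it.
    """

    def __init__(self, expected_state: str):
        super().__init__(("127.0.0.1", 0), _CallbackHandler)
        self.expected_state = expected_state
        self.code = None
        self.error = None

    @property
    def redirect_uri(self) -> str:
        return f"http://127.0.0.1:{self.server_address[1]}{CALLBACK_PATH}"


class _CallbackHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the CLI quiet

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != CALLBACK_PATH:          # exact match, including case
            return self._reply(404, "not found")
        qs = parse_qs(url.query)
        state = qs.get("state", [""])[0]
        if not hmac.compare_digest(state.encode(), self.server.expected_state.encode()):
            self.server.error = "state_mismatch"
            return self._reply(400, "state mismatch: ignoring this callback")
        if "error" in qs:                       # RFC 6749 error redirect from the server
            self.server.error = qs["error"][0]
            return self._reply(400, f"authorization failed: {self.server.error}")
        self.server.code = qs.get("code", [None])[0]
        self._reply(200, "Login complete. You can close this tab.")

    def _reply(self, status: int, text: str):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(text.encode())


def simulate_redirect(server: CallbackServer, params: dict) -> int:
    """Serve exactly one callback and issue it locally in place of the browser redirect."""
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    try:
        with urllib.request.urlopen(f"{server.redirect_uri}?{urlencode(params)}") as resp:
            status = resp.status
    except HTTPError as err:
        status = err.code
    worker.join()
    return status


def demo():
    """Full local round trip: PKCE pair, auth URL, callback with matching state."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(24)
    server = CallbackServer(state)
    url = build_authorization_url("https://login.example.invalid/authorize",  # placeholder endpoint
                                  "client-id-placeholder", server.redirect_uri, state, challenge)
    print("open in a browser, or print this for headless use:", url)
    status = simulate_redirect(server, {"code": "constructed-code", "state": state})
    server.server_close()
    assert pkce_challenge(verifier) == challenge  # what the token endpoint will recompute
    return status, server.code


if __name__ == "__main__":
    print(demo())
```

The handler rejects a mismatched `state` before looking at `code` or `error`, so a redirect that was not started by this process never populates `server.code`; the CLI would then keep waiting or time out rather than exchanging an attacker-supplied code.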

aniket-s-kulkarni and others added 8 commits April 14, 2026 19:22

Add OAuth Authorization Code + PKCE flow as an alternative to PAT
authentication. Users can now run `dremio login` to authenticate via
browser, with tokens stored in ~/.config/dremioai/oauth_tokens.yaml.

- OAuth discovery via .well-known/oauth-authorization-server
- Dynamic Client Registration (DCR) with PKCE
- Localhost callback server for auth code capture
- Automatic token refresh on 401 (one retry per request)
- Headless fallback: prints URL when browser unavailable
- `dremio login` / `dremio logout` commands
- Setup wizard offers OAuth alongside PAT

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Allow targeting a custom Dremio URL (e.g. app.dev.dremio.site) instead
of defaulting to app.dremio.cloud.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The .well-known/oauth-authorization-server endpoint lives on the login
subdomain (login.X), not the app subdomain (app.X). Rewrite app.* to
login.* when constructing the discovery URL.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…18868)

- Send `client_name` (not `client_id`) in DCR body per RFC 7591
- Gracefully fall back to the well-known client_id when the server
  rejects DCR (400/403), as Dremio servers may not allow open registration

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
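Discovery-URL derivation and the Dynamic Client Registration fallback described in the two commits above, as an added Python example that is not code from this PR or the dremio project. `app.*` is rewritten to `login.*` as the commit says; refusing non-https URLs is an added hardening choice so metadata is never fetched over cleartext. The DCR body sends `client_name` per RFC 7591 (the field the commit corrected) and falls back to a placeholder client id on 400/403. `FALLBACK_CLIENT_ID`, the client name `dremio-cli`, the registration endpoint and the two `fake_post_*` transports are assumptions and constructed stand-ins; the real values are not in the PR text.

```python
import json
from urllib.parse import urlsplit, urlunsplit

DISCOVERY_PATH = "/.well-known/oauth-authorization-server"
# Hypothetical placeholder: the actual well-known client id is not given in the PR.
FALLBACK_CLIENT_ID = "WELL-KNOWN-CLIENT-ID-PLACEHOLDER"


def discovery_url(dremio_url: str) -> str:
    """Build the OAuth metadata URL from a user-supplied Dremio URL.

    The metadata document is served on the login.* subdomain, so an app.* host
    is rewritten. Bare hostnames are accepted; http:// is refused (added hardening).
    """
    parts = urlsplit(dremio_url if "://" in dremio_url else f"https://{dremio_url}")
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"Dremio URL must be https with a host: {dremio_url!r}")
    host = parts.hostname
    if host.startswith("app."):
        host = "login." + host[len("app."):]
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, DISCOVERY_PATH, "", ""))


def register_client(registration_endpoint: str, redirect_uri: str, post):
    """RFC 7591 Dynamic Client Registration with the 400/403 fallback.

    `post(url, body) -> (status, response_dict)` is an injected transport so the
    example runs offline; a real CLI would wrap its HTTP library here.
    Returns (client_id, source) where source is "dcr" or "fallback".
    """
    body = {
        "client_name": "dremio-cli",  # assumed name; client_id is issued by the server, never sent
        "redirect_uris": [redirect_uri],
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",  # public client: no secret, PKCE protects the code
    }
    status, resp = post(registration_endpoint, body)
    if status in (200, 201):
        client_id = resp.get("client_id")
        if not client_id:
            raise RuntimeError("registration succeeded but returned no client_id")
        return client_id, "dcr"
    if status in (400, 403):
        # Server does not allow open registration: use the pre-registered public client.
        return FALLBACK_CLIENT_ID, "fallback"
    raise RuntimeError(f"DCR failed with HTTP {status}: {json.dumps(resp)}")


def fake_post_denying(url, body):
    """Constructed stand-in for a server that rejects open registration."""
    assert "client_id" not in body and body["client_name"]  # the field mix-up the commit fixed
    return 403, {"error": "access_denied"}


def fake_post_accepting(url, body):
    """Constructed stand-in for a server that honours DCR."""
    return 201, {"client_id": "srv-assigned-" + body["client_name"],
                 "redirect_uris": body["redirect_uris"]}


if __name__ == "__main__":
    print(discovery_url("app.dev.dremio.site"))
    # placeholder endpoint; a real client takes registration_endpoint from the metadata document
    print(register_client("https://login.example.invalid/register",
                          "http://127.0.0.1:0/Callback", fake_post_denying))
```

Only 400 and 403 trigger the fallback; any other failure (5xx, malformed JSON, a 2xx without `client_id`) raises, so a misbehaving server cannot silently steer the CLI onto a different client identity.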

Dremio's OAuth server supports `dremio.all offline_access`, not
`openid offline_access`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The Dremio OAuth server's allow-listed redirect path is case-sensitive:
/Callback, not /callback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

After OAuth login succeeds, fetch the project list and let the user
pick from a numbered menu instead of typing a project ID manually.
Auto-selects when only one project exists. Falls back to manual
prompt if the project list fetch fails.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…X-118868)

- Only show ACTIVE and HIBERNATED projects (skip DELETED etc.)
- Display project name, description, state, and creation date
- Richer formatting in the project selection panel

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>