Abstract common OAuth handling and add OAuth support to Athena DataLake Gen2 Connector

[Jithendar12]

Issue #, if available:

Description of changes:
Abstracted common OAuth handling into a new OAuthCredentialsProvider base class within the SDK module to enable reuse across multiple connectors.
Added support for OAuth-based authentication in the DataLake Gen2 connector using Microsoft Entra ID with the client_credentials grant type. The connector now obtains Bearer tokens directly from Entra ID and securely manages them via AWS Secrets Manager.

Users must store the following credentials in AWS Secrets Manager:
{
"client_id": "<your-entra-id-app-client-id>",
"client_secret": "<your-entra-id-app-client-secret>",
"tenant_id": "<your-entra-id-app-tenant-id>"
}

Please find attached reference and test documents.
gen2-oauth-testing.odt
OAuth Integration in datalakegen2.docx
SYNAPSE_FUNCTIONAL_TEST_2025-08-29.xlsx
SQLSERVER_FUNCTIONAL_TEST_2025-08-29.xlsx
DATALAKEGEN2_FUNCTIONAL_TEST_2025-08-29.xlsx
SNOWFLAKE_FUNCTIONAL_TEST_2025-08-29.xlsx
ORACLE_FUNCTIONAL_TEST_2025-08-29.xlsx
CLOUDERAHIVE_FUNCTIONAL_TEST_2025-08-29.xlsx

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[amazon-inspector-n-virginia]

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

[amazon-inspector-n-virginia]

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

[amazon-inspector-n-virginia]

✅ I finished the code review, and didn't find any security or code quality issues.

[amazon-inspector-n-virginia]

✅ I finished the code review, and didn't find any security or code quality issues.

[ejeffrli]

How come DataLakeGen2RecordHandler was using GenericJdbcConnectionFactory when there is a DataLakeGen2JdbcConnectionFactory class being used by MetadataHandler before?

[Jithendar12]

Hi @ejeffrli , this might be an oversight from the initial connector implementation. For Gen2, these changes weren’t strictly required because username/password were already being set in the JDBC properties (ref). So, deleted DataLakeGen2JdbcConnectionFactory file as it is no more required. Thanks!

[ejeffrli]

will this property be used by other connectors that can use OAuth? Can we move this constant variable somewhere else so connectors like Synapse can use this (if the names are the same)?

[burhan94]

+1, lets think about moving this to the federation SDK since we're already extracting common OAuth code.

[Jithendar12]

@ejeffrli / @burhan94, Created new CredentialsConstants class in SDK for different Authentication constants and moved to there. Thanks!

[ejeffrli]

Can we re-use the secretsManager object from MetadataHandler and RecordHandler?

[Jithendar12]

Yes, added getCachableSecretsManager() method to return same secretManger instance of MetadataHandler and RecordHandler.

[ejeffrli]

does this need to be abstract? Do two connectors check if oauth is configured in different ways?

[Jithendar12]

Yes, this has to be abstract. For example SAP HANA uses client_id, client_secret and token_url.

[burhan94]

+1, lets think about moving this to the federation SDK since we're already extracting common OAuth code.

[burhan94]

CredentialsProvider already exposes username, password

[Jithendar12]

Updated code. Thank you!

[burhan94]

We should improve the abstraction here. I suggest the following:

1. Credential interface -> UserNamePasswordCredential and OAuthAccessTokenCredential
2. OAuthCredentialsProvider returns a Credential object, and subclasses for OAuthCredentialsProvider will return the actual shape of the credential. A separate UserNamePasswordCredentialProvider should handle username/password separately. CredentialProvider can then be simplified

[Jithendar12]

@burhan94 ,
We have created a Credentials interface, which is implemented by both OAuthAccessTokenCredentials and the existing DefaultCredentials (for username/password).
We also created an OAuthCredentialsProvider that returns an OAuthAccessTokenCredentials object.
Instead of creating a new class for UserNamePasswordCredentialProvider, we have used the existing DefaultCredentialsProvider. Thank you!

[burhan94]

Can you add some more tests? looks like code coverage check is failing

[Jithendar12]

Can you add some more tests? looks like code coverage check is failing

Hi @burhan94, thank you for reviewing the PR. Initially, we added unit tests to cover the major OAuth code. However, as the design was further updated, it resulted in multiple changes across classes. Unit Tests have been added to improve the coverage of these changed classes, including the scenarios for error handling.

[codecov]

Codecov Report

❌ Patch coverage is 77.77778% with 42 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.35%. Comparing base (fe0a5d9) to head (8c060a9).
⚠️ Report is 8 commits behind head on master.

Files with missing lines	Patch %	Lines
...onnector/credentials/OAuthCredentialsProvider.java	80.50%	21 Missing and 2 partials ⚠️
...lakegen2/DataLakeGen2OAuthCredentialsProvider.java	75.00%	0 Missing and 5 partials ⚠️
...nnectors/synapse/SynapseJdbcConnectionFactory.java	0.00%	4 Missing ⚠️
...ectors/datalakegen2/DataLakeGen2RecordHandler.java	0.00%	3 Missing ⚠️
...nector/credentials/CredentialsProviderFactory.java	95.83%	0 Missing and 1 partial ⚠️
...hena/connector/credentials/DefaultCredentials.java	0.00%	1 Missing ⚠️
...nector/credentials/DefaultCredentialsProvider.java	50.00%	0 Missing and 1 partial ⚠️
...ector/credentials/OAuthAccessTokenCredentials.java	80.00%	1 Missing ⚠️
...ena/connector/lambda/handlers/MetadataHandler.java	0.00%	1 Missing ⚠️
...thena/connector/lambda/handlers/RecordHandler.java	0.00%	1 Missing ⚠️
... and 1 more

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #2932      +/-   ##
============================================
+ Coverage     63.67%   64.35%   +0.68%     
- Complexity     4344     4550     +206     
============================================
  Files           621      632      +11     
  Lines         23286    23972     +686     
  Branches       2859     2954      +95     
============================================
+ Hits          14827    15428     +601     
- Misses         7070     7124      +54     
- Partials       1389     1420      +31     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ejeffrli]

This class seems pretty generic. Seems like it returns oauthcredentialsprovider or returns defaultcredentialprovider. Any way to make this re-usable by synapse and other connectors who support oauth?

[ejeffrli]

I'm thinking this part can be abstracted out, and all connectors can eventually call this utils class to get default/oauth credentials

                if (DataLakeGen2OAuthCredentialsProvider.isOAuthConfigured(secretMap)) {
                    return new DataLakeGen2OAuthCredentialsProvider(secretName, secretMap, secretsManager);
                }
                ```

[Jithendar12]

Hi @ejeffrli , I've now moved this logic into the CredentialsProviderFactory class in the federation SDK module, making it reusable across all connectors that need OAuth support. Thank you!

[ejeffrli]

Can you also provide an up-to-date testing document of

1. Datalakegen2 with oauth
2. Datalakegen2 without oauth
3. Snowflake connector (as well as sqlserver, hive, etc. the more the better) (this is original non-oauth flow because it seems like DefaultCredentialsProvider was slightly touched)

[Jithendar12]

Can you also provide an up-to-date testing document of

1. Datalakegen2 with oauth
2. Datalakegen2 without oauth
3. Snowflake connector (as well as sqlserver, hive, etc. the more the better) (this is original non-oauth flow because it seems like DefaultCredentialsProvider was slightly touched)

Hi @ejeffrli , attached test documents to the PR. Thank you!

[AbdulR3hman]

I really think we shouldn't use reflection when we have control over the lifecycle of these objects. here are my thoughts:

1. Current Issue:

   • The code unnecessarily uses reflection when we have full control over all intended classes
   • Passing class objects adds complexity without benefits in this controlled environment

2. Proposed Solution:

   • Replace reflection with an interface-based approach
   • Create an interface (e.g., AthenaFederationCredentialProvider) that all credential providers implement (if you find a better name go for it)
   • The interface should define the setup/initialization behavior

3. Implementation Suggestion:

   • Instead of:

     Class<T> oAuthProviderClass // as parameter

   • Use:

     AthenaFederationCredentialProvider provider // as parameter

   • Each provider (like DataLakeGen2CredentialsProvider) would implement this interface
   • The CredentialProviderFactory would work with the interface directly, eliminating the need for reflection

4. Benefits:

   • More straightforward and type-safe implementation
   • Better compile-time checking
   • Easier to maintain and extend
   • More explicit contract between components

[ejeffrli]

+1

[Jithendar12]

Hi @AbdulR3hman,Thank you for your suggestion. we’ve removed reflection and refactored to an interface-based approach (InitializableCredentialsProvider). All advanced providers (e.g., OAuthCredentialsProvider) will implement this interface, leveraging properties from Secrets Manager for initialization. Thank you!

[ejeffrli]

more of a dependency injection approach than a static factory function.

[Jithendar12]

more of a dependency injection approach than a static factory function.

Hi @ejeffrli, it seems you have deleted the two review comments above which are related to this comment. We just want to confirm is this still valid?

[burhan94]

Met with Abdul and Jeff, we are good to approve.