trinodb · kokosing · Feb 22, 2023 · Jan 11, 2023
diff --git a/core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Config.java b/core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Config.java
@@ -157,8 +157,8 @@ public Optional<String> getGroupsField()
         return groupsField;
     }
 
-    @Config("http-server.authentication.oauth2.groups-field")
-    @ConfigDescription("Groups field in the claim")
+    @Config("deprecated.http-server.authentication.oauth2.groups-field")
+    @ConfigDescription("Groups field in the claim. This configuration is scheduled for removal.")
     public OAuth2Config setGroupsField(String groupsField)
     {
         this.groupsField = Optional.ofNullable(groupsField);

diff --git a/core/trino-main/src/test/java/io/trino/server/security/TestResourceSecurity.java b/core/trino-main/src/test/java/io/trino/server/security/TestResourceSecurity.java
@@ -783,7 +783,7 @@ public void testOAuth2Groups(Optional<Set<String>> groups)
                                 .put("web-ui.enabled", "true")
                                 .put("http-server.authentication.type", "oauth2")
                                 .putAll(getOAuth2Properties(tokenServer))
-                                .put("http-server.authentication.oauth2.groups-field", GROUPS_CLAIM)
+                                .put("deprecated.http-server.authentication.oauth2.groups-field", GROUPS_CLAIM)
                                 .buildOrThrow())
                         .setAdditionalModule(oauth2Module(tokenServer))
                         .build()) {

diff --git a/core/trino-main/src/test/java/io/trino/server/security/oauth2/TestOAuth2Config.java b/core/trino-main/src/test/java/io/trino/server/security/oauth2/TestOAuth2Config.java
@@ -64,7 +64,7 @@ public void testExplicitPropertyMappings()
                 .put("http-server.authentication.oauth2.client-secret", "consumer-secret")
                 .put("http-server.authentication.oauth2.scopes", "email,offline")
                 .put("http-server.authentication.oauth2.principal-field", "some-field")
-                .put("http-server.authentication.oauth2.groups-field", "groups")
+                .put("deprecated.http-server.authentication.oauth2.groups-field", "groups")
                 .put("http-server.authentication.oauth2.additional-audiences", "test-aud1,test-aud2")
                 .put("http-server.authentication.oauth2.challenge-timeout", "90s")
                 .put("http-server.authentication.oauth2.max-clock-skew", "15s")

diff --git a/docs/src/main/sphinx/security/oauth2.rst b/docs/src/main/sphinx/security/oauth2.rst
@@ -148,8 +148,6 @@ The following configuration properties are available:
        for more information.
    * - ``http-server.authentication.oauth2.principal-field``
      - The field of the access token used for the Trino user principal. Defaults to ``sub``. Other commonly used fields include ``sAMAccountName``, ``name``, ``upn``, and ``email``.
-   * - ``http-server.authentication.oauth2.groups-field``
-     - Array-based field in the access token used to list group information for a user.
    * - ``http-server.authentication.oauth2.oidc.discovery``
      - Enable reading the `OIDC provider metadata <https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata>`_.
        Default is ``true``.

diff --git a/...cker/presto-product-tests/conf/environment/singlenode-oauth2-http-proxy/config.properties b/...cker/presto-product-tests/conf/environment/singlenode-oauth2-http-proxy/config.properties
@@ -20,7 +20,6 @@ http-server.authentication.oauth2.jwks-url=http://hydra:4444/.well-known/jwks.js
 http-server.authentication.oauth2.client-id=trinodb_client_id
 http-server.authentication.oauth2.client-secret=trinodb_client_secret
 http-server.authentication.oauth2.user-mapping.pattern=(.*)(@.*)?
-http-server.authentication.oauth2.groups-field=groups
 http-server.authentication.oauth2.oidc.discovery=false
 oauth2-jwk.http-client.trust-store-path=/docker/presto-product-tests/conf/presto/etc/hydra.pem
 oauth2-jwk.http-client.http-proxy=proxy:8888

diff --git a/...ker/presto-product-tests/conf/environment/singlenode-oauth2-https-proxy/config.properties b/...ker/presto-product-tests/conf/environment/singlenode-oauth2-https-proxy/config.properties
@@ -20,7 +20,6 @@ http-server.authentication.oauth2.jwks-url=http://hydra:4444/.well-known/jwks.js
 http-server.authentication.oauth2.client-id=trinodb_client_id
 http-server.authentication.oauth2.client-secret=trinodb_client_secret
 http-server.authentication.oauth2.user-mapping.pattern=(.*)(@.*)?
-http-server.authentication.oauth2.groups-field=groups
 http-server.authentication.oauth2.oidc.discovery=false
 oauth2-jwk.http-client.trust-store-path=/docker/presto-product-tests/conf/presto/etc/cert/truststore.jks
 oauth2-jwk.http-client.trust-store-password=123456

diff --git a/.../docker/presto-product-tests/conf/environment/singlenode-oauth2-refresh/config.properties b/.../docker/presto-product-tests/conf/environment/singlenode-oauth2-refresh/config.properties
@@ -21,7 +21,6 @@ http-server.authentication.oauth2.jwks-url=http://hydra:4444/.well-known/jwks.js
 http-server.authentication.oauth2.client-id=trinodb_client_id
 http-server.authentication.oauth2.client-secret=trinodb_client_secret
 http-server.authentication.oauth2.user-mapping.pattern=(.*)(@.*)?
-http-server.authentication.oauth2.groups-field=groups
 http-server.authentication.oauth2.refresh-tokens=true
 http-server.authentication.oauth2.refresh-tokens.issued-token.timeout=30s
 http-server.authentication.oauth2.oidc.discovery=false

diff --git a/...esources/docker/presto-product-tests/conf/environment/singlenode-oauth2/config.properties b/...esources/docker/presto-product-tests/conf/environment/singlenode-oauth2/config.properties
@@ -20,7 +20,6 @@ http-server.authentication.oauth2.jwks-url=http://hydra:4444/.well-known/jwks.js
 http-server.authentication.oauth2.client-id=trinodb_client_id
 http-server.authentication.oauth2.client-secret=trinodb_client_secret
 http-server.authentication.oauth2.user-mapping.pattern=(.*)(@.*)?
-http-server.authentication.oauth2.groups-field=groups
 http-server.authentication.oauth2.oidc.discovery=false
 oauth2-jwk.http-client.trust-store-path=/docker/presto-product-tests/conf/presto/etc/hydra.pem
 

diff --git a/...es/docker/presto-product-tests/conf/environment/singlenode-oidc-refresh/config.properties b/...es/docker/presto-product-tests/conf/environment/singlenode-oidc-refresh/config.properties
@@ -18,7 +18,6 @@ http-server.authentication.oauth2.scopes=openid,offline
 http-server.authentication.oauth2.client-id=trinodb_client_id
 http-server.authentication.oauth2.client-secret=trinodb_client_secret
 http-server.authentication.oauth2.user-mapping.pattern=(.*)(@.*)?
-http-server.authentication.oauth2.groups-field=groups
 http-server.authentication.oauth2.refresh-tokens=true
 http-server.authentication.oauth2.refresh-tokens.issued-token.timeout=30s
 http-server.authentication.oauth2.oidc.use-userinfo-endpoint=false

diff --git a/.../resources/docker/presto-product-tests/conf/environment/singlenode-oidc/config.properties b/.../resources/docker/presto-product-tests/conf/environment/singlenode-oidc/config.properties
@@ -17,7 +17,6 @@ http-server.authentication.oauth2.issuer=http://hydra:4444/
 http-server.authentication.oauth2.client-id=trinodb_client_id
 http-server.authentication.oauth2.client-secret=trinodb_client_secret
 http-server.authentication.oauth2.user-mapping.pattern=(.*)(@.*)?
-http-server.authentication.oauth2.groups-field=groups
 http-server.authentication.oauth2.oidc.use-userinfo-endpoint=false
 oauth2-jwk.http-client.trust-store-path=/docker/presto-product-tests/conf/presto/etc/hydra.pem
 

diff --git a/...product-tests/src/main/java/io/trino/tests/product/jdbc/TestExternalAuthorizerOAuth2.java b/...product-tests/src/main/java/io/trino/tests/product/jdbc/TestExternalAuthorizerOAuth2.java
@@ -13,7 +13,6 @@
  */
 package io.trino.tests.product.jdbc;
 
-import com.google.common.collect.ImmutableList;
 import com.google.inject.Inject;
 import com.google.inject.name.Named;
 import io.trino.jdbc.TestingRedirectHandlerInjector;
@@ -39,10 +38,8 @@
 import java.sql.DriverManager;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
-import java.sql.SQLException;
 
 import static com.google.common.base.Preconditions.checkState;
-import static io.trino.tempto.assertions.QueryAssert.Row.row;
 import static io.trino.tempto.assertions.QueryAssert.assertThat;
 import static io.trino.tempto.query.QueryResult.forResultSet;
 import static io.trino.tests.product.TestGroups.OAUTH2;
@@ -123,18 +120,6 @@ public void shouldAuthenticateAfterTokenExpires()
         }
     }
 
-    @Test(groups = {OAUTH2, PROFILE_SPECIFIC_TESTS})
-    public void shouldReturnGroups()
-            throws SQLException
-    {
-        prepareHandler();
-        try (Connection connection = DriverManager.getConnection(jdbcUrl);
-                PreparedStatement statement = connection.prepareStatement("SELECT array_sort(current_groups())");
-                ResultSet rs = statement.executeQuery()) {
-            assertThat(forResultSet(rs)).containsOnly(row(ImmutableList.of("admin", "public")));
-        }
-    }
-
     private void prepareHandler()
     {
         TestingRedirectHandlerInjector.setRedirectHandler(uri -> {