SubCoder1
diff --git a/‎CHANGES.txt
Lines changed: 1 addition & 0 deletions b/‎CHANGES.txt
Lines changed: 1 addition & 0 deletions
diff --git a/‎mysql-connector-python/lib/mysql/connector/abstracts.py
Lines changed: 37 additions & 8 deletions b/‎mysql-connector-python/lib/mysql/connector/abstracts.py
Lines changed: 37 additions & 8 deletions
diff --git a/‎mysql-connector-python/lib/mysql/connector/aio/abstracts.py
Lines changed: 34 additions & 9 deletions b/‎mysql-connector-python/lib/mysql/connector/aio/abstracts.py
Lines changed: 34 additions & 9 deletions
diff --git a/‎mysql-connector-python/lib/mysql/connector/aio/authentication.py
Lines changed: 7 additions & 7 deletions b/‎mysql-connector-python/lib/mysql/connector/aio/authentication.py
Lines changed: 7 additions & 7 deletions
diff --git a/‎mysql-connector-python/lib/mysql/connector/aio/connection.py
Lines changed: 35 additions & 13 deletions b/‎mysql-connector-python/lib/mysql/connector/aio/connection.py
Lines changed: 35 additions & 13 deletions
@@ -15,6 +15,7 @@ v9.1.0
 - WL#16444: Drop build support for DEB packages
 - WL#16442: Upgrade gssapi version to 1.8.3
 - WL#16411: Improve wheel metadata information for Classic and XDevAPI connectors
+- WL#16341: OpenID Connect (Oauth2 - JWT) Authentication Support
 - WL#16307: Remove Python 3.8 support
 - WL#16306: Add support for Python 3.13
 
 
@@ -140,13 +140,18 @@
     "No supported TLS protocol version found in the 'tls-versions' list '{}'. "
 )
 
-KRB_SERVICE_PINCIPAL_ERROR = (
+KRB_SERVICE_PRINCIPAL_ERROR = (
     'Option "krb_service_principal" {error}, must be a string in the form '
     '"primary/instance@realm" e.g "ldap/ldapauth@MYSQL.COM" where "@realm" '
     "is optional and if it is not given will be assumed to belong to the "
     "default realm, as configured in the krb5.conf file."
 )
 
+OPENID_TOKEN_FILE_ERROR = (
+    'Option "openid_token_file" {error}, it must be a string in the form '
+    '"path/to/openid/token/file".'
+)
+
 MYSQL_PY_TYPES = (
     Decimal,
     bytes,
@@ -215,6 +220,7 @@ def __init__(self) -> None:
         self._oci_config_profile: Optional[str] = None
         self._webauthn_callback: Optional[Union[str, Callable[[str], None]]] = None
         self._krb_service_principal: Optional[str] = None
+        self._openid_token_file: Optional[str] = None
 
         self._use_unicode: bool = True
         self._get_warnings: bool = False
@@ -724,10 +730,15 @@ def config(self, **kwargs: Any) -> None:
         if self._unix_socket and os.name == "posix":
             self._ssl_disabled = True
 
-        if self._ssl_disabled and self._auth_plugin == "mysql_clear_password":
-            raise InterfaceError(
-                "Clear password authentication is not supported over insecure channels"
-            )
+        if self._ssl_disabled:
+            if self._auth_plugin == "mysql_clear_password":
+                raise InterfaceError(
+                    "Clear password authentication is not supported over insecure channels"
+                )
+            if self._auth_plugin == "authentication_openid_connect_client":
+                raise InterfaceError(
+                    "OpenID Connect authentication is not supported over insecure channels"
+                )
 
         if set_ssl_flag:
             if "verify_cert" not in self._ssl:
@@ -822,22 +833,38 @@ def config(self, **kwargs: Any) -> None:
             self._krb_service_principal = config["krb_service_principal"]
             if not isinstance(self._krb_service_principal, str):
                 raise InterfaceError(
-                    KRB_SERVICE_PINCIPAL_ERROR.format(error="is not a string")
+                    KRB_SERVICE_PRINCIPAL_ERROR.format(error="is not a string")
                 )
             if self._krb_service_principal == "":
                 raise InterfaceError(
-                    KRB_SERVICE_PINCIPAL_ERROR.format(
+                    KRB_SERVICE_PRINCIPAL_ERROR.format(
                         error="can not be an empty string"
                     )
                 )
             if "/" not in self._krb_service_principal:
                 raise InterfaceError(
-                    KRB_SERVICE_PINCIPAL_ERROR.format(error="is incorrectly formatted")
+                    KRB_SERVICE_PRINCIPAL_ERROR.format(error="is incorrectly formatted")
                 )
 
         if self._webauthn_callback:
             self._validate_callable("webauth_callback", self._webauthn_callback, 1)
 
+        if config.get("openid_token_file") is not None:
+            self._openid_token_file = config["openid_token_file"]
+            if not isinstance(self._openid_token_file, str):
+                raise InterfaceError(
+                    OPENID_TOKEN_FILE_ERROR.format(error="is not a string")
+                )
+            if self._openid_token_file == "":
+                raise InterfaceError(
+                    OPENID_TOKEN_FILE_ERROR.format(error="cannot be an empty string")
+                )
+            if not os.path.exists(self._openid_token_file):
+                raise InterfaceError(
+                    f"The path '{self._openid_token_file}' provided via 'openid_token_file' "
+                    "does not exist"
+                )
+
     def _add_default_conn_attrs(self) -> None:
         """Adds the default connection attributes."""
 
@@ -2036,6 +2063,7 @@ def cmd_change_user(
         password3: str = "",
         oci_config_file: str = "",
         oci_config_profile: str = "",
+        openid_token_file: str = "",
     ) -> Optional[Dict[str, Any]]:
         """Changes the current logged in user.
 
@@ -2055,6 +2083,7 @@ def cmd_change_user(
             password3: New account's password factor 3.
             oci_config_file: OCI configuration file location (path-like string).
             oci_config_profile: OCI configuration profile location (path-like string).
+            openid_token_file: OpenID Connect token file location (path-like string).
 
         Returns:
             ok_packet: Dictionary containing the OK packet information.
 
@@ -65,8 +65,9 @@
 
 from ..abstracts import (
     DUPLICATED_IN_LIST_ERROR,
-    KRB_SERVICE_PINCIPAL_ERROR,
+    KRB_SERVICE_PRINCIPAL_ERROR,
     MYSQL_PY_TYPES,
+    OPENID_TOKEN_FILE_ERROR,
     TLS_V1_3_SUPPORTED,
     TLS_VER_NO_SUPPORTED,
     TLS_VERSION_ERROR,
@@ -183,6 +184,7 @@ def __init__(
         raw: bool = False,
         kerberos_auth_mode: Optional[str] = None,
         krb_service_principal: Optional[str] = None,
+        openid_token_file: Optional[str] = None,
         webauthn_callback: Optional[Union[str, Callable[[str], None]]] = None,
         allow_local_infile: bool = DEFAULT_CONFIGURATION["allow_local_infile"],
         allow_local_infile_in_path: Optional[str] = DEFAULT_CONFIGURATION[
@@ -260,6 +262,7 @@ def __init__(
         self._converter_str_fallback: bool = converter_str_fallback
         self._kerberos_auth_mode: Optional[str] = kerberos_auth_mode
         self._krb_service_principal: Optional[str] = krb_service_principal
+        self._openid_token_file: Optional[str] = openid_token_file
         self._allow_local_infile: bool = allow_local_infile
         self._allow_local_infile_in_path: Optional[str] = allow_local_infile_in_path
         self._get_warnings: bool = get_warnings
@@ -329,11 +332,16 @@ def _validate_connection_options(self) -> None:
         if self._unix_socket and os.name == "posix":
             self._ssl_disabled = True
 
-        if self._ssl_disabled and self._auth_plugin == "mysql_clear_password":
-            raise InterfaceError(
-                "Clear password authentication is not supported over insecure "
-                " channels"
-            )
+        if self._ssl_disabled:
+            if self._auth_plugin == "mysql_clear_password":
+                raise InterfaceError(
+                    "Clear password authentication is not supported over insecure "
+                    " channels"
+                )
+            if self._auth_plugin == "authentication_openid_connect_client":
+                raise InterfaceError(
+                    "OpenID Connect authentication is not supported over insecure channels"
+                )
 
         if not isinstance(self._port, int):
             raise InterfaceError("TCP/IP port number should be an integer")
@@ -414,22 +422,37 @@ def _validate_connection_options(self) -> None:
         if self._krb_service_principal:
             if not isinstance(self._krb_service_principal, str):
                 raise InterfaceError(
-                    KRB_SERVICE_PINCIPAL_ERROR.format(error="is not a string")
+                    KRB_SERVICE_PRINCIPAL_ERROR.format(error="is not a string")
                 )
             if self._krb_service_principal == "":
                 raise InterfaceError(
-                    KRB_SERVICE_PINCIPAL_ERROR.format(
+                    KRB_SERVICE_PRINCIPAL_ERROR.format(
                         error="can not be an empty string"
                     )
                 )
             if "/" not in self._krb_service_principal:
                 raise InterfaceError(
-                    KRB_SERVICE_PINCIPAL_ERROR.format(error="is incorrectly formatted")
+                    KRB_SERVICE_PRINCIPAL_ERROR.format(error="is incorrectly formatted")
                 )
 
         if self._webauthn_callback:
             self._validate_callable("webauth_callback", self._webauthn_callback, 1)
 
+        if self._openid_token_file:
+            if not isinstance(self._openid_token_file, str):
+                raise InterfaceError(
+                    OPENID_TOKEN_FILE_ERROR.format(error="is not a string")
+                )
+            if self._openid_token_file == "":
+                raise InterfaceError(
+                    OPENID_TOKEN_FILE_ERROR.format(error="cannot be an empty string")
+                )
+            if not os.path.exists(self._openid_token_file):
+                raise InterfaceError(
+                    f"The path '{self._openid_token_file}' provided via 'openid_token_file' "
+                    "does not exist"
+                )
+
     def _validate_tls_ciphersuites(self) -> None:
         """Validates the tls_ciphersuites option."""
         tls_ciphersuites = []
@@ -1569,6 +1592,7 @@ async def cmd_change_user(
         password3: str = "",
         oci_config_file: str = "",
         oci_config_profile: str = "",
+        openid_token_file: str = "",
     ) -> Optional[OkPacketType]:
         """Changes the current logged in user.
 
@@ -1588,6 +1612,7 @@ async def cmd_change_user(
             password3: New account's password factor 3.
             oci_config_file: OCI configuration file location (path-like string).
             oci_config_profile: OCI configuration profile location (path-like string).
+            openid_token_file: OpenID Connect token file location (path-like string).
 
         Returns:
             ok_packet: Dictionary containing the OK packet information.
 
@@ -32,8 +32,6 @@
 
 __all__ = ["MySQLAuthenticator"]
 
-import copy
-
 from typing import TYPE_CHECKING, Any, Dict, Optional
 
 from ..errors import InterfaceError, NotSupportedError, get_exception
@@ -89,6 +87,10 @@ def plugin_config(self) -> Dict[str, Any]:
         """
         return self._plugin_config
 
+    def update_plugin_config(self, config: Dict[str, Any]) -> None:
+        """Update the 'plugin_config' instance variable"""
+        self._plugin_config.update(config)
+
     def _switch_auth_strategy(
         self,
         new_strategy_name: str,
@@ -243,12 +245,12 @@ async def authenticate(
         database: Optional[str] = None,
         charset: int = DEFAULT_CHARSET_ID,
         client_flags: int = 0,
+        ssl_enabled: bool = False,
         max_allowed_packet: int = DEFAULT_MAX_ALLOWED_PACKET,
         auth_plugin: Optional[str] = None,
         auth_plugin_class: Optional[str] = None,
         conn_attrs: Optional[Dict[str, str]] = None,
         is_change_user_request: bool = False,
-        **plugin_config: Any,
     ) -> bytes:
         """Perform the authentication phase.
 
@@ -264,15 +266,13 @@ async def authenticate(
             database: Initial database name for the connection.
             charset: Client charset (see [1]), only the lower 8-bits.
             client_flags: Integer representing client capabilities flags.
+            ssl_enabled: Boolean indicating whether SSL is enabled,
             max_allowed_packet: Maximum packet size.
             auth_plugin: Authorization plugin name.
             auth_plugin_class: Authorization plugin class (has higher precedence
                                than the authorization plugin name).
             conn_attrs: Connection attributes.
             is_change_user_request: Whether is a `change user request` operation or not.
-            plugin_config: Custom configuration to be passed to the auth plugin
-                           when invoked. The parameters defined here will override the
-                           ones defined in the auth plugin itself.
 
         Returns:
             ok_packet: OK packet.
@@ -287,7 +287,7 @@ async def authenticate(
         # update credentials, plugin config and plugin class
         self._username = username
         self._passwords = {1: password1, 2: password2, 3: password3}
-        self._plugin_config = copy.deepcopy(plugin_config)
+        self._ssl_enabled = ssl_enabled
         self._auth_plugin_class = auth_plugin_class
 
         # client's handshake response
 
@@ -242,11 +242,17 @@ async def _do_handshake(self) -> None:
             self._charset = charsets.get_by_collation(self._charset_collation)
 
         if not self._handshake["capabilities"] & ClientFlag.SSL:
-            if self._auth_plugin == "mysql_clear_password" and not self.is_secure:
-                raise InterfaceError(
-                    "Clear password authentication is not supported over "
-                    "insecure channels"
-                )
+            if not self.is_secure:
+                if self._auth_plugin == "mysql_clear_password":
+                    raise InterfaceError(
+                        "Clear password authentication is not supported over "
+                        "insecure channels"
+                    )
+                if self._auth_plugin == "authentication_openid_connect_client":
+                    raise InterfaceError(
+                        "OpenID Connect authentication is not supported over "
+                        "insecure channels"
+                    )
             if self._ssl_verify_cert:
                 raise InterfaceError(
                     "SSL is required but the server doesn't support it",
@@ -316,6 +322,17 @@ async def _do_auth(self) -> None:
             await self._socket.switch_to_ssl(ssl_context)
             self._ssl_active = True
 
+        # Add the custom configurations required by specific auth plugins
+        self._authenticator.update_plugin_config(
+            config={
+                "krb_service_principal": self._krb_service_principal,
+                "oci_config_file": self._oci_config_file,
+                "oci_config_profile": self._oci_config_profile,
+                "webauthn_callback": self._webauthn_callback,
+                "openid_token_file": self._openid_token_file,
+            }
+        )
+
         ok_pkt = await self._authenticator.authenticate(
             sock=self._socket,
             handshake=self._handshake,
@@ -326,13 +343,10 @@ async def _do_auth(self) -> None:
             database=self._database,
             charset=self._charset.charset_id,
             client_flags=self._client_flags,
+            ssl_enabled=self._ssl_active,
             auth_plugin=self._auth_plugin,
             auth_plugin_class=self._auth_plugin_class,
             conn_attrs=self._connection_attrs,
-            krb_service_principal=self._krb_service_principal,
-            oci_config_file=self._oci_config_file,
-            oci_config_profile=self._oci_config_profile,
-            webauthn_callback=self._webauthn_callback,
         )
         self._handle_ok(ok_pkt)
 
@@ -1297,6 +1311,7 @@ async def cmd_change_user(
         password3: str = "",
         oci_config_file: str = "",
         oci_config_profile: str = "",
+        openid_token_file: str = "",
     ) -> Optional[OkPacketType]:
         """Change the current logged in user.
 
@@ -1329,9 +1344,19 @@ async def cmd_change_user(
 
         if oci_config_file:
             self._oci_config_file = oci_config_file
-
+        if openid_token_file:
+            self._openid_token_file = openid_token_file
         self._oci_config_profile = oci_config_profile
 
+        # Update the custom configurations needed by specific auth plugins
+        self._authenticator.update_plugin_config(
+            config={
+                "oci_config_file": self._oci_config_file,
+                "oci_config_profile": self._oci_config_profile,
+                "openid_token_file": self._openid_token_file,
+            }
+        )
+
         ok_packet: bytes = await self._authenticator.authenticate(
             sock=self._socket,
             handshake=self._handshake,
@@ -1345,9 +1370,6 @@ async def cmd_change_user(
             ssl_enabled=self._ssl_active,
             auth_plugin=self._auth_plugin,
             conn_attrs=self._connection_attrs,
-            auth_plugin_class=self._auth_plugin_class,
-            oci_config_file=self._oci_config_file,
-            oci_config_profile=self._oci_config_profile,
             is_change_user_request=True,
         )