Add OAuth support for CLI extensions

[stephanos]

What was changed

Redo of #886.

Adding:

1. ability to code-gen just options-sets
2. ability to reference option-sets across codegen YAML input files
3. shared CommonOptions and ClientOptions generated for cliext
4. ClientOptionsBuilder for building client dial options
5. integration of OAuth token into client dial options (plus integration tests)
6. StoreClientOAuthOptions and LoadClientOAuth for oauth config
7. NewLogger helper for creating a new logger from flags

Why?

To make OAuth a first-class authentication mechanism in the Temporal CLI and CLI extensions.

Checklist

1. Closes

2. How was this tested:

9. Any docs updates needed?

[cretz]

Looks great, comments about some detailed things, but the general approach of "external option set" and client config loading and such makes sense.

[cretz]

Pedantic, but If the second parameter isn't really an "options", might as well just put Build as a method on *ClientOptionsBuilder

[cretz]

Isn't namespace already on the options?

[cretz]

Pedantic, but would also consider putting this as a method on the builder (don't even have to have it return a func, can just make the method the func, e.g. func (c *ClientOptionsBuilder) GetOAuthToken(ctx context.Context) (string, error) {, but see comment a couple of lines down above why we'd want some before-anon-func work)

[cretz]

I would have expected oauth2 package to handle expiration, refresh, etc. Is this logic basically what oauth2.ReuseTokenSourceWithExpiry does? I wonder if we even need to provide config/token structs ourselves instead of reusing *oauth2.Config and *oauth2.Token (and documenting which values of those we support for load/store). If we do still want our oauth config structs, IMO we should offer a NewTokenSource() func on *OAuthConfig. This will help with some libraries that want the oauth data types, e.g. https://pkg.go.dev/google.golang.org/grpc/credentials/oauth#TokenSource.

[stephanos]

Good call! I must have missed ReuseTokenSourceWithExpiry.

re OAuthClientConfig and OAuthToken have the benefit of hiding the oauth2 as an implementation detail. Another benefit is that they allow attaching RequestParams which we need for the Cloud CLI (to provide the audience).

But I can also see how NewTokenSource can be useful for integration as you point out. I don't know what weighs more, the benefit of hiding oauth2 as an impl detail or the convenience of exposing it via NewTokenSource().

[cretz]

re OAuthClientConfig and OAuthToken have the benefit of hiding the oauth2 as an implementation detail

Why hide that implementation detail? Not sure any other Go library using OAuth would (e.g. the Go gRPC library). I see code was updated, so not easily seeing where request params is used in current PR, but would have to see how other Go OAuth clients are setting such request params. Definitely can have something like:

type OAuthConfig struct {
	ClientConfig *oauth2.Config
	Token *oauth2.Token
	ClientRequestParams map[string]string
}

[stephanos]

👍 okay, let's expose oauth2, I agree it is simpler and seems to really be the library everyone uses anyway.

re request params: since they are not needed for token refresh, it's just a config field as far as cliext is concerned.

[cretz]

But where are the request params used by cliext code?

[stephanos]

Right; I also just realized that since AFAIK the audience request param is only required during login, we could let Cloud CLI (and other CLIs) deal with that themselves. I still had it here because originally I thought it was required for token refresh or the CLI's auto-login - but both of these aren't true (anymore). I'll remove it.

[cretz]

IMO we should not re-lookup oauth config on each token need, it should be bound to original the loaded configuration. This means long-running CLI commands do not get logged in as maybe another user if the file changes out from under. I'd move this loading part out of to before the func.

[cretz]

Not seeing where this is checking whether oauth is configured

[cretz]

I think it's clearer if the --config-file and --profile flags are not bound to env vars on the flags themselves. IMO they should default to unset and let envconfig resolve them at runtime as the true canonical place for knowing what these are based on environment (in case we want to change that some day).

If a programmatic user needs to know the defaults of these values when the flag is not otherwise specified, we can provide helpers if what we have is not good enough already.

Also, BindFlagEnvVar is a relic of the env days and since envconfig came about in #764, BindFlagEnvVar was reduced to only applying for env. But now that we are exporting some of this functionality, I would be ok just hardcoding the TEMPORAL_ENV env var mapping somewhere and removing the concept of optionContext altogether. And then, at that point, we might as well remove support for the env: in the YAML file.

[stephanos]

👍 on --config-file and --profile
👍 moved out TEMPORAL_ENV and removed optionContext

Regarding implied-env; is that actually used anywhere?

[cretz]

Regarding implied-env; is that actually used anywhere?

That's the only one that's used, it's env: that's basically not used anymore except for the one TEMPORAL_ENV, so now we can probably remove env:. FWIW, env: used to be used in lots of places until envconfig came about and basically took over environment variables except for this one legacy one.

[stephanos]

Right; I've removed env: but I can't see where ImpliedEnv is actually used. I can't see it. My AI coding agent suggested appending it to flag descriptions; I didn't commit it here but it seemed like a good idea.

[stephanos]

^ all moved to cliext/logger.go

[stephanos]

Section where we integrate OAuth into the code that was moved here from temporalcli/client.go

[stephanos]

Now manually binding TEMPORAL_ENV here.

[stephanos]

Removed

[stephanos]

Changed over to ImpliedEnv.

[cretz]

Looking good, I think it's only detail stuff now

[cretz]

I am curious on this, do we think we should be re-persisting this refreshed token to disk? What does tcld do?

[stephanos]

Good callout; the original PR I closed wrote the new access token to disk. It got lost in the reshuffle. I'll need to update that.

[cretz]

Does tcld re-persist?

[stephanos]

Yes, it does: https://github.com/temporalio/tcld/blob/ab73fcc36aede9a87c0ba2a79b4e743a4ef6932b/app/token_config.go#L119-L123

[cretz]

re OAuthClientConfig and OAuthToken have the benefit of hiding the oauth2 as an implementation detail

Why hide that implementation detail? Not sure any other Go library using OAuth would (e.g. the Go gRPC library). I see code was updated, so not easily seeing where request params is used in current PR, but would have to see how other Go OAuth clients are setting such request params. Definitely can have something like:

type OAuthConfig struct {
	ClientConfig *oauth2.Config
	Token *oauth2.Token
	ClientRequestParams map[string]string
}

[cretz]

I don't think this properly accounts for if !common.DisableConfigFile || !common.DisableConfigEnv that the other envconfig loading does above.

Would be ok if we wanted to go ahead and have Go SDK's env config support "additional data" to avoid this double-load for everyone that is doing basic no-auth CLI calls (happens commonly in cases like proxies). But also ok if we want to double load while we wait for that.

[stephanos]

👍 Absolutely; adding that check now. (just for DisableConfigFile since the OAuth cannot be configured via env vars)

[cretz]

Regarding implied-env; is that actually used anywhere?

That's the only one that's used, it's env: that's basically not used anymore except for the one TEMPORAL_ENV, so now we can probably remove env:. FWIW, env: used to be used in lots of places until envconfig came about and basically took over environment variables except for this one legacy one.

[cretz]

Where did implied-env go for config-file and profile? implied-env basically is just documentation/usage help, it has no runtime component.

[stephanos]

👍 it got lost when I moved it, added back