feat(sqlalchemy): Add Support for externalAuthentication

[IceS2]

Description

Adds support for the 'externalAuthentication' Trino query URL parameter.

If 'externalAuthentication' is passed on the query arguments:

• Sets 'http_scheme' to 'https'
• Sets 'auth' to OAuth2Authentication()

Non-technical explanation

It allows to use SQLAlchemy with OAuth2Authentication.

Release notes

( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
( x ) Release notes are required, with the following suggested text:

* Add support to 'externalAuthentication' SQLAlchemy URL parameter.  ({issue}`#343`)

closes #343

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[IceS2]

CLA should be good to go (=

[hovaesco]

I understand that it's aligning with JDBC driver, but you can simply pass "auth": OAuth2Authentication() in connect_args.

[IceS2]

That's what I've been doing when using the client directly. But I've been running into an issue passing it as a class when trying to use it from some other projects such as ipython-sql.
Eventually I found out that ipython-sql allows you to actually pass the -creator parameter to bypass the configuration by sending a connection straight away but it'd be great if it would work without this workaround.

[hashhar]

Do we have good behaviour when someone has externalAuthentication in URI and has explicitly set a different auth mechanism? What takes precedence? I'd like to avoid this situation of having multiple ways of configuring something since it leads to more combination of things to test and edge cases to think about.

[IceS2]

Hey @hashhar, I have similar feelings to be honest. I just extended the way it's being done for SQLAlchemy URIs (It's already done this way for Basic Authentication, JWT Authentication and Cert Authentication).

I think it makes sense to align with the JDBC driver and have this for SQLAlchemy... If the user passes multiple Auth Methods I think it's on the user side to be honest, but I guess it could be improved by validating if they did this somehow (checking the query args and connect_args)

[hovaesco]

This validation seems useful but out of scope of this PR because it needs to apply to other auth methods as outlined above.

[IceS2]

You mean validating if the user passes multiple auth methods?

So you think it'd be fine to keep that responsibility on the user side so far? I'd be fine with it (=

[hovaesco]

This validation seems useful but out of scope of this PR because it needs to apply to other auth methods as outlined above.

[hashhar]

@cla-bot check

[cla-bot]

The cla-bot has been summoned, and re-checked this pull request!

[esemeniuc]

merge?

[hashhar]

Sorry for forgetting to come back to this. I'll just squash the commits and then merge this.

Thanks for your work @esemeniuc.

[hashhar]

Squashed the commits + reworded commit msg, will merge once CI is finished.

[hashhar]

Sorry this ended up waiting so long @IceS2.

We plan a release today/tomorrow and will announce on the #python-client on the Trino Slack.

[IceS2]

Sorry this ended up waiting so long @IceS2.

We plan a release today/tomorrow and will announce on the #python-client on the Trino Slack.

Hey! Don't worry (=
I know sometimes it takes time! I'm glad I could collaborate a bit with you folks o/