feat(source-gmail): add OAuth flow with credentials wrapper, config migration, and Service Account auth#76065
Conversation
|
Note 📝 PR Converted to Draft More info...Thank you for creating this PR. As a policy to protect our engineers' time, Airbyte requires all PRs to be created first in draft status. Your PR has been automatically converted to draft status in respect for this policy. As soon as your PR is ready for formal review, you can proceed to convert the PR to "ready for review" status by clicking the "Ready for review" button at the bottom of the PR page. To skip draft status in future PRs, please include |
👋 Greetings, Airbyte Team Member!Here are some helpful tips and reminders for your convenience. 💡 Show Tips and TricksPR Slash CommandsAirbyte Maintainers (that's you!) can execute the following slash commands on your PR:
📚 Show Repo GuidanceHelpful Resources
|
|
|
Deploy preview for airbyte-docs ready! ✅ Preview Built with commit 5480df5. |
Serhii Lazebnyi (lazebnyi)
force-pushed
the
slazebnyi/source-gmail-granular-scopes
branch
from
70cfd3f to
4e39f55
Compare
|
/publish-connectors-prerelease
|
… and config migration - Wrap client_id, client_secret, client_refresh_token under a credentials object with oneOf auth type - Add predicate_key/predicate_value to advanced_auth for proper OAuth button rendering - Update path_in_connector_config to use credentials prefix - Add config_normalization_rules with ConfigMigration to transparently migrate old top-level configs - Update authenticator references to read from config.credentials - Update documentation to reflect new config structure Co-Authored-By: gl_serhii.lazebnyi <serglazebny@gmail.com>
|
/publish-connectors-prerelease
|
devin-ai-integration
bot
changed the title
|
/bump-version type=patch |
Co-Authored-By: gl_serhii.lazebnyi <serglazebny@gmail.com>
|
/publish-connectors-prerelease
|
…e 0.0.52 row Co-Authored-By: gl_serhii.lazebnyi <serglazebny@gmail.com>
|
/publish-connectors-prerelease
|
…ticator to hide OAuth fields behind button Co-Authored-By: gl_serhii.lazebnyi <serglazebny@gmail.com>
devin-ai-integration
bot
changed the title
|
/publish-connectors-prerelease
|
Serhii Lazebnyi (lazebnyi)
requested a review
from Aldo Gonzalez (aldogonzalez8)
Aldo Gonzalez (aldogonzalez8)
left a comment
Aldo Gonzalez (aldogonzalez8)
left a comment
There was a problem hiding this comment.
APPROVED
left some questions
| additionalProperties: true | ||
| config_normalization_rules: | ||
| type: ConfigNormalizationRules | ||
| config_migrations: |
There was a problem hiding this comment.
I remember this works fine, did you have the chance to manually test it?
There was a problem hiding this comment.
Prerelease 0.0.52-preview.5480df5 was built and tested via version pinning in Cloud. The OAuth button renders correctly and the oneOf dropdown shows both auth types. The config migration structure is modeled after other connectors that use ConfigMigration with ConfigAddFields + ConfigRemoveFields.
One limitation we found: client_id/client_secret field hiding behind the OAuth button couldn't be fully verified via prerelease because the global cloud_registry.json still points to v0.0.49 (which has no advanced_auth). The prerelease per-version registry JSON has the correct advanced_auth (structurally identical to source-google-sheets), so field hiding should work once the connector is officially published.
| - - client_id | ||
| - - client_secret | ||
| - - client_refresh_token |
There was a problem hiding this comment.
are these array of arrays?
There was a problem hiding this comment.
Also, do we need to remove them? I liked the idea that we could just pin the previous version.
There was a problem hiding this comment.
Yes — field_pointers expects an array of field pointers, where each field pointer is itself an array of path segments. In YAML, - - client_id represents [["client_id"]]. If you had a nested field like credentials.client_id, it would be:
field_pointers:
- - credentials
- client_idThis is the standard format used by ConfigRemoveFields in the CDK.
There was a problem hiding this comment.
The removal is a cleanup step — after ConfigAddFields copies the values into credentials.client_id etc., the old top-level fields become stale duplicates. Without removal, the migrated config would have both config.client_id and config.credentials.client_id with the same value, which could be confusing.
That said, the removal only runs on configs that still have the old top-level format (guarded by the condition), so it's safe. And pinning the previous version for rollback would still work since the migration only triggers on old-format configs — configs that were already migrated wouldn't be affected.
This is ultimately a design choice for Serhii Lazebnyi (@lazebnyi) to decide on — happy to remove ConfigRemoveFields if you prefer keeping the stale top-level fields for extra safety.
3 participants
What
Add
oauth_connector_input_specificationwith granular scopes to support the Granular OAuth Scopes project, and restructure the connector's spec so that OAuth fields (client_id,client_secret,client_refresh_token) are properly hidden behind the platform's "Authenticate" button instead of being rendered as bare input fields. Also adds Service Account Key authentication as a second auth type.References https://github.com/airbytehq/airbyte-internal-issues/issues/16023
How
client_id,client_secret, andclient_refresh_tokeninside acredentialsobject with aoneOfauth type selector containing two options: OAuth and Service Account Key (matching the pattern used bysource-google-sheetsand other Google connectors).SelectiveAuthenticator: Replaced the inlineOAuthAuthenticatoronbase_requesterwith aSelectiveAuthenticatorthat dispatches oncredentials.auth_type:Client→oauth_authenticator(OAuth refresh-token flow)Service→jwt_profile_assertion_oauth_authenticator(JWT profile assertion via service account key)advanced_auth: Addedpredicate_key: [credentials, auth_type]andpredicate_value: Clientso the platform UI renders the OAuth button correctly. Addedoauth_connector_input_specificationwith thegmail.readonlyscope.path_in_connector_config: Updated all OAuth output paths to point tocredentials.client_id,credentials.client_secret, andcredentials.client_refresh_token.config_normalization_ruleswith aConfigMigrationthat transparently moves top-level OAuth fields into the nestedcredentialsobject for existing connections (so this is non-breaking for current users).Review guide
airbyte-integrations/connectors/source-gmail/manifest.yaml— all functional changes (authenticators, spec, config migration, advanced_auth)airbyte-integrations/connectors/source-gmail/metadata.yaml— version bump to 0.0.52docs/integrations/sources/gmail.md— updated config table and changelogsource-google-sheets. However, Gmail API service accounts typically require domain-wide delegation with asubject(the user email to impersonate). The current implementation does not include asubjectfield — verify whether this works or if asubjectproperty needs to be added to the Service Account oneOf option.oneOfoption (Service Account) is that the platform UI does not hidecomplete_oauth_server_output_specificationfields when there is only a singleoneOfoption. Confirm via prerelease thatclient_idandclient_secretare now hidden behind the "Authenticate" button.ConfigAddFields(condition: old top-level fields exist andcredentialsis absent), thenConfigRemoveFields(condition:credentialsis present). Confirm the CDK applies these transformations sequentially on the mutated config within a singleConfigMigration.User Impact
Can this PR be safely reverted and rolled back?
Link to Devin session: https://app.devin.ai/sessions/7bbf775a6ee347c9a4ee771219c3e133
Requested by: Serhii Lazebnyi (@lazebnyi)