feat(experimentalIdentityAndAuth): enable identity and auth by default

`experimentalIdentityAndAuth` behavior is now the default auth behavior.

The `experimentalIdentityAndAuth` flag is now oppositely replaced with
`useLegacyAuth`, which enables legacy auth behavior for backward
compatibility concerns.

Author: Steven Yuan

.changeset/four-cougars-collect.md

@@ -0,0 +1,2 @@
+---
+---

CONTRIBUTING.md

@@ -30,7 +30,7 @@ under development:
 
 Experimental Feature | Flag                          | Description
 ---------------------|-------------------------------|------------
-Identity & Auth      | `experimentalIdentityAndAuth` | Standardize identity and auth integrations to match the Smithy specification (see [Authentication Traits](https://smithy.io/2.0/spec/authentication-traits.html)). Newer capabilities include support for multiple auth schemes, `@optionalAuth`, and standardized identity interfaces for authentication schemes both in code generation and TypeScript packages. In `smithy-typescript`, `@httpApiKeyAuth` will be updated to use the new standardized interfaces. In `aws-sdk-js-v3` (`smithy-typescript`'s largest customer), this will affect `@aws.auth#sigv4` and `@httpBearerAuth` implementations, but is planned to be completely backwards-compatible.
+N/A                  | N/A                           | N/A
 
 ## Reporting Bugs/Feature Requests
 

README.md

@@ -197,7 +197,7 @@ By default, the Smithy TypeScript code generators provide the code generation fr
 |`private`|No|Whether the package is `private` in `package.json`. The default value is `false`.|
 |`requiredMemberMode`|No|**NOT RECOMMENDED DUE TO BACKWARD COMPATIBILITY CONCERNS.** Sets whether members marked with the `@required` trait are allowed to be `undefined`. See more details on the risks in `TypeScriptSettings.RequiredMemberMode`. The default value is `nullable`.|
 |`createDefaultReadme`|No|Whether to generate a default `README.md` for the package. The default value is `false`.|
-|`experimentalIdentityAndAuth`|No|Experimental feature that standardizes identity and auth integrations to match the Smithy specification (see [Authentication Traits](https://smithy.io/2.0/spec/authentication-traits.html)). See [the experimental features section for more details](CONTRIBUTING.md#experimental-features).|
+|`useLegacyAuth`|No|**NOT RECOMMENDED, AVAILABLE ONLY FOR BACKWARD COMPATIBILITY CONCERNS.** Flag that enables using legacy auth. When in doubt, use the default identity and auth behavior (not configuring `useLegacyAuth`) as the golden path.|
 
 #### `typescript-client-codegen` plugin artifacts
 

packages/experimental-identity-and-auth/src/integration/httpApiKeyAuth.integ.spec.ts

@@ -7,7 +7,7 @@ import {
 import { requireRequestsFrom } from "@smithy/util-test";
 
 describe("@httpApiKeyAuth integration tests", () => {
-  // TODO(experimentalIdentityAndAuth): should match `HttpApiKeyAuthService` `@httpApiKeyAuth` trait
+  // Match `HttpApiKeyAuthService` `@httpApiKeyAuth` trait
   const MOCK_API_KEY_NAME = "Authorization";
   const MOCK_API_KEY_SCHEME = "ApiKey";
   const MOCK_API_KEY = "APIKEY_123";

scripts/build-generated-test-packages.js

@@ -37,10 +37,10 @@ const releasedClientDir = path.join(
     "typescript-codegen"
 );
 
-// TODO(experimentalIdentityAndAuth): build generic client for integration tests
-const weatherExperimentalIdentityAndAuthClientDir = path.join(
+// Build generic legacy auth client for integration tests
+const weatherLegacyAuthClientDir = path.join(
     codegenTestDir,
-    "client-experimental-identity-and-auth",
+    "client-legacy-auth",
     "typescript-client-codegen"
 );
 
@@ -50,14 +50,14 @@ const weatherSsdkDir = path.join(
     "typescript-server-codegen"
 )
 
-// TODO(experimentalIdentityAndAuth): add `@httpApiKeyAuth` client for integration tests
+// Build `@httpApiKeyAuth` client for integration tests
 const httpApiKeyAuthClientDir = path.join(
     codegenTestDir,
     "identity-and-auth-http-api-key-auth",
     "typescript-client-codegen"
 );
 
-// TODO(experimentalIdentityAndAuth): add `@httpBearerAuth` client for integration tests
+// Build `@httpBearerAuth` client for integration tests
 const httpBearerAuthClientDir = path.join(
     codegenTestDir,
     "identity-and-auth-http-bearer-auth",
@@ -94,11 +94,8 @@ const buildAndCopyToNodeModules = async (packageName, codegenDir, nodeModulesDir
 (async () => {
   await buildAndCopyToNodeModules("weather", weatherClientDir, nodeModulesDir);
   await buildAndCopyToNodeModules("weather-ssdk", weatherSsdkDir, nodeModulesDir);
-  // TODO(experimentalIdentityAndAuth): build generic client for integration tests
-  await buildAndCopyToNodeModules("@smithy/weather-experimental-identity-and-auth", weatherExperimentalIdentityAndAuthClientDir, nodeModulesDir);
-  // TODO(experimentalIdentityAndAuth): add `@httpApiKeyAuth` client for integration tests
+  await buildAndCopyToNodeModules("@smithy/weather-legacy-auth", weatherLegacyAuthClientDir, nodeModulesDir);
   await buildAndCopyToNodeModules("@smithy/identity-and-auth-http-api-key-auth-service", httpApiKeyAuthClientDir, nodeModulesDir);
-  // TODO(experimentalIdentityAndAuth): add `@httpBearerAuth` client for integration tests
   await buildAndCopyToNodeModules("@smithy/identity-and-auth-http-bearer-auth-service", httpBearerAuthClientDir, nodeModulesDir);
   // TODO(released-version-test): Test released version of smithy-typescript codegenerators, but currently is not working
   // await buildAndCopyToNodeModules("released", releasedClientDir, undefined);

smithy-typescript-codegen-test/example-weather-customizations/src/main/java/example/weather/SupportWeatherSigV4Auth.java

@@ -0,0 +1,133 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package example.weather;
+
+import java.util.Optional;
+import java.util.function.Consumer;
+import software.amazon.smithy.codegen.core.Symbol;
+import software.amazon.smithy.codegen.core.SymbolReference;
+import software.amazon.smithy.model.shapes.ShapeId;
+import software.amazon.smithy.typescript.codegen.ApplicationProtocol;
+import software.amazon.smithy.typescript.codegen.LanguageTarget;
+import software.amazon.smithy.typescript.codegen.TypeScriptDependency;
+import software.amazon.smithy.typescript.codegen.TypeScriptSettings;
+import software.amazon.smithy.typescript.codegen.TypeScriptWriter;
+import software.amazon.smithy.typescript.codegen.auth.http.ConfigField;
+import software.amazon.smithy.typescript.codegen.auth.http.HttpAuthOptionProperty;
+import software.amazon.smithy.typescript.codegen.auth.http.HttpAuthScheme;
+import software.amazon.smithy.typescript.codegen.auth.http.HttpAuthSchemeParameter;
+import software.amazon.smithy.typescript.codegen.auth.http.integration.HttpAuthTypeScriptIntegration;
+import software.amazon.smithy.utils.SmithyInternalApi;
+
+@SmithyInternalApi
+public final class SupportWeatherSigV4Auth implements HttpAuthTypeScriptIntegration {
+    static final Symbol AWS_CREDENTIAL_IDENTITY = Symbol.builder()
+        .name("AwsCredentialIdentity")
+        .namespace(TypeScriptDependency.SMITHY_TYPES.getPackageName(), "/")
+        .addDependency(TypeScriptDependency.SMITHY_TYPES)
+        .build();
+    static final Symbol AWS_CREDENTIAL_IDENTITY_PROVIDER = Symbol.builder()
+        .name("AwsCredentialIdentityProvider")
+        .namespace(TypeScriptDependency.SMITHY_TYPES.getPackageName(), "/")
+        .addDependency(TypeScriptDependency.SMITHY_TYPES)
+        .build();
+    static final ConfigField CREDENTIALS_CONFIG_FIELD = ConfigField.builder()
+        .name("credentials")
+        .type(ConfigField.Type.MAIN)
+        .docs(w -> w.write("The credentials used to sign requests."))
+        .inputType(Symbol.builder()
+            .name("AwsCredentialIdentity | AwsCredentialIdentityProvider")
+            .addReference(AWS_CREDENTIAL_IDENTITY)
+            .addReference(AWS_CREDENTIAL_IDENTITY_PROVIDER)
+            .build())
+        .resolvedType(Symbol.builder()
+            .name("AwsCredentialIdentityProvider")
+            .addReference(AWS_CREDENTIAL_IDENTITY)
+            .addReference(AWS_CREDENTIAL_IDENTITY_PROVIDER)
+            .build())
+        .configFieldWriter(ConfigField::defaultMainConfigFieldWriter)
+        .build();
+    private static final Consumer<TypeScriptWriter> AWS_SIGV4_AUTH_SIGNER = w -> {
+        w.addDependency(TypeScriptDependency.EXPERIMENTAL_IDENTITY_AND_AUTH);
+        w.addImport("SigV4Signer", null, TypeScriptDependency.EXPERIMENTAL_IDENTITY_AND_AUTH);
+        w.write("new SigV4Signer()");
+    };
+    private static final SymbolReference PROVIDER = SymbolReference.builder()
+        .symbol(Symbol.builder()
+            .name("Provider")
+            .namespace(TypeScriptDependency.SMITHY_TYPES.getPackageName(), "/")
+            .addDependency(TypeScriptDependency.SMITHY_TYPES)
+            .build())
+        .alias("__Provider")
+        .build();
+
+    @Override
+    public boolean matchesSettings(TypeScriptSettings settings) {
+        return !settings.useLegacyAuth();
+    }
+
+    @Override
+    public Optional<HttpAuthScheme> getHttpAuthScheme() {
+        return Optional.of(HttpAuthScheme.builder()
+                .schemeId(ShapeId.from("aws.auth#sigv4"))
+                .applicationProtocol(ApplicationProtocol.createDefaultHttpApplicationProtocol())
+                .putDefaultSigner(LanguageTarget.SHARED, AWS_SIGV4_AUTH_SIGNER)
+                .addConfigField(CREDENTIALS_CONFIG_FIELD)
+                .addConfigField(ConfigField.builder()
+                    .name("region")
+                    .type(ConfigField.Type.AUXILIARY)
+                    .docs(w -> w.write("The AWS region to which this client will send requests."))
+                    .inputType(Symbol.builder()
+                        .name("string | __Provider<string>")
+                        .addReference(PROVIDER)
+                        .build())
+                    .resolvedType(Symbol.builder()
+                        .name("__Provider<string>")
+                        .addReference(PROVIDER)
+                        .build())
+                    .configFieldWriter(ConfigField::defaultAuxiliaryConfigFieldWriter)
+                    .build())
+                .addHttpAuthSchemeParameter(HttpAuthSchemeParameter.builder()
+                    .name("region")
+                    .type(w -> w.write("string"))
+                    .source(w -> {
+                        w.addDependency(TypeScriptDependency.UTIL_MIDDLEWARE);
+                        w.addImport("normalizeProvider", null, TypeScriptDependency.UTIL_MIDDLEWARE);
+                        w.openBlock("await normalizeProvider(config.region)() || (() => {", "})()", () -> {
+                            w.write("throw new Error(\"expected `region` to be configured for `aws.auth#sigv4`\");");
+                        });
+                    })
+                    .build())
+                .addHttpAuthOptionProperty(HttpAuthOptionProperty.builder()
+                    .name("name")
+                    .type(HttpAuthOptionProperty.Type.SIGNING)
+                    .source(s -> w -> {
+                        w.write("$S", s.trait().toNode().expectObjectNode().getMember("name"));
+                    })
+                    .build())
+                .addHttpAuthOptionProperty(HttpAuthOptionProperty.builder()
+                    .name("region")
+                    .type(HttpAuthOptionProperty.Type.SIGNING)
+                    .source(t -> w -> {
+                        w.write("authParameters.region");
+                    })
+                    .build())
+                .propertiesExtractor(s -> w -> w
+                    .write("""
+                        (config, context) => {
+                          return {
+                            /**
+                             * @internal
+                             */
+                            signingProperties: {
+                              ...config,
+                              ...context,
+                            },
+                          };
+                        },"""))
+                .build());
+    }
+}

smithy-typescript-codegen-test/example-weather-customizations/src/main/resources/META-INF/services/software.amazon.smithy.typescript.codegen.integration.TypeScriptIntegration

@@ -1 +1,2 @@
 example.weather.ExampleWeatherCustomEndpointsRuntimeConfig
+example.weather.SupportWeatherSigV4Auth

smithy-typescript-codegen-test/model/weather/main.smithy

@@ -34,7 +34,7 @@ service Weather {
         GetCurrentTime
         // util-stream.integ.spec.ts
         Invoke
-        // experimentalIdentityAndAuth
+        // Identity and Auth
         OnlyHttpApiKeyAuth
         OnlyHttpApiKeyAuthOptional
         OnlyHttpBearerAuth

smithy-typescript-codegen-test/smithy-build.json

@@ -29,7 +29,7 @@
                 }
             }
         },
-        "client-experimental-identity-and-auth": {
+        "client-identity-and-auth": {
             "transforms": [
                 {
                     "name": "includeServices",
@@ -41,17 +41,16 @@
             "plugins": {
                 "typescript-client-codegen": {
                     "service": "example.weather#Weather",
-                    "package": "@smithy/weather-experimental-identity-and-auth",
+                    "package": "weather",
                     "packageVersion": "0.0.1",
                     "packageJson": {
                         "license": "Apache-2.0",
                         "private": true
-                    },
-                    "experimentalIdentityAndAuth": true
+                    }
                 }
             }
         },
-        "control-experimental-identity-and-auth": {
+        "client-legacy-auth": {
             "transforms": [
                 {
                     "name": "includeServices",
@@ -63,12 +62,13 @@
             "plugins": {
                 "typescript-client-codegen": {
                     "service": "example.weather#Weather",
-                    "package": "weather",
+                    "package": "@smithy/weather-legacy-auth",
                     "packageVersion": "0.0.1",
                     "packageJson": {
                         "license": "Apache-2.0",
                         "private": true
-                    }
+                    },
+                    "useLegacyAuth": true
                 }
             }
         },
@@ -89,8 +89,7 @@
                     "packageJson": {
                         "license": "Apache-2.0",
                         "private": true
-                    },
-                    "experimentalIdentityAndAuth": true
+                    }
                 }
             }
         },
@@ -111,8 +110,7 @@
                     "packageJson": {
                         "license": "Apache-2.0",
                         "private": true
-                    },
-                    "experimentalIdentityAndAuth": true
+                    }
                 }
             }
         }

smithy-typescript-codegen/src/main/java/software/amazon/smithy/typescript/codegen/DirectedTypeScriptCodegen.java

@@ -241,9 +241,7 @@ private void generateClient(GenerateServiceDirective<TypeScriptCodegenContext, T
         delegator.useShapeWriter(service, writer -> new ServiceBareBonesClientGenerator(
                 settings, model, symbolProvider, writer, integrations, runtimePlugins, applicationProtocol).run());
 
-        if (directive.settings().getExperimentalIdentityAndAuth()) {
-            // feat(experimentalIdentityAndAuth): allow configuring custom HttpAuthSchemeProviderGenerator
-            LOGGER.fine("experimentalIdentityAndAuth: Generating auth scheme resolver");
+        if (!directive.settings().useLegacyAuth()) {
             new HttpAuthSchemeProviderGenerator(
                 delegator,
                 settings,

smithy-typescript-codegen/src/main/java/software/amazon/smithy/typescript/codegen/RuntimeConfigGenerator.java

@@ -195,10 +195,9 @@ void generate(LanguageTarget target) {
                         integration.getRuntimeConfigWriters(settings, model, symbolProvider, target)
                     );
                 }
-                // feat(experimentalIdentityAndAuth): add config writers for httpAuthScheme and httpAuthSchemes
                 // Needs a separate integration point since not all the information is accessible in
                 // {@link TypeScriptIntegration#getRuntimeConfigWriters()}
-                if (applicationProtocol.isHttpProtocol() && settings.getExperimentalIdentityAndAuth()) {
+                if (applicationProtocol.isHttpProtocol() && !settings.useLegacyAuth()) {
                     generateHttpAuthSchemeConfig(configs, writer, target);
                 }
                 int indentation = target.equals(LanguageTarget.SHARED) ? 1 : 2;
@@ -229,7 +228,6 @@ private void generateHttpAuthSchemeConfig(
     ) {
         SupportedHttpAuthSchemesIndex authIndex = new SupportedHttpAuthSchemesIndex(integrations, model, settings);
 
-        // feat(experimentalIdentityAndAuth): write the default imported HttpAuthSchemeProvider
         if (target.equals(LanguageTarget.SHARED)) {
             configs.put("httpAuthSchemeProvider", w -> {
                 w.write("$T", Symbol.builder()
@@ -241,7 +239,6 @@ private void generateHttpAuthSchemeConfig(
             });
         }
 
-        // feat(experimentalIdentityAndAuth): gather HttpAuthSchemes to generate
         ServiceIndex serviceIndex = ServiceIndex.of(model);
         TopDownIndex topDownIndex = TopDownIndex.of(model);
         Map<ShapeId, HttpAuthScheme> allEffectiveHttpAuthSchemes =
@@ -268,7 +265,6 @@ private void generateHttpAuthSchemeConfig(
             return;
         }
 
-        // feat(experimentalIdentityAndAuth): write the default httpAuthSchemes
         configs.put("httpAuthSchemes", w -> {
             w.addDependency(TypeScriptDependency.SMITHY_TYPES);
             w.addImport("IdentityProviderConfig", null, TypeScriptDependency.SMITHY_TYPES);

smithy-typescript-codegen/src/main/java/software/amazon/smithy/typescript/codegen/TypeScriptDependency.java

@@ -124,7 +124,6 @@ public enum TypeScriptDependency implements Dependency {
     // Conditionally added when @aws.auth#sigv4 is used
     SIGNATURE_V4("dependencies", "@smithy/signature-v4", false),
 
-    // feat(experimentalIdentityAndAuth): Conditionally added dependencies for `experimentalIdentityAndAuth`.
     // This package should never have a major version, and should only use minor and patch versions in development.
     // Exports are located between @smithy/types and @smithy/core
     @Deprecated EXPERIMENTAL_IDENTITY_AND_AUTH("dependencies", "@smithy/experimental-identity-and-auth", false),