feat: integrate proxy support for REST/gRPC/OIDC and add new OIDC authentication grant

[fer-marino]

This PR introduces comprehensive proxy support for both REST and gRPC communications, as well as for OIDC authentication.

Changes

Features

• Proxy Support: Introduced a new Proxy record to hold proxy configuration (host, port, scheme, and optional credentials).
• Global Configuration: Added a proxy(Proxy) method to the Config builder, allowing users to configure a proxy globally for all client operations.
• New Authentication Method: Added resourceOwnerPasswordCredentials to the Authentication interface, supporting the Resource Owner Password Credentials authorization grant.
• REST Transport Integration: Updated DefaultRestTransport to use the configured proxy with Apache HttpClient 5.
• gRPC Transport Integration: Added proxy support for gRPC communication in DefaultGrpcTransport.
• OIDC Proxy Support: Integrated proxy support into NimbusTokenProvider and OidcUtils, ensuring that OIDC metadata and token requests (fetching and refreshing) correctly respect the proxy settings.

Refactoring

• Improved OIDC Metadata Handling: Refactored OIDC metadata fetching to be more robust and better integrated with the transport layer.

Testing

• New Unit Tests: Added ProxyTest and updated AuthenticationTest to verify proxy integration for both REST requests and OIDC authentication flows (including Resource Owner Password grant).

Verification

• Ran existing and new unit tests to confirm that proxy settings are correctly passed to the underlying transports.
• Verified that OIDC token fetching works through a proxy by mocking the OIDC server responses.
• Confirmed that gRPC communication respects the proxy configuration.

[orca-security-eu]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0   0   0   0	View in Orca
Passed	SAST	0   0   0   0	View in Orca
Passed	Secrets	0   0   0   0	View in Orca
Passed	Vulnerabilities	0   0   0   0	View in Orca

[weaviate-git-bot]

To avoid any confusion in the future about your contribution to Weaviate, we work with a Contributor License Agreement. If you agree, you can simply add a comment to this PR that you agree with the CLA so that we can merge.

beep boop - the Weaviate bot 👋🤖

PS:
Are you already a member of the Weaviate Forum?

[bevzzz]

Nice addition, thank you @fer-marino

[orca-security-eu]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0   0   0   0	View in Orca
Warning	SAST	1   0   0   0	View in Orca
Passed	Secrets	0   0   0   0	View in Orca
Passed	Vulnerabilities	0   0   0   0	View in Orca

🛡️ The following SAST misconfigurations have been detected

	NAME	FILE
	Prevent Server-Side Request Forgery (SSRF) via User Input in URLs	...ltGrpcTransport.java	View in code

Note: The scan should have failed if no policies were configured in warn-only mode.

[fer-marino]

oh sorry. I've added a lot more stuff. Using an http proxy proved much more difficult than I thought, so here is the implementation. I've also added an extra method for the OIDC authentication to use resourceOwnerPassword providing also a client secret id (needed if anon login is disabled)

[bevzzz]

@fer-marino it's been a busy week, but I'm going to get back to this PR first thing Monday. Appreciate you taking time to contribute!

Using an http proxy proved much more difficult than I thought

Could you please elaborate on the difficulties you ran into with configuring http proxy via system properties? I guess one limitation of that approach would be that it doesn't allow using a different proxy per client. Was there something else you encountered?

[bevzzz]

I suggest focusing this PR on adding proxy support and introduce ROPC authentication in a separate PR.

[fer-marino]

hi, I've implemented most of your suggestions.

About my difficulties in implementing the proxy, is the different http libraries used by the different interfaces. My initial solution worked only for the rest transport, leaving out gRPC and OIDC authentication.

[bevzzz]

Thanks! Could you please rebase your branch on the latest main -- I've just merged a PR that should skip OIDC Client Credentials test if the secret is not available in the CI environment (which it isn't for outside contributions). All tests should be passing again then.

[bevzzz]

This is shaping up really well. Here are a couple more things I noticed.

Is there any simple test we could write for the HTTP / gRPC proxy configs? We're already using MockServer for some tests, can we extend the test suite to also verify request are being proxied correctly? e.g. using MockServer's proxying utility

[bevzzz]

My initial solution worked only for the rest transport, leaving out gRPC and OIDC authentication.

Makes sense, yes. Thanks a lot for taking these two aspects into consideration.

[fer-marino]

added some more test units, including one for the proxy. I've also modified the pom, as in my setup the lombok annotation processor was not getting invoked during unit tests execution.

[bevzzz]

added some more test units, including one for the proxy

Thank you 👍

[fer-marino]

pushed another commit with your suggestions

[bevzzz]

@fer-marino please update your branch to the latest main state, there're some changes that should fix the failing tests in the pipeline.

+3 pending comments ⬆️

[fer-marino]

rebased

[bevzzz]

@fer-marino looks like the commit hashes got changed in the rebase and the history/diff in this PR now includes changes already present in the main branch. Could you please squash your changes in to a single commit and force-push the branch?

Something like:

git reset --soft origin/main
git commit -m "feat: add proxy support and ROPC authorization grant"
git push --force-with-lease

It'll make it easier for me to wrap up the review.

[fer-marino]

hi, have a look now

[bevzzz]

hey @fer-marino! There's one unit test that's prone to deadlocks (it's causing the pipeline in this PR to hang rn), which was fixed in the #549. That PR just got merged to main -- could you please update your branch again?

[bevzzz]

@fer-marino the commit hashes got changed after your latest rebase and the history/diff in this PR now includes changes already present in the main branch. Could you please squash your changes in to a single commit and force-push the branch?

Something like:

git reset --soft origin/main
git commit -m "feat: add proxy support and ROPC authorization grant"
git push --force-with-lease

It'll make it easier for me to wrap up the review.

---

Alternatively, you can always merge the main branch into your feature branch instead of rebasing them -- this should keep the original hashes intact and the diff focused.

[bevzzz]

Some unit tests are failing seemingly after the merge, I'll fix them to unblock the PR.

[bevzzz]

Congratulations on your first PR, @fer-marino!