From ab46e58db25bfe467bc115b9fdde19818276d93d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Thu, 9 Jan 2025 15:46:12 +0100
Subject: [PATCH 01/17] PoC pt 1

---
 .../Snowflake/0.0.0-dev/src/OAuth_Test.enso   | 28 ++++++++++++++++
 .../org/enso/snowflake/OAuthCallback.java     | 32 +++++++++++++++++++
 test-snowflake-oauth.enso                     |  8 +++++
 3 files changed, 68 insertions(+)
 create mode 100644 distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
 create mode 100644 std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
 create mode 100644 test-snowflake-oauth.enso

diff --git a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
new file mode 100644
index 000000000000..8f870bbb947a
--- /dev/null
+++ b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
@@ -0,0 +1,28 @@
+from Standard.Base import all
+
+import project.Connection.Snowflake_Details.Snowflake_Details
+
+polyglot java import org.enso.snowflake.OAuthCallback
+
+initiate_oauth -> Snowflake_Details =
+    Error.throw "TODO"
+
+perform_oauth account:Text role:Text =
+    uri = create_oauth_uri account role refresh_token=False
+    IO.println "Please open "+uri.to_text+" in your browser and follow the instructions."
+    # Wait for callback.
+    result = OAuthCallback.waitForCallback
+    IO.println "Got callback: "+result.to_text
+
+create_oauth_uri account:Text role:Text refresh_token:Boolean -> URI =
+    # TODO add code_challenge for PKCE
+    # TODO check that account does not contain any unexpected characters
+    base_uri = URI.from "https://"+account+".snowflakecomputing.com/oauth/authorize"
+    scope = (if refresh_token then "refresh_token " else "")+"session:role:"+role
+    base_uri
+        . add_query_argument "response_type" "code"
+        . add_query_argument "client_id" client_id
+        . add_query_argument "redirect_uri" "http://localhost:51234/snowflake"
+        . add_query_argument "scope" scope
+
+client_id = "hBjdrf6WyFIyLMMt9Ojbk0c8eto="
diff --git a/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java b/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
new file mode 100644
index 000000000000..e203781e4bc2
--- /dev/null
+++ b/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
@@ -0,0 +1,32 @@
+package org.enso.snowflake;
+
+import com.sun.net.httpserver.HttpServer;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+
+public final class OAuthCallback {
+  private OAuthCallback() {}
+
+  public static CallbackServer waitForCallback(int port) throws IOException {
+    var callbackServer = new CallbackServerImplementation(port);
+    callbackServer.start();
+  }
+
+  public interface CallbackServer extends AutoCloseable {
+    String waitForCallback();
+  }
+
+  private static final class CallbackServerImplementation implements CallbackServer {
+    private final HttpServer server;
+
+    private CallbackServerImplementation(int port) throws IOException {
+      InetSocketAddress address = new InetSocketAddress("localhost", port);
+      server = HttpServer.create(address, 0);
+    }
+
+    private void start() {
+      server.start();
+    }
+  }
+}
diff --git a/test-snowflake-oauth.enso b/test-snowflake-oauth.enso
new file mode 100644
index 000000000000..1225989a773b
--- /dev/null
+++ b/test-snowflake-oauth.enso
@@ -0,0 +1,8 @@
+from Standard.Base import all
+
+import Standard.Snowflake.OAuth_Test
+
+main =
+    account = "PUSMBUI-DP01445"
+    OAuth_Test.perform_oauth account role="CI"
+

From 0fc1480a92924d6095c5f94844421266172f1f46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Thu, 9 Jan 2025 16:23:30 +0100
Subject: [PATCH 02/17] server

---
 build.sbt                                     |  3 +-
 .../Snowflake/0.0.0-dev/src/OAuth_Test.enso   | 13 +++--
 .../org/enso/snowflake/OAuthCallback.java     | 50 ++++++++++++++++++-
 3 files changed, 60 insertions(+), 6 deletions(-)

diff --git a/build.sbt b/build.sbt
index 814e197d7fc7..acfd3e548f41 100644
--- a/build.sbt
+++ b/build.sbt
@@ -4890,7 +4890,8 @@ lazy val `std-snowflake` = project
       `std-snowflake-polyglot-root` / "std-snowflake.jar",
     libraryDependencies ++= Seq(
       "org.netbeans.api" % "org-openide-util-lookup" % netbeansApiVersion % "provided",
-      "net.snowflake"    % "snowflake-jdbc"          % snowflakeJDBCVersion
+      "net.snowflake"    % "snowflake-jdbc"          % snowflakeJDBCVersion,
+      "com.sun.net.httpserver" % "http" % "20070405"
     ),
     Compile / packageBin := Def.task {
       val result = (Compile / packageBin).value
diff --git a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
index 8f870bbb947a..b52e6b8084cc 100644
--- a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
+++ b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
@@ -1,4 +1,5 @@
 from Standard.Base import all
+import Standard.Base.Runtime.Managed_Resource.Managed_Resource
 
 import project.Connection.Snowflake_Details.Snowflake_Details
 
@@ -9,10 +10,14 @@ initiate_oauth -> Snowflake_Details =
 
 perform_oauth account:Text role:Text =
     uri = create_oauth_uri account role refresh_token=False
-    IO.println "Please open "+uri.to_text+" in your browser and follow the instructions."
-    # Wait for callback.
-    result = OAuthCallback.waitForCallback
-    IO.println "Got callback: "+result.to_text
+    print_panic caugh_panic =
+        IO.println "Panic caught: "+caugh_panic.payload.to_text
+    Panic.catch Any handler=print_panic <|
+        result = Managed_Resource.bracket (OAuthCallback.createCallbackServer 51234) (.close) server->
+            # We start the server first to ensure we can 'reserve' the port before opening the browser
+            IO.println "Please open "+uri.to_text+" in your browser and follow the instructions."
+            server.waitForCallback
+        IO.println "Got callback: "+result.to_text
 
 create_oauth_uri account:Text role:Text refresh_token:Boolean -> URI =
     # TODO add code_challenge for PKCE
diff --git a/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java b/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
index e203781e4bc2..2d0a00eb3161 100644
--- a/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
+++ b/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
@@ -4,13 +4,16 @@
 
 import java.io.IOException;
 import java.net.InetSocketAddress;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
 
 public final class OAuthCallback {
   private OAuthCallback() {}
 
-  public static CallbackServer waitForCallback(int port) throws IOException {
+  public static CallbackServer createCallbackServer(int port) throws IOException {
     var callbackServer = new CallbackServerImplementation(port);
     callbackServer.start();
+    return callbackServer;
   }
 
   public interface CallbackServer extends AutoCloseable {
@@ -19,14 +22,59 @@ public interface CallbackServer extends AutoCloseable {
 
   private static final class CallbackServerImplementation implements CallbackServer {
     private final HttpServer server;
+    private final CompletableFuture<String> callbackResult = new CompletableFuture<>();
 
     private CallbackServerImplementation(int port) throws IOException {
       InetSocketAddress address = new InetSocketAddress("localhost", port);
       server = HttpServer.create(address, 0);
+      server.createContext("snowflake", exchange -> {
+        var query = exchange.getRequestURI().getQuery();
+        byte[] response = OK_RESPONSE.getBytes();
+        exchange.sendResponseHeaders(200, response.length);
+        exchange.getResponseBody().write(response);
+        exchange.close();
+        callbackResult.complete(query);
+      });
     }
 
     private void start() {
       server.start();
     }
+
+    @Override
+    public String waitForCallback() {
+      try {
+        return callbackResult.get();
+      } catch (InterruptedException | ExecutionException e) {
+        throw new RuntimeException(e);
+      }
+    }
+
+    @Override
+    public void close() throws Exception {
+      server.stop(1);
+    }
+
+    private static final String OK_RESPONSE =
+        """
+        <html>
+          <head>
+            <title>Enso - Snowflake integration</title>
+            <style>
+            body {
+              display: flex;
+              justify-content: center;
+              align-items: center;
+              height: 100vh;
+              margin: 0;
+            }
+            </style>
+          </head>
+          <body>
+            <h1>Enso - Snowflake integration</h1>
+            <p>OAuth callback received. You can close this window now and go back to the application.</p>
+          </body>
+        </html>
+        """;
   }
 }

From 9dbbfe131860f180d58cea2290983ecb43e64482 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Thu, 9 Jan 2025 20:27:04 +0100
Subject: [PATCH 03/17] followup

---
 build.sbt                                     |  3 +-
 .../Base/0.0.0-dev/src/Network/HTTP.enso      |  1 +
 .../Snowflake/0.0.0-dev/src/OAuth_Test.enso   | 38 ++++++++++++++++---
 .../org/enso/snowflake/OAuthCallback.java     | 22 +++++++++--
 4 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/build.sbt b/build.sbt
index acfd3e548f41..814e197d7fc7 100644
--- a/build.sbt
+++ b/build.sbt
@@ -4890,8 +4890,7 @@ lazy val `std-snowflake` = project
       `std-snowflake-polyglot-root` / "std-snowflake.jar",
     libraryDependencies ++= Seq(
       "org.netbeans.api" % "org-openide-util-lookup" % netbeansApiVersion % "provided",
-      "net.snowflake"    % "snowflake-jdbc"          % snowflakeJDBCVersion,
-      "com.sun.net.httpserver" % "http" % "20070405"
+      "net.snowflake"    % "snowflake-jdbc"          % snowflakeJDBCVersion
     ),
     Compile / packageBin := Def.task {
       val result = (Compile / packageBin).value
diff --git a/distribution/lib/Standard/Base/0.0.0-dev/src/Network/HTTP.enso b/distribution/lib/Standard/Base/0.0.0-dev/src/Network/HTTP.enso
index bee4ce27cc8b..3a597abc8c9a 100644
--- a/distribution/lib/Standard/Base/0.0.0-dev/src/Network/HTTP.enso
+++ b/distribution/lib/Standard/Base/0.0.0-dev/src/Network/HTTP.enso
@@ -154,6 +154,7 @@ type HTTP
 
         handle_request_error <| Illegal_Argument.handle_java_exception <| check_output_context <| check_cache_policy <| Response_Too_Large.handle_java_exception <|
             headers = _resolve_headers req
+            Standard.Base.IO.println headers
             headers.if_not_error <|
                 resolved_body = _resolve_body req.body self.hash_method
                 resolved_body.if_not_error <|
diff --git a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
index b52e6b8084cc..4888753730a6 100644
--- a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
+++ b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
@@ -1,4 +1,6 @@
 from Standard.Base import all
+import Standard.Base.Data.Base_64.Base_64
+import Standard.Base.Network.HTTP.Request_Body.Request_Body
 import Standard.Base.Runtime.Managed_Resource.Managed_Resource
 
 import project.Connection.Snowflake_Details.Snowflake_Details
@@ -10,14 +12,23 @@ initiate_oauth -> Snowflake_Details =
 
 perform_oauth account:Text role:Text =
     uri = create_oauth_uri account role refresh_token=False
-    print_panic caugh_panic =
-        IO.println "Panic caught: "+caugh_panic.payload.to_text
+    print_panic caught_panic =
+        IO.println "Panic caught: "+caught_panic.payload.to_text
+        IO.println caught_panic.convert_to_dataflow_error.get_stack_trace_text
     Panic.catch Any handler=print_panic <|
         result = Managed_Resource.bracket (OAuthCallback.createCallbackServer 51234) (.close) server->
             # We start the server first to ensure we can 'reserve' the port before opening the browser
             IO.println "Please open "+uri.to_text+" in your browser and follow the instructions."
             server.waitForCallback
-        IO.println "Got callback: "+result.to_text
+        code_prefix = "code="
+        code = result
+            . split "&"
+            . find (e-> e.starts_with code_prefix)
+            . drop code_prefix.length
+        access_token = exchange_code_for_access_token account code
+        IO.println access_token
+
+
 
 create_oauth_uri account:Text role:Text refresh_token:Boolean -> URI =
     # TODO add code_challenge for PKCE
@@ -27,7 +38,24 @@ create_oauth_uri account:Text role:Text refresh_token:Boolean -> URI =
     base_uri
         . add_query_argument "response_type" "code"
         . add_query_argument "client_id" client_id
-        . add_query_argument "redirect_uri" "http://localhost:51234/snowflake"
+        . add_query_argument "redirect_uri" redirect_uri
         . add_query_argument "scope" scope
+        . add_query_argument "state" "foobar"
+
+type Access_Token
+    Value token:Text expiry:Date_Time
+
+exchange_code_for_access_token account:Text code:Text -> Access_Token =
+    now = Date_Time.now
+    uri = URI.from "https://"+account+".snowflakecomputing.com/oauth/token-request"
+    params = Dictionary.from_vector [["grant_type", "authorization_code"], ["code", code], ["redirect_uri", redirect_uri]]
+    request_body = Request_Body.Form_Data params url_encoded=True
+    headers = [Header.authorization_basic client_id client_secret]
+    response = Data.post uri body=request_body headers=headers response_format=JSON_Format
+    IO.println response
+    Access_Token.Value (response.get "access_token") (now + Duration.new seconds=(response.get "expires_in"))
+
 
-client_id = "hBjdrf6WyFIyLMMt9Ojbk0c8eto="
+client_id = Environment.get "SNOWFLAKE_APP_CLIENT_ID"
+client_secret = Environment.get "SNOWFLAKE_APP_CLIENT_SECRET"
+redirect_uri = "http://localhost:51234/snowflake"
diff --git a/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java b/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
index 2d0a00eb3161..061d04fbbf92 100644
--- a/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
+++ b/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
@@ -11,9 +11,14 @@ public final class OAuthCallback {
   private OAuthCallback() {}
 
   public static CallbackServer createCallbackServer(int port) throws IOException {
-    var callbackServer = new CallbackServerImplementation(port);
-    callbackServer.start();
-    return callbackServer;
+    try {
+      var callbackServer = new CallbackServerImplementation(port);
+      callbackServer.start();
+      return callbackServer;
+    } catch (Exception e) {
+      e.printStackTrace();
+      throw e;
+    }
   }
 
   public interface CallbackServer extends AutoCloseable {
@@ -27,8 +32,15 @@ private static final class CallbackServerImplementation implements CallbackServe
     private CallbackServerImplementation(int port) throws IOException {
       InetSocketAddress address = new InetSocketAddress("localhost", port);
       server = HttpServer.create(address, 0);
-      server.createContext("snowflake", exchange -> {
+      server.createContext("/snowflake", exchange -> {
         var query = exchange.getRequestURI().getQuery();
+//        System.out.println("method = " + exchange.getRequestMethod());
+//        System.out.println("query = " + query);
+//        System.out.println("headers = " + exchange.getRequestHeaders());
+//        byte[] body = exchange.getRequestBody().readAllBytes();
+//        System.out.println("body = " + new String(body));
+
+
         byte[] response = OK_RESPONSE.getBytes();
         exchange.sendResponseHeaders(200, response.length);
         exchange.getResponseBody().write(response);
@@ -63,6 +75,7 @@ public void close() throws Exception {
             <style>
             body {
               display: flex;
+              flex-direction: column;
               justify-content: center;
               align-items: center;
               height: 100vh;
@@ -72,6 +85,7 @@ public void close() throws Exception {
           </head>
           <body>
             <h1>Enso - Snowflake integration</h1>
+            <br>
             <p>OAuth callback received. You can close this window now and go back to the application.</p>
           </body>
         </html>

From d086e47e1fb35aec6cc8df4a0b4795ca39341547 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Fri, 10 Jan 2025 13:01:43 +0100
Subject: [PATCH 04/17] full OAuth flow to connect to Snowflake - v1

---
 .../src/Connection/Snowflake_Details.enso     | 11 ++++-
 .../Snowflake/0.0.0-dev/src/OAuth_Test.enso   | 40 +++++++++----------
 test-snowflake-oauth.enso                     | 10 ++++-
 3 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/Connection/Snowflake_Details.enso b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/Connection/Snowflake_Details.enso
index 74bd9767ee1f..772d910e7fad 100644
--- a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/Connection/Snowflake_Details.enso
+++ b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/Connection/Snowflake_Details.enso
@@ -10,6 +10,7 @@ import Standard.Database.Connection.Credentials.Credentials
 import Standard.Database.Internal.Data_Link_Setup.Data_Link_Setup
 
 import project.Snowflake_Connection.Snowflake_Connection
+import project.OAuth_Test.Access_Token
 
 polyglot java import net.snowflake.client.jdbc.SnowflakeDriver
 
@@ -24,7 +25,7 @@ type Snowflake_Details
        - warehouse: The name of the warehouse to use.
     @account (Text_Input display=..Always)
     @credentials Credentials.default_widget
-    Snowflake (account:Text=(Missing_Argument.throw "account")) (credentials:Credentials=(Missing_Argument.throw "credentials")) database:Text="SNOWFLAKE" schema:Text="PUBLIC" warehouse:Text=""
+    Snowflake (account:Text=(Missing_Argument.throw "account")) (credentials:Credentials|Access_Token=(Missing_Argument.throw "credentials")) database:Text="SNOWFLAKE" schema:Text="PUBLIC" warehouse:Text=""
 
     ## PRIVATE
        Attempt to resolve the constructor.
@@ -64,7 +65,13 @@ type Snowflake_Details
         ## should be prepended to properties. That would make it fallback to plain `json`.
 
         account = [Pair.new 'account' self.account]
-        credentials = [Pair.new 'user' self.credentials.username, Pair.new 'password' self.credentials.password]
+        credentials = case self.credentials of
+            _ : Credentials ->
+                [Pair.new 'user' self.credentials.username, Pair.new 'password' self.credentials.password]
+            token : Access_Token ->
+                if Date_Time.now > token.expiry then
+                    Error.throw (Illegal_State.Error "Access token has expired on "+token.expiry.to_display_text)
+                [Pair.new 'authenticator' 'oauth', Pair.new 'user' token.username, Pair.new 'token' token.token]
         database = [Pair.new 'db' self.database]
         schema = [Pair.new 'schema' self.schema]
         warehouse = if self.warehouse=="" then [] else [Pair.new 'warehouse' self.warehouse]
diff --git a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
index 4888753730a6..bf4d2350ed17 100644
--- a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
+++ b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
@@ -10,25 +10,18 @@ polyglot java import org.enso.snowflake.OAuthCallback
 initiate_oauth -> Snowflake_Details =
     Error.throw "TODO"
 
-perform_oauth account:Text role:Text =
+perform_one_time_oauth account:Text role:Text =
     uri = create_oauth_uri account role refresh_token=False
-    print_panic caught_panic =
-        IO.println "Panic caught: "+caught_panic.payload.to_text
-        IO.println caught_panic.convert_to_dataflow_error.get_stack_trace_text
-    Panic.catch Any handler=print_panic <|
-        result = Managed_Resource.bracket (OAuthCallback.createCallbackServer 51234) (.close) server->
-            # We start the server first to ensure we can 'reserve' the port before opening the browser
-            IO.println "Please open "+uri.to_text+" in your browser and follow the instructions."
-            server.waitForCallback
-        code_prefix = "code="
-        code = result
-            . split "&"
-            . find (e-> e.starts_with code_prefix)
-            . drop code_prefix.length
-        access_token = exchange_code_for_access_token account code
-        IO.println access_token
-
-
+    result = Managed_Resource.bracket (OAuthCallback.createCallbackServer 51234) (.close) server->
+        # We start the server first to ensure we can 'reserve' the port before opening the browser
+        IO.println "Please open "+uri.to_text+" in your browser and follow the instructions."
+        server.waitForCallback
+    code_prefix = "code="
+    code = result
+        . split "&"
+        . find (e-> e.starts_with code_prefix)
+        . drop code_prefix.length
+    exchange_code_for_access_token account code
 
 create_oauth_uri account:Text role:Text refresh_token:Boolean -> URI =
     # TODO add code_challenge for PKCE
@@ -43,7 +36,13 @@ create_oauth_uri account:Text role:Text refresh_token:Boolean -> URI =
         . add_query_argument "state" "foobar"
 
 type Access_Token
-    Value token:Text expiry:Date_Time
+    Value username:Text token:Text expiry:Date_Time
+
+    to_text self -> Text =
+        "Access_Token.Value "+self.username.pretty+" *** "+self.expiry.to_text
+
+    to_display_text self -> Text =
+        "Snowflake Access Token for "+self.username+" (expires at "+self.expiry.to_display_text+")"
 
 exchange_code_for_access_token account:Text code:Text -> Access_Token =
     now = Date_Time.now
@@ -52,8 +51,7 @@ exchange_code_for_access_token account:Text code:Text -> Access_Token =
     request_body = Request_Body.Form_Data params url_encoded=True
     headers = [Header.authorization_basic client_id client_secret]
     response = Data.post uri body=request_body headers=headers response_format=JSON_Format
-    IO.println response
-    Access_Token.Value (response.get "access_token") (now + Duration.new seconds=(response.get "expires_in"))
+    Access_Token.Value (response.get "username") (response.get "access_token") (now + Duration.new seconds=(response.get "expires_in"))
 
 
 client_id = Environment.get "SNOWFLAKE_APP_CLIENT_ID"
diff --git a/test-snowflake-oauth.enso b/test-snowflake-oauth.enso
index 1225989a773b..b3cca2a1d910 100644
--- a/test-snowflake-oauth.enso
+++ b/test-snowflake-oauth.enso
@@ -1,8 +1,14 @@
 from Standard.Base import all
 
+from Standard.Database import all
+
+from Standard.Snowflake import all
 import Standard.Snowflake.OAuth_Test
 
 main =
     account = "PUSMBUI-DP01445"
-    OAuth_Test.perform_oauth account role="CI"
-
+    token = OAuth_Test.perform_one_time_oauth account role="CI"
+    connection = Database.connect (Snowflake_Details.Snowflake account=account credentials=token)
+    IO.println connection
+    connection.tables.print
+    connection.query (..Raw_SQL "SELECT 1+2, 3*4") . print

From 148549c7c51e4469ce70a149bf04cff6666e66aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Fri, 10 Jan 2025 17:27:58 +0100
Subject: [PATCH 05/17] full OAuth flow with refresh token

---
 .../Base/0.0.0-dev/src/Network/HTTP.enso      |  1 -
 .../src/Connection/Snowflake_Details.enso     | 16 +++-
 .../Snowflake/0.0.0-dev/src/OAuth_Test.enso   | 89 ++++++++++++++++---
 test-snowflake-oauth.enso                     |  4 +-
 4 files changed, 89 insertions(+), 21 deletions(-)

diff --git a/distribution/lib/Standard/Base/0.0.0-dev/src/Network/HTTP.enso b/distribution/lib/Standard/Base/0.0.0-dev/src/Network/HTTP.enso
index 3a597abc8c9a..bee4ce27cc8b 100644
--- a/distribution/lib/Standard/Base/0.0.0-dev/src/Network/HTTP.enso
+++ b/distribution/lib/Standard/Base/0.0.0-dev/src/Network/HTTP.enso
@@ -154,7 +154,6 @@ type HTTP
 
         handle_request_error <| Illegal_Argument.handle_java_exception <| check_output_context <| check_cache_policy <| Response_Too_Large.handle_java_exception <|
             headers = _resolve_headers req
-            Standard.Base.IO.println headers
             headers.if_not_error <|
                 resolved_body = _resolve_body req.body self.hash_method
                 resolved_body.if_not_error <|
diff --git a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/Connection/Snowflake_Details.enso b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/Connection/Snowflake_Details.enso
index 772d910e7fad..a04660e16453 100644
--- a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/Connection/Snowflake_Details.enso
+++ b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/Connection/Snowflake_Details.enso
@@ -11,6 +11,7 @@ import Standard.Database.Internal.Data_Link_Setup.Data_Link_Setup
 
 import project.Snowflake_Connection.Snowflake_Connection
 import project.OAuth_Test.Access_Token
+import project.OAuth_Test.Refresh_Token
 
 polyglot java import net.snowflake.client.jdbc.SnowflakeDriver
 
@@ -25,7 +26,7 @@ type Snowflake_Details
        - warehouse: The name of the warehouse to use.
     @account (Text_Input display=..Always)
     @credentials Credentials.default_widget
-    Snowflake (account:Text=(Missing_Argument.throw "account")) (credentials:Credentials|Access_Token=(Missing_Argument.throw "credentials")) database:Text="SNOWFLAKE" schema:Text="PUBLIC" warehouse:Text=""
+    Snowflake (account:Text=(Missing_Argument.throw "account")) (credentials:Credentials|Access_Token|Refresh_Token=(Missing_Argument.throw "credentials")) database:Text="SNOWFLAKE" schema:Text="PUBLIC" warehouse:Text=""
 
     ## PRIVATE
        Attempt to resolve the constructor.
@@ -69,9 +70,11 @@ type Snowflake_Details
             _ : Credentials ->
                 [Pair.new 'user' self.credentials.username, Pair.new 'password' self.credentials.password]
             token : Access_Token ->
-                if Date_Time.now > token.expiry then
-                    Error.throw (Illegal_State.Error "Access token has expired on "+token.expiry.to_display_text)
-                [Pair.new 'authenticator' 'oauth', Pair.new 'user' token.username, Pair.new 'token' token.token]
+                _keys_for_access_token token
+            refresh_token : Refresh_Token ->
+                access_token = refresh_token.exchange_for_access_token
+                _keys_for_access_token access_token
+
         database = [Pair.new 'db' self.database]
         schema = [Pair.new 'schema' self.schema]
         warehouse = if self.warehouse=="" then [] else [Pair.new 'warehouse' self.warehouse]
@@ -90,3 +93,8 @@ private create_data_link_structure details:Snowflake_Details data_link_location:
         warehouse_part = if details.warehouse.not_empty then [["warehouse", details.warehouse]] else []
         credential_part = [["credentials", credentials_json]]
         header + connection_part + schema_part + warehouse_part + credential_part
+
+private _keys_for_access_token (token : Access_Token) -> Vector =
+    if Date_Time.now > token.expiry then
+        Error.throw (Illegal_State.Error "Access token has expired on "+token.expiry.to_display_text)
+    [Pair.new 'authenticator' 'oauth', Pair.new 'user' token.username, Pair.new 'token' token.token]
diff --git a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
index bf4d2350ed17..47c8cb71e617 100644
--- a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
+++ b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
@@ -1,5 +1,7 @@
 from Standard.Base import all
 import Standard.Base.Data.Base_64.Base_64
+import Standard.Base.Errors.Common.Not_Found
+import Standard.Base.Errors.Illegal_State.Illegal_State
 import Standard.Base.Network.HTTP.Request_Body.Request_Body
 import Standard.Base.Runtime.Managed_Resource.Managed_Resource
 
@@ -7,23 +9,34 @@ import project.Connection.Snowflake_Details.Snowflake_Details
 
 polyglot java import org.enso.snowflake.OAuthCallback
 
-initiate_oauth -> Snowflake_Details =
-    Error.throw "TODO"
-
 perform_one_time_oauth account:Text role:Text =
-    uri = create_oauth_uri account role refresh_token=False
+    uri = create_authorization_uri account role refresh_token=False
     result = Managed_Resource.bracket (OAuthCallback.createCallbackServer 51234) (.close) server->
         # We start the server first to ensure we can 'reserve' the port before opening the browser
         IO.println "Please open "+uri.to_text+" in your browser and follow the instructions."
         server.waitForCallback
-    code_prefix = "code="
-    code = result
-        . split "&"
-        . find (e-> e.starts_with code_prefix)
-        . drop code_prefix.length
-    exchange_code_for_access_token account code
-
-create_oauth_uri account:Text role:Text refresh_token:Boolean -> URI =
+    code = OAuth_Callback_Response.decode result . code
+    exchange_one_time_code_for_access_token account code
+
+type OAuth_Callback_Response
+    Value code:Text state:Text|Nothing
+
+    decode response:Text -> OAuth_Callback_Response =
+        parts = response.split "&"
+        code_prefix = "code="
+        state_prefix = "state="
+        code = parts
+            . find (e-> e.starts_with code_prefix)
+            . drop code_prefix.length
+            . catch Not_Found _->
+                Error.throw (Illegal_State.Error "Malformed OAuth response: No code found.")
+        state = parts
+            . find (e-> e.starts_with state_prefix)
+            . drop state_prefix.length
+            . catch Not_Found _->Nothing
+        OAuth_Callback_Response.Value code state
+
+create_authorization_uri account:Text role:Text refresh_token:Boolean -> URI =
     # TODO add code_challenge for PKCE
     # TODO check that account does not contain any unexpected characters
     base_uri = URI.from "https://"+account+".snowflakecomputing.com/oauth/authorize"
@@ -44,15 +57,63 @@ type Access_Token
     to_display_text self -> Text =
         "Snowflake Access Token for "+self.username+" (expires at "+self.expiry.to_display_text+")"
 
-exchange_code_for_access_token account:Text code:Text -> Access_Token =
+exchange_one_time_code_for_access_token account:Text code:Text -> Access_Token =
     now = Date_Time.now
-    uri = URI.from "https://"+account+".snowflakecomputing.com/oauth/token-request"
+    uri = create_token_uri account
     params = Dictionary.from_vector [["grant_type", "authorization_code"], ["code", code], ["redirect_uri", redirect_uri]]
     request_body = Request_Body.Form_Data params url_encoded=True
     headers = [Header.authorization_basic client_id client_secret]
     response = Data.post uri body=request_body headers=headers response_format=JSON_Format
     Access_Token.Value (response.get "username") (response.get "access_token") (now + Duration.new seconds=(response.get "expires_in"))
 
+create_token_uri account:Text =
+    URI.from "https://"+account+".snowflakecomputing.com/oauth/token-request"
+
+authorize_for_refresh_token account:Text role:Text =
+    uri = create_authorization_uri account role refresh_token=True
+    result = Managed_Resource.bracket (OAuthCallback.createCallbackServer 51234) (.close) server->
+        # We start the server first to ensure we can 'reserve' the port before opening the browser
+        IO.println "Please open "+uri.to_text+" in your browser and follow the instructions."
+        server.waitForCallback
+    code = OAuth_Callback_Response.decode result . code
+    exchange_one_time_code_for_refresh_token account code
+
+exchange_one_time_code_for_refresh_token account:Text code:Text -> Refresh_Token =
+    now = Date_Time.now
+    uri = create_token_uri account
+    params = Dictionary.from_vector [["grant_type", "authorization_code"], ["code", code], ["redirect_uri", redirect_uri]]
+    request_body = Request_Body.Form_Data params url_encoded=True
+    headers = [Header.authorization_basic client_id client_secret]
+    response = Data.post uri body=request_body headers=headers response_format=JSON_Format
+    IO.println "exchanging one-time code for refresh token: "+response.to_text
+    Refresh_Token.Value account (response.get "username") (response.get "refresh_token") (now + Duration.new seconds=(response.get "refresh_token_expires_in"))
+
+type Refresh_Token
+    Value account:Text username:Text token:Text expiry:Date_Time
+
+    to_text self -> Text =
+        "Refresh_Token.Value "+self.account.pretty+" "+self.username.pretty+" *** "+self.expiry.to_text
+
+    to_display_text self -> Text =
+        "Snowflake Token for "+self.account+"/"+self.username+" (expires at "+self.expiry.to_display_text+")"
+
+    is_expired self -> Boolean =
+        Date_Time.now >= self.expiry
+
+    check self -> Nothing ! Illegal_State =
+        if self.is_expired then
+            Error.throw (Illegal_State.Error "Refresh token has expired on "+self.expiry.to_display_text)
+
+    exchange_for_access_token self -> Access_Token ! Illegal_State =
+        self.check
+        now = Date_Time.now
+        uri = create_token_uri self.account
+        params = Dictionary.from_vector [["grant_type", "refresh_token"], ["refresh_token", self.token]]
+        request_body = Request_Body.Form_Data params url_encoded=True
+        headers = [Header.authorization_basic client_id client_secret]
+        response = Data.post uri body=request_body headers=headers response_format=JSON_Format
+        IO.println "exchanging refresh token for access token: "+response.to_text
+        Access_Token.Value self.username (response.get "access_token") (now + Duration.new seconds=(response.get "expires_in"))
 
 client_id = Environment.get "SNOWFLAKE_APP_CLIENT_ID"
 client_secret = Environment.get "SNOWFLAKE_APP_CLIENT_SECRET"
diff --git a/test-snowflake-oauth.enso b/test-snowflake-oauth.enso
index b3cca2a1d910..fe08d907e472 100644
--- a/test-snowflake-oauth.enso
+++ b/test-snowflake-oauth.enso
@@ -7,8 +7,8 @@ import Standard.Snowflake.OAuth_Test
 
 main =
     account = "PUSMBUI-DP01445"
-    token = OAuth_Test.perform_one_time_oauth account role="CI"
-    connection = Database.connect (Snowflake_Details.Snowflake account=account credentials=token)
+    refresh_token = OAuth_Test.authorize_for_refresh_token account role="CI"
+    connection = Database.connect (Snowflake_Details.Snowflake account=account credentials=refresh_token)
     IO.println connection
     connection.tables.print
     connection.query (..Raw_SQL "SELECT 1+2, 3*4") . print

From 9f4fe81b98ac131888e62a293b8eaeb1c375bcc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Fri, 10 Jan 2025 17:28:15 +0100
Subject: [PATCH 06/17] remove debug prints

---
 .../lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso        | 2 --
 1 file changed, 2 deletions(-)

diff --git a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
index 47c8cb71e617..05e75fafc90d 100644
--- a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
+++ b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
@@ -85,7 +85,6 @@ exchange_one_time_code_for_refresh_token account:Text code:Text -> Refresh_Token
     request_body = Request_Body.Form_Data params url_encoded=True
     headers = [Header.authorization_basic client_id client_secret]
     response = Data.post uri body=request_body headers=headers response_format=JSON_Format
-    IO.println "exchanging one-time code for refresh token: "+response.to_text
     Refresh_Token.Value account (response.get "username") (response.get "refresh_token") (now + Duration.new seconds=(response.get "refresh_token_expires_in"))
 
 type Refresh_Token
@@ -112,7 +111,6 @@ type Refresh_Token
         request_body = Request_Body.Form_Data params url_encoded=True
         headers = [Header.authorization_basic client_id client_secret]
         response = Data.post uri body=request_body headers=headers response_format=JSON_Format
-        IO.println "exchanging refresh token for access token: "+response.to_text
         Access_Token.Value self.username (response.get "access_token") (now + Duration.new seconds=(response.get "expires_in"))
 
 client_id = Environment.get "SNOWFLAKE_APP_CLIENT_ID"

From 8b43eed2d27c3ddfb825bc0f56678efe58e42ca7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Mon, 13 Jan 2025 19:44:18 +0100
Subject: [PATCH 07/17] Google OAuth PoC in Sheets

---
 build.sbt                                     |  1 +
 .../0.0.0-dev/src/Google_Sheets.enso          | 19 ++++--
 .../0.0.0-dev/src/OAuth_Prototype.enso        | 64 +++++++++++++++++++
 .../Snowflake/0.0.0-dev/src/OAuth_Test.enso   |  4 +-
 .../ExternalLibrarySecretHelper.java          |  5 +-
 .../org/enso/base/oauth}/OAuthCallback.java   |  4 +-
 .../enso/google/GoogleOAuthSecretReader.java  | 20 ++++++
 test-google-oauth.enso                        | 11 ++++
 8 files changed, 118 insertions(+), 10 deletions(-)
 create mode 100644 distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
 rename std-bits/{snowflake/src/main/java/org/enso/snowflake => base/src/main/java/org/enso/base/oauth}/OAuthCallback.java (97%)
 create mode 100644 std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
 create mode 100644 test-google-oauth.enso

diff --git a/build.sbt b/build.sbt
index 814e197d7fc7..5522f26d6cfe 100644
--- a/build.sbt
+++ b/build.sbt
@@ -4807,6 +4807,7 @@ lazy val `std-google-api` = project
       result
     }.value
   )
+  .dependsOn(`std-base` % "provided")
   .dependsOn(`std-table` % "provided")
 
 lazy val `std-database` = project
diff --git a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso
index 81fad0ef566b..19519af865b9 100644
--- a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso
+++ b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso
@@ -3,6 +3,7 @@ import Standard.Base.Data.Array_Proxy.Array_Proxy
 import Standard.Base.Metadata.Display
 from Standard.Base.Metadata import make_single_choice, Widget
 from Standard.Base.Metadata.Widget import Single_Choice, Vector_Editor
+from Standard.Base.Enso_Cloud.Enso_Secret import as_hideable_value
 
 from Standard.Table import Table
 
@@ -13,6 +14,8 @@ polyglot java import com.google.api.services.sheets.v4.Sheets
 polyglot java import com.google.api.services.sheets.v4.SheetsScopes
 polyglot java import java.util.Collections
 
+polyglot java import org.enso.google.GoogleOAuthSecretReader
+
 type Google_Sheets
     ## PRIVATE
     Service java_service
@@ -21,15 +24,21 @@ type Google_Sheets
        Initializes the Google Sheets instance using the given credentials file.
 
        Arguments:
-       - secret_file: a file containing Google Service Account credentials to use to
+       - secret_file: a Cloud secret or a file containing Google Service Account credentials to use to
          access Google services. The credentials file can be downloaded from the
          Google Admin Console when generating a key.
-    initialize : File -> Google_Sheets
+    initialize : File|Enso_Secret -> Google_Sheets
     initialize secret_file =
         app_name = 'Enso'
-        credential = secret_file.with_input_stream [File_Access.Read] stream->
-            stream.with_java_stream is->
-                GoogleCredential.fromStream is . createScoped (Collections.singleton SheetsScopes.SPREADSHEETS)
+        base_credential = case secret_file of
+            secret : Enso_Secret ->
+                # TODO to avoid passing credentials around, prod should probably create instance of Sheets and return it here
+                GoogleOAuthSecretReader.createCredentialFromSecretValue (as_hideable_value secret)
+            _ ->
+                secret_file.with_input_stream [File_Access.Read] stream->
+                    stream.with_java_stream is->
+                        GoogleCredential.fromStream is
+        credential = base_credential.createScoped (Collections.singleton SheetsScopes.SPREADSHEETS)
         http_transport = GoogleNetHttpTransport.newTrustedTransport
         json_factory = GsonFactory.getDefaultInstance
         service = Sheets.Builder.new http_transport json_factory credential . setApplicationName app_name . build
diff --git a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
new file mode 100644
index 000000000000..52e6c5b5dc8e
--- /dev/null
+++ b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
@@ -0,0 +1,64 @@
+from Standard.Base import all
+import Standard.Base.Data.Base_64.Base_64
+import Standard.Base.Errors.Common.Not_Found
+import Standard.Base.Errors.Illegal_State.Illegal_State
+import Standard.Base.Network.HTTP.Request_Body.Request_Body
+import Standard.Base.Runtime.Managed_Resource.Managed_Resource
+
+polyglot java import org.enso.base.oauth.OAuthCallback
+
+authenticate_service scopes:Vector secret_name:Text location:Enso_File=Enso_File.home -> Enso_Secret =
+    uri = create_authorization_uri scopes
+    result = Managed_Resource.bracket (OAuthCallback.createCallbackServer 51234) (.close) server->
+        # We start the server first to ensure we can 'reserve' the port before opening the browser
+        IO.println "Please open "+uri.to_text+" in your browser and follow the instructions."
+        server.waitForCallback
+    code = OAuth_Callback_Response.decode result . code
+
+    refresh_token = exchange_one_time_code_for_refresh_token code
+    Enso_Secret.create secret_name (make_secret_payload refresh_token) parent=location
+
+exchange_one_time_code_for_refresh_token code:Text -> Text =
+    uri = create_token_uri
+    params = Dictionary.from_vector [["grant_type", "authorization_code"], ["code", code], ["redirect_uri", redirect_uri], ["client_id", client_id], ["client_secret", client_secret]]
+    request_body = Request_Body.Form_Data params url_encoded=True
+    response = Data.post uri body=request_body response_format=JSON_Format
+    response.get "refresh_token"
+
+
+make_secret_payload refresh_token:Text -> Text =
+    JS_Object.from_pairs [["type", "authorized_user"], ["refresh_token", refresh_token], ["client_id", client_id], ["client_secret", client_secret]]
+
+create_authorization_uri scopes:Vector -> URI =
+    URI.from "https://accounts.google.com/o/oauth2/v2/auth"
+        . add_query_argument "response_type" "code"
+        . add_query_argument "access_type" "offline"
+        . add_query_argument "client_id" client_id
+        . add_query_argument "redirect_uri" redirect_uri
+        . add_query_argument "scope" (scopes.join " ")
+        . add_query_argument "state" "foobar"
+
+create_token_uri -> URI =
+    URI.from "https://oauth2.googleapis.com/token"
+
+client_id = Environment.get "GOOGLE_APP_CLIENT_ID"
+client_secret = Environment.get "GOOGLE_APP_CLIENT_SECRET"
+redirect_uri = "http://localhost:51234/oauth"
+
+type OAuth_Callback_Response
+    Value code:Text state:Text|Nothing
+
+    decode response:Text -> OAuth_Callback_Response =
+        parts = response.split "&"
+        code_prefix = "code="
+        state_prefix = "state="
+        code = parts
+            . find (e-> e.starts_with code_prefix)
+            . drop code_prefix.length
+            . catch Not_Found _->
+                Error.throw (Illegal_State.Error "Malformed OAuth response: No code found.")
+        state = parts
+            . find (e-> e.starts_with state_prefix)
+            . drop state_prefix.length
+            . catch Not_Found _->Nothing
+        OAuth_Callback_Response.Value code state
diff --git a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
index 05e75fafc90d..b4c1f7e3de53 100644
--- a/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
+++ b/distribution/lib/Standard/Snowflake/0.0.0-dev/src/OAuth_Test.enso
@@ -7,7 +7,7 @@ import Standard.Base.Runtime.Managed_Resource.Managed_Resource
 
 import project.Connection.Snowflake_Details.Snowflake_Details
 
-polyglot java import org.enso.snowflake.OAuthCallback
+polyglot java import org.enso.base.oauth.OAuthCallback
 
 perform_one_time_oauth account:Text role:Text =
     uri = create_authorization_uri account role refresh_token=False
@@ -115,4 +115,4 @@ type Refresh_Token
 
 client_id = Environment.get "SNOWFLAKE_APP_CLIENT_ID"
 client_secret = Environment.get "SNOWFLAKE_APP_CLIENT_SECRET"
-redirect_uri = "http://localhost:51234/snowflake"
+redirect_uri = "http://localhost:51234/oauth"
diff --git a/std-bits/base/src/main/java/org/enso/base/enso_cloud/ExternalLibrarySecretHelper.java b/std-bits/base/src/main/java/org/enso/base/enso_cloud/ExternalLibrarySecretHelper.java
index 2d384a24d956..b9bb7089862d 100644
--- a/std-bits/base/src/main/java/org/enso/base/enso_cloud/ExternalLibrarySecretHelper.java
+++ b/std-bits/base/src/main/java/org/enso/base/enso_cloud/ExternalLibrarySecretHelper.java
@@ -50,5 +50,8 @@ private static void checkAccess() throws EnsoSecretAccessDenied {
   private record AccessLocation(String className, String method) {}
 
   private static final List<AccessLocation> allowedAccessLocations =
-      List.of(new AccessLocation("org.enso.aws.ClientBuilder", "unsafeResolveSecrets"));
+      List.of(
+          new AccessLocation("org.enso.aws.ClientBuilder", "unsafeResolveSecrets"),
+          new AccessLocation("org.enso.google.GoogleOAuthSecretReader", "createCredentialFromSecretValue")
+      );
 }
diff --git a/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java b/std-bits/base/src/main/java/org/enso/base/oauth/OAuthCallback.java
similarity index 97%
rename from std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
rename to std-bits/base/src/main/java/org/enso/base/oauth/OAuthCallback.java
index 061d04fbbf92..54c41a591112 100644
--- a/std-bits/snowflake/src/main/java/org/enso/snowflake/OAuthCallback.java
+++ b/std-bits/base/src/main/java/org/enso/base/oauth/OAuthCallback.java
@@ -1,4 +1,4 @@
-package org.enso.snowflake;
+package org.enso.base.oauth;
 
 import com.sun.net.httpserver.HttpServer;
 
@@ -32,7 +32,7 @@ private static final class CallbackServerImplementation implements CallbackServe
     private CallbackServerImplementation(int port) throws IOException {
       InetSocketAddress address = new InetSocketAddress("localhost", port);
       server = HttpServer.create(address, 0);
-      server.createContext("/snowflake", exchange -> {
+      server.createContext("/oauth", exchange -> {
         var query = exchange.getRequestURI().getQuery();
 //        System.out.println("method = " + exchange.getRequestMethod());
 //        System.out.println("query = " + query);
diff --git a/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java b/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
new file mode 100644
index 000000000000..fddbe065cd01
--- /dev/null
+++ b/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
@@ -0,0 +1,20 @@
+package org.enso.google;
+
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import org.enso.base.enso_cloud.ExternalLibrarySecretHelper;
+import org.enso.base.enso_cloud.HideableValue;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+public class GoogleOAuthSecretReader {
+  public static GoogleCredential createCredentialFromSecretValue(HideableValue secretValue) {
+    String payload = ExternalLibrarySecretHelper.resolveValue(secretValue);
+    ByteArrayInputStream stream = new ByteArrayInputStream(payload.getBytes());
+    try {
+      return GoogleCredential.fromStream(stream);
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}
diff --git a/test-google-oauth.enso b/test-google-oauth.enso
new file mode 100644
index 000000000000..902ec9020902
--- /dev/null
+++ b/test-google-oauth.enso
@@ -0,0 +1,11 @@
+from Standard.Base import all
+from Standard.Google_Api import all
+import Standard.Google_Api.OAuth_Prototype
+
+main =
+    scopes = []
+    secret = OAuth_Prototype.authenticate_service scopes "google-sheets"
+    google_sheets = Google_Sheets.initialize secret
+    table = google_sheets.get_table "1Xa1cXLN4oeCl7FpD_IErfOMHhFuShpc1S5Buc0UF4b0" "Sheet1"
+    IO.println table
+    table.print

From cbbcf969c00f636eaa5d4d9c09040ba7161b1d2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Tue, 14 Jan 2025 13:53:48 +0100
Subject: [PATCH 08/17] a few fixes: ensure env vars, check has some scopes,
 ensure refresh token is returned by adding prompt, add label to secret

---
 .../0.0.0-dev/src/OAuth_Prototype.enso         | 18 ++++++++++++++----
 test-google-oauth.enso                         |  2 +-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
index 52e6c5b5dc8e..73dfce8b6758 100644
--- a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
+++ b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
@@ -16,33 +16,43 @@ authenticate_service scopes:Vector secret_name:Text location:Enso_File=Enso_File
     code = OAuth_Callback_Response.decode result . code
 
     refresh_token = exchange_one_time_code_for_refresh_token code
-    Enso_Secret.create secret_name (make_secret_payload refresh_token) parent=location
+    secret = Enso_Secret.create secret_name (make_secret_payload refresh_token) parent=location
+    Enso_File.new secret.path . add_label "Credentials"
+    secret
+
 
 exchange_one_time_code_for_refresh_token code:Text -> Text =
     uri = create_token_uri
     params = Dictionary.from_vector [["grant_type", "authorization_code"], ["code", code], ["redirect_uri", redirect_uri], ["client_id", client_id], ["client_secret", client_secret]]
     request_body = Request_Body.Form_Data params url_encoded=True
     response = Data.post uri body=request_body response_format=JSON_Format
+    IO.println response
     response.get "refresh_token"
 
-
 make_secret_payload refresh_token:Text -> Text =
     JS_Object.from_pairs [["type", "authorized_user"], ["refresh_token", refresh_token], ["client_id", client_id], ["client_secret", client_secret]]
+        . to_json
 
 create_authorization_uri scopes:Vector -> URI =
+    if scopes.is_empty then
+        Panic.throw (Illegal_State.Error "No scopes provided.")
     URI.from "https://accounts.google.com/o/oauth2/v2/auth"
         . add_query_argument "response_type" "code"
         . add_query_argument "access_type" "offline"
         . add_query_argument "client_id" client_id
         . add_query_argument "redirect_uri" redirect_uri
         . add_query_argument "scope" (scopes.join " ")
+        # Add prompt=consent to ensure that refresh token is returned always, not only first time...
+        . add_query_argument "prompt" "consent"
         . add_query_argument "state" "foobar"
 
 create_token_uri -> URI =
     URI.from "https://oauth2.googleapis.com/token"
 
-client_id = Environment.get "GOOGLE_APP_CLIENT_ID"
-client_secret = Environment.get "GOOGLE_APP_CLIENT_SECRET"
+get_env_var name:Text -> Text =
+    Environment.get name if_missing=(Panic.throw (Illegal_State.Error "Environment variable not set: "+name))
+client_id = get_env_var "GOOGLE_APP_CLIENT_ID"
+client_secret = get_env_var "GOOGLE_APP_CLIENT_SECRET"
 redirect_uri = "http://localhost:51234/oauth"
 
 type OAuth_Callback_Response
diff --git a/test-google-oauth.enso b/test-google-oauth.enso
index 902ec9020902..4887c4198000 100644
--- a/test-google-oauth.enso
+++ b/test-google-oauth.enso
@@ -3,7 +3,7 @@ from Standard.Google_Api import all
 import Standard.Google_Api.OAuth_Prototype
 
 main =
-    scopes = []
+    scopes = ["https://www.googleapis.com/auth/spreadsheets", "https://www.googleapis.com/auth/drive"]
     secret = OAuth_Prototype.authenticate_service scopes "google-sheets"
     google_sheets = Google_Sheets.initialize secret
     table = google_sheets.get_table "1Xa1cXLN4oeCl7FpD_IErfOMHhFuShpc1S5Buc0UF4b0" "Sheet1"

From 6e823031f5e116ca790241b1d63457e2f86bf1bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Tue, 14 Jan 2025 17:07:41 +0100
Subject: [PATCH 09/17] update Google APIs to newer version to resolve a buggy
 version check issue

related: https://stackoverflow.com/questions/73826431/compatibility-problems-when-using-2-0-0-google-api-client-for-gmail-calls
---
 build.sbt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/build.sbt b/build.sbt
index 5522f26d6cfe..aeb310e2ae9f 100644
--- a/build.sbt
+++ b/build.sbt
@@ -599,10 +599,10 @@ val jline = Seq(
 )
 
 // === Google =================================================================
-val googleApiClientVersion         = "2.2.0"
-val googleApiServicesSheetsVersion = "v4-rev612-1.25.0"
-val googleAnalyticsAdminVersion    = "0.62.0"
-val googleAnalyticsDataVersion     = "0.63.0"
+val googleApiClientVersion         = "2.7.1"
+val googleApiServicesSheetsVersion = "v4-rev20250106-2.0.0"
+val googleAnalyticsAdminVersion    = "0.66.0"
+val googleAnalyticsDataVersion     = "0.67.0"
 
 // === Other ==================================================================
 

From b574797d69ce1fa94ffd8e7fbfaaaa97ebc1977a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Tue, 14 Jan 2025 19:53:43 +0100
Subject: [PATCH 10/17] fixes to Google_Sheets to update it to changes in Enso

---
 .../0.0.0-dev/src/Google_Sheets.enso          | 23 +++++++++++++++----
 .../org/enso/google/GoogleSheetsHelpers.java  | 19 +++++++++++++++
 2 files changed, 37 insertions(+), 5 deletions(-)
 create mode 100644 std-bits/google-api/src/main/java/org/enso/google/GoogleSheetsHelpers.java

diff --git a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso
index 19519af865b9..79f411bad67c 100644
--- a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso
+++ b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso
@@ -12,9 +12,11 @@ polyglot java import com.google.api.client.googleapis.javanet.GoogleNetHttpTrans
 polyglot java import com.google.api.client.json.gson.GsonFactory
 polyglot java import com.google.api.services.sheets.v4.Sheets
 polyglot java import com.google.api.services.sheets.v4.SheetsScopes
+polyglot java import java.io.IOException
 polyglot java import java.util.Collections
 
 polyglot java import org.enso.google.GoogleOAuthSecretReader
+polyglot java import org.enso.google.GoogleSheetsHelpers
 
 type Google_Sheets
     ## PRIVATE
@@ -54,8 +56,19 @@ type Google_Sheets
          `'Sheet1!A1:B7'`.
     get_table : Text -> Text -> Table
     get_table self sheet_id sheet_range =
-        request = self.java_service.spreadsheets.values.get sheet_id sheet_range . setMajorDimension 'COLUMNS' . setValueRenderOption 'UNFORMATTED_VALUE'
-        response = request.execute
-        values = Vector.from_polyglot_array response.getValues
-        columned = values.map v-> [v.first, v.drop 1]
-        Table.new columned
+        values = _handle_exceptions <|
+            GoogleSheetsHelpers.getSheetRange self.java_service sheet_id sheet_range
+        # The first entry is the column name (A, B, ...) and the rest are the values.
+        column_vectors = values.map v-> [v.first, v.drop 1]
+        # The column lengths may not necessarily be the same, but Table.new expects the same lengths, so we normalize:
+        row_count = column_vectors.map (p-> p.second.length) . compute ..Maximum
+        normalized = column_vectors.map p->
+            [p.first, p.second.pad row_count Nothing]
+        Table.new normalized
+
+type Google_Api_Error
+    Error message cause
+
+private _handle_exceptions ~action =
+    Panic.catch IOException action caught_panic->
+        Error.throw (Google_Api_Error.Error caught_panic.payload.to_text caught_panic.payload)
diff --git a/std-bits/google-api/src/main/java/org/enso/google/GoogleSheetsHelpers.java b/std-bits/google-api/src/main/java/org/enso/google/GoogleSheetsHelpers.java
new file mode 100644
index 000000000000..f6c5f57692cf
--- /dev/null
+++ b/std-bits/google-api/src/main/java/org/enso/google/GoogleSheetsHelpers.java
@@ -0,0 +1,19 @@
+package org.enso.google;
+
+import com.google.api.services.sheets.v4.Sheets;
+
+import java.io.IOException;
+import java.util.List;
+
+public class GoogleSheetsHelpers {
+  /*
+   * We need to use this helper instead of calling the API directly from within Enso, because the intermediate values: Get request and Value implement AbstractMap which makes Enso convert them to the Enso Dictionary type and leaves us without access to their more specific methods.
+   */
+  public static List<List<Object>> getSheetRange(Sheets service, String sheetId, String range) throws IOException {
+    return service.spreadsheets().values().get(sheetId, range)
+        .setMajorDimension("COLUMNS")
+        .setValueRenderOption("UNFORMATTED_VALUE")
+        .execute()
+        .getValues();
+  }
+}

From dc0487c76863bbd45a9feb28b5a40f3f3e9ed3b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Tue, 14 Jan 2025 19:53:52 +0100
Subject: [PATCH 11/17] update sample script

---
 test-google-oauth.enso | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/test-google-oauth.enso b/test-google-oauth.enso
index 4887c4198000..da58ced864b1 100644
--- a/test-google-oauth.enso
+++ b/test-google-oauth.enso
@@ -1,10 +1,14 @@
 from Standard.Base import all
+import Standard.Base.Errors.Common.Not_Found
+
 from Standard.Google_Api import all
 import Standard.Google_Api.OAuth_Prototype
 
 main =
-    scopes = ["https://www.googleapis.com/auth/spreadsheets", "https://www.googleapis.com/auth/drive"]
-    secret = OAuth_Prototype.authenticate_service scopes "google-sheets"
+    secret_name = "google-sheets-3"
+    secret = Enso_Secret.get secret_name . catch Not_Found _->
+        scopes = ["https://www.googleapis.com/auth/spreadsheets", "https://www.googleapis.com/auth/drive"]
+        OAuth_Prototype.authenticate_service scopes "google-sheets-3"
     google_sheets = Google_Sheets.initialize secret
     table = google_sheets.get_table "1Xa1cXLN4oeCl7FpD_IErfOMHhFuShpc1S5Buc0UF4b0" "Sheet1"
     IO.println table

From d01e09bf7b3e87747e98319937a77857cd288f3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Wed, 15 Jan 2025 18:57:40 +0100
Subject: [PATCH 12/17] experiment: sharing token between clients?

---
 .../Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso    | 4 +++-
 test-google-oauth.enso                                        | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
index 73dfce8b6758..44a356170c87 100644
--- a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
+++ b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
@@ -30,7 +30,7 @@ exchange_one_time_code_for_refresh_token code:Text -> Text =
     response.get "refresh_token"
 
 make_secret_payload refresh_token:Text -> Text =
-    JS_Object.from_pairs [["type", "authorized_user"], ["refresh_token", refresh_token], ["client_id", client_id], ["client_secret", client_secret]]
+    JS_Object.from_pairs [["type", "authorized_user"], ["refresh_token", refresh_token], ["client_id", desktop_client_id], ["client_secret", desktop_client_secret]]
         . to_json
 
 create_authorization_uri scopes:Vector -> URI =
@@ -53,6 +53,8 @@ get_env_var name:Text -> Text =
     Environment.get name if_missing=(Panic.throw (Illegal_State.Error "Environment variable not set: "+name))
 client_id = get_env_var "GOOGLE_APP_CLIENT_ID"
 client_secret = get_env_var "GOOGLE_APP_CLIENT_SECRET"
+desktop_client_id = get_env_var "GOOGLE_APP_DESKTOP_CLIENT_ID"
+desktop_client_secret = get_env_var "GOOGLE_APP_DESKTOP_CLIENT_SECRET"
 redirect_uri = "http://localhost:51234/oauth"
 
 type OAuth_Callback_Response
diff --git a/test-google-oauth.enso b/test-google-oauth.enso
index da58ced864b1..37eaa2c52dc3 100644
--- a/test-google-oauth.enso
+++ b/test-google-oauth.enso
@@ -5,10 +5,10 @@ from Standard.Google_Api import all
 import Standard.Google_Api.OAuth_Prototype
 
 main =
-    secret_name = "google-sheets-3"
+    secret_name = "google-sheets-4"
     secret = Enso_Secret.get secret_name . catch Not_Found _->
         scopes = ["https://www.googleapis.com/auth/spreadsheets", "https://www.googleapis.com/auth/drive"]
-        OAuth_Prototype.authenticate_service scopes "google-sheets-3"
+        OAuth_Prototype.authenticate_service scopes "google-sheets-4"
     google_sheets = Google_Sheets.initialize secret
     table = google_sheets.get_table "1Xa1cXLN4oeCl7FpD_IErfOMHhFuShpc1S5Buc0UF4b0" "Sheet1"
     IO.println table

From 1c7bd477831f494225c9d75e274144aeb02f7f11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Wed, 15 Jan 2025 19:01:05 +0100
Subject: [PATCH 13/17] revert the failed experiment

---
 .../Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso    | 4 +---
 test-google-oauth.enso                                        | 4 ++--
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
index 44a356170c87..73dfce8b6758 100644
--- a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
+++ b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/OAuth_Prototype.enso
@@ -30,7 +30,7 @@ exchange_one_time_code_for_refresh_token code:Text -> Text =
     response.get "refresh_token"
 
 make_secret_payload refresh_token:Text -> Text =
-    JS_Object.from_pairs [["type", "authorized_user"], ["refresh_token", refresh_token], ["client_id", desktop_client_id], ["client_secret", desktop_client_secret]]
+    JS_Object.from_pairs [["type", "authorized_user"], ["refresh_token", refresh_token], ["client_id", client_id], ["client_secret", client_secret]]
         . to_json
 
 create_authorization_uri scopes:Vector -> URI =
@@ -53,8 +53,6 @@ get_env_var name:Text -> Text =
     Environment.get name if_missing=(Panic.throw (Illegal_State.Error "Environment variable not set: "+name))
 client_id = get_env_var "GOOGLE_APP_CLIENT_ID"
 client_secret = get_env_var "GOOGLE_APP_CLIENT_SECRET"
-desktop_client_id = get_env_var "GOOGLE_APP_DESKTOP_CLIENT_ID"
-desktop_client_secret = get_env_var "GOOGLE_APP_DESKTOP_CLIENT_SECRET"
 redirect_uri = "http://localhost:51234/oauth"
 
 type OAuth_Callback_Response
diff --git a/test-google-oauth.enso b/test-google-oauth.enso
index 37eaa2c52dc3..c225c8ddbae8 100644
--- a/test-google-oauth.enso
+++ b/test-google-oauth.enso
@@ -5,10 +5,10 @@ from Standard.Google_Api import all
 import Standard.Google_Api.OAuth_Prototype
 
 main =
-    secret_name = "google-sheets-4"
+    secret_name = "google-sheets-"+(Random.uuid.take 4)
     secret = Enso_Secret.get secret_name . catch Not_Found _->
         scopes = ["https://www.googleapis.com/auth/spreadsheets", "https://www.googleapis.com/auth/drive"]
-        OAuth_Prototype.authenticate_service scopes "google-sheets-4"
+        OAuth_Prototype.authenticate_service scopes secret_name
     google_sheets = Google_Sheets.initialize secret
     table = google_sheets.get_table "1Xa1cXLN4oeCl7FpD_IErfOMHhFuShpc1S5Buc0UF4b0" "Sheet1"
     IO.println table

From 8e97bb80c8957220aece4fcee6275a64b156f186 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Wed, 15 Jan 2025 19:41:47 +0100
Subject: [PATCH 14/17] using non deprecated Credentials API

---
 .../Google_Api/0.0.0-dev/src/Google_Sheets.enso   |  5 +----
 .../org/enso/google/GoogleOAuthSecretReader.java  |  6 +++---
 .../java/org/enso/google/GoogleSheetsHelpers.java | 15 +++++++++++++++
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso
index 79f411bad67c..030ec35708fd 100644
--- a/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso
+++ b/distribution/lib/Standard/Google_Api/0.0.0-dev/src/Google_Sheets.enso
@@ -31,7 +31,6 @@ type Google_Sheets
          Google Admin Console when generating a key.
     initialize : File|Enso_Secret -> Google_Sheets
     initialize secret_file =
-        app_name = 'Enso'
         base_credential = case secret_file of
             secret : Enso_Secret ->
                 # TODO to avoid passing credentials around, prod should probably create instance of Sheets and return it here
@@ -41,9 +40,7 @@ type Google_Sheets
                     stream.with_java_stream is->
                         GoogleCredential.fromStream is
         credential = base_credential.createScoped (Collections.singleton SheetsScopes.SPREADSHEETS)
-        http_transport = GoogleNetHttpTransport.newTrustedTransport
-        json_factory = GsonFactory.getDefaultInstance
-        service = Sheets.Builder.new http_transport json_factory credential . setApplicationName app_name . build
+        service = GoogleSheetsHelpers.createService credential
         Google_Sheets.Service service
 
     ## ICON data_input
diff --git a/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java b/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
index fddbe065cd01..b837b4f19df9 100644
--- a/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
+++ b/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
@@ -1,6 +1,6 @@
 package org.enso.google;
 
-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.auth.oauth2.GoogleCredentials;
 import org.enso.base.enso_cloud.ExternalLibrarySecretHelper;
 import org.enso.base.enso_cloud.HideableValue;
 
@@ -8,11 +8,11 @@
 import java.io.IOException;
 
 public class GoogleOAuthSecretReader {
-  public static GoogleCredential createCredentialFromSecretValue(HideableValue secretValue) {
+  public static GoogleCredentials createCredentialFromSecretValue(HideableValue secretValue) {
     String payload = ExternalLibrarySecretHelper.resolveValue(secretValue);
     ByteArrayInputStream stream = new ByteArrayInputStream(payload.getBytes());
     try {
-      return GoogleCredential.fromStream(stream);
+      return GoogleCredentials.fromStream(stream);
     } catch (IOException e) {
       throw new RuntimeException(e);
     }
diff --git a/std-bits/google-api/src/main/java/org/enso/google/GoogleSheetsHelpers.java b/std-bits/google-api/src/main/java/org/enso/google/GoogleSheetsHelpers.java
index f6c5f57692cf..23c5b22f397c 100644
--- a/std-bits/google-api/src/main/java/org/enso/google/GoogleSheetsHelpers.java
+++ b/std-bits/google-api/src/main/java/org/enso/google/GoogleSheetsHelpers.java
@@ -1,8 +1,13 @@
 package org.enso.google;
 
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.services.sheets.v4.Sheets;
+import com.google.auth.http.HttpCredentialsAdapter;
+import com.google.auth.oauth2.GoogleCredentials;
 
 import java.io.IOException;
+import java.security.GeneralSecurityException;
 import java.util.List;
 
 public class GoogleSheetsHelpers {
@@ -16,4 +21,14 @@ public static List<List<Object>> getSheetRange(Sheets service, String sheetId, S
         .execute()
         .getValues();
   }
+
+  public static Sheets createService(GoogleCredentials credentials) throws GeneralSecurityException, IOException {
+    var credentialsAdapter = new HttpCredentialsAdapter(credentials);
+    Sheets.Builder builder = new Sheets.Builder(
+        GoogleNetHttpTransport.newTrustedTransport(),
+        GsonFactory.getDefaultInstance(),
+        credentialsAdapter
+    ).setApplicationName("Enso");
+    return builder.build();
+  }
 }

From 4dac04d266b624ab6c5a0ce8ec9ccd7ee4fc3865 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Wed, 15 Jan 2025 19:59:25 +0100
Subject: [PATCH 15/17] experiment - overriding google credentials with
 'custom' refresh logic

---
 .../enso/google/GoogleOAuthSecretReader.java  | 40 ++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java b/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
index b837b4f19df9..9ec7341ba540 100644
--- a/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
+++ b/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
@@ -1,20 +1,58 @@
 package org.enso.google;
 
+import com.google.auth.oauth2.AccessToken;
 import com.google.auth.oauth2.GoogleCredentials;
+import com.google.auth.oauth2.UserCredentials;
 import org.enso.base.enso_cloud.ExternalLibrarySecretHelper;
 import org.enso.base.enso_cloud.HideableValue;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.util.List;
+import java.util.Map;
 
 public class GoogleOAuthSecretReader {
   public static GoogleCredentials createCredentialFromSecretValue(HideableValue secretValue) {
     String payload = ExternalLibrarySecretHelper.resolveValue(secretValue);
     ByteArrayInputStream stream = new ByteArrayInputStream(payload.getBytes());
     try {
-      return GoogleCredentials.fromStream(stream);
+      var loadedCredentials = UserCredentials.fromStream(stream);
+      return new CloudRenewableGoogleCredentials(loadedCredentials);
     } catch (IOException e) {
       throw new RuntimeException(e);
     }
   }
+
+  private static class CloudRenewableGoogleCredentials extends GoogleCredentials {
+    private final UserCredentials underlying;
+    private AccessToken token = null;
+
+    public CloudRenewableGoogleCredentials(UserCredentials underlying) {
+      super();
+      this.underlying = underlying;
+    }
+
+    @Override
+    public void refresh() throws IOException {
+      System.err.println("Refreshing credentials: here we could query the Enso Cloud instead");
+      token = underlying.refreshAccessToken();
+    }
+
+    @Override
+    public AccessToken refreshAccessToken() throws IOException {
+      refresh();
+      return token;
+    }
+
+    @Override
+    public Map<String, List<String>> getRequestMetadata() throws IOException {
+      if (token == null) {
+        refresh();
+      }
+
+      return Map.of(
+          "Authorization", List.of("Bearer "+token.getTokenValue())
+      );
+    }
+  }
 }

From f983aa590bc47efc5c0af3725f8b024046e0f936 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Mon, 3 Mar 2025 22:38:45 +0100
Subject: [PATCH 16/17] bump dep to match

---
 build.sbt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.sbt b/build.sbt
index e7e99e6afcd7..4b40b48058ff 100644
--- a/build.sbt
+++ b/build.sbt
@@ -607,7 +607,7 @@ val googleApiClientVersion         = "2.7.1"
 val googleApiServicesSheetsVersion = "v4-rev20250106-2.0.0"
 val googleAnalyticsAdminVersion    = "0.66.0"
 val googleAnalyticsDataVersion     = "0.67.0"
-val grpcVersion                    = "1.67.1"
+val grpcVersion                    = "1.69.0"
 
 // === Other ==================================================================
 

From e0bd5da58418964dfec01894c93e81be29656ae6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Wa=C5=9Bko?= <radoslaw.wasko@enso.org>
Date: Thu, 6 Mar 2025 20:35:46 +0100
Subject: [PATCH 17/17] Add a command line to generate Cloud credentials

---
 build_tools/build/src/cloud_tests/mod.rs | 5 +++++
 build_tools/cli/src/arg/backend.rs       | 3 +++
 build_tools/cli/src/lib.rs               | 7 +++++++
 3 files changed, 15 insertions(+)

diff --git a/build_tools/build/src/cloud_tests/mod.rs b/build_tools/build/src/cloud_tests/mod.rs
index 50395ad11d35..98e442edb3d1 100644
--- a/build_tools/build/src/cloud_tests/mod.rs
+++ b/build_tools/build/src/cloud_tests/mod.rs
@@ -33,6 +33,11 @@ pub async fn prepare_credentials_file(auth_config: AuthConfig) -> Result<NamedTe
     Ok(credentials_temp_file)
 }
 
+pub async fn build_credentials_file(auth_config: AuthConfig, path: &Path) -> Result<()> {
+    let credentials = build_credentials(auth_config).await?;
+    save_credentials(&credentials, path)
+}
+
 #[derive(Debug)]
 pub struct AuthConfig {
     web_client_id: String,
diff --git a/build_tools/cli/src/arg/backend.rs b/build_tools/cli/src/arg/backend.rs
index 0509dae3f068..b902a64ac80e 100644
--- a/build_tools/cli/src/arg/backend.rs
+++ b/build_tools/cli/src/arg/backend.rs
@@ -59,6 +59,9 @@ pub enum Command {
     CiCheck {},
     /// Perform the stdlib API checks
     StdlibApiCheck {},
+
+    /// Generate Cloud credentials
+    GenerateCloudCredentials {},
 }
 
 #[derive(Args, Clone, Debug, PartialEq)]
diff --git a/build_tools/cli/src/lib.rs b/build_tools/cli/src/lib.rs
index 2b0ea8029685..e5a43e3b3555 100644
--- a/build_tools/cli/src/lib.rs
+++ b/build_tools/cli/src/lib.rs
@@ -29,6 +29,7 @@ use crate::arg::WatchJob;
 use anyhow::Context;
 use arg::BuildDescription;
 use clap::Parser;
+use enso_build::cloud_tests;
 use enso_build::config::Config;
 use enso_build::context::BuildContext;
 use enso_build::engine::context::EnginePackageProvider;
@@ -449,6 +450,12 @@ impl Processor {
                 .void_ok()
                 .boxed()
             }
+            arg::backend::Command::GenerateCloudCredentials {} => async move {
+                let auth_config = cloud_tests::build_auth_config_from_environment()?;
+                let path = Path::new("enso.credentials");
+                cloud_tests::build_credentials_file(auth_config, path).await
+            }
+            .boxed(),
         }
     }