Xuanwo opened a new issue, #685:
URL: https://github.com/apache/opendal-reqsign/issues/685
## Background
reqsign's goal is to provide a unified credential loading + request signing
implementation for all OpenDAL services, so OpenDAL backends can remove
per-service auth code.
## Current progress (OpenDAL integration)
The following OpenDAL services are already using reqsign-based credential
loading and/or signing:
- AWS S3: `reqsign-aws-v4` + `reqsign-core` (including AssumeRole credential
chain)
- Aliyun OSS: `reqsign-aliyun-oss`
- Tencent COS: `reqsign-tencent-cos`
- HuaweiCloud OBS: `reqsign-huaweicloud-obs`
- Azure Storage (azblob/azfile/azdls, plus ghac writer):
`reqsign-azure-storage`
- Google Cloud Storage (GCS): `reqsign-google`
(Observed in OpenDAL worktree `opendal/treat-despair` on 2026-01-26.)
## Remaining OpenDAL services with local auth implementations
The following OpenDAL services still implement local credential/token
loading and/or signing logic without reqsign:
- `aliyun-drive` (OAuth refresh flow, local signer)
- `b2` (authorize-account exchange + token cache/refresh)
- `seafile` (token fetch + cache, repo id discovery)
- `koofr` (email/password -> token exchange + cache)
- `onedrive` (OAuth2 refresh flow, token cache)
- `dropbox` (Bearer access token injection)
- `gdrive` (Bearer access token injection)
- `github` (optional Bearer token injection + fixed headers)
- `cloudflare-kv` (Authorization header injection)
- `vercel-blob` (Bearer token injection)
- `yandex-disk` (OAuth token injection)
- `swift` (X-Auth-Token header injection)
- `upyun` (HMAC-based request signature)
## Proposed task breakdown (reqsign side)
### A. Token-only / header injection
Target services:
- `github` (Bearer token + fixed headers)
- `vercel-blob` (`Authorization: Bearer <token>`)
- `yandex-disk` (`Authorization: OAuth <token>`)
- `cloudflare-kv` (`Authorization: <api_token>`)
- `dropbox` (`Authorization: Bearer <access_token>`)
- `gdrive` (`Authorization: Bearer <access_token>`)
- `swift` (`X-Auth-Token: <token>`)
Deliverable:
- Minimal service crates (or a shared helper in `reqsign-core`) that expose
config/credential types and implement request signing.
### B. Login/exchange token + caching
Target services:
- `b2` (Basic auth -> authorization token, valid up to 24h)
- `seafile` (fetch auth token, then `Authorization: Token <token>`, plus
repo id discovery)
- `koofr` (exchange email/password for `Token token=<...>`)
Deliverable:
- Service-specific `ProvideCredential` implementation with
caching/expiration where applicable.
### C. OAuth2 refresh token flow
Target services:
- `aliyun-drive` (refresh_token -> access_token, refresh_token update,
expiration tracking)
- `onedrive` (OAuth2 refresh endpoint)
Deliverable:
- Service-specific providers using `reqsign-core` contexts (`HttpSend`,
`FileRead`, env) and returning typed credentials.
### D. Request signature (HMAC)
Target services:
- `upyun` (HMAC-SHA1 signature and required headers)
Deliverable:
- Service crate implementing the signing algorithm and test vectors.
## Acceptance criteria
- Each listed service has a reqsign-backed credential loader/provider (where
applicable) and signer.
- OpenDAL service crates can delete local signer/token-refresh code and
depend on reqsign instead.
- Unit tests cover:
- canonical header format
- token refresh/caching behavior
- signature correctness (for HMAC-based services)
## Tracking checklist
- [ ] `reqsign-upyun`
- [ ] `reqsign-b2`
- [ ] `reqsign-seafile`
- [ ] `reqsign-koofr`
- [ ] `reqsign-aliyun-drive`
- [ ] `reqsign-onedrive`
- [ ] `reqsign-dropbox`
- [ ] `reqsign-gdrive`
- [ ] `reqsign-github`
- [ ] `reqsign-cloudflare-kv`
- [ ] `reqsign-vercel-blob`
- [ ] `reqsign-yandex-disk`
- [ ] `reqsign-swift`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
