Re: [PR] Update DefaultOAuth2ApiService to support multiple token types and client secret without id [polaris]

via GitHub Wed, 05 Feb 2025 19:55:07 -0800


dimas-b commented on code in PR #952:
URL: https://github.com/apache/polaris/pull/952#discussion_r1944036363



##########
service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java:
##########
@@ -75,43 +74,39 @@ public Response getToken(
     if (!tokenBroker.supportsRequestedTokenType(requestedTokenType)) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
     }
-    if (authHeader == null && clientId == null) {
+    if (authHeader == null && clientSecret == null) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
     }
-    if (authHeader != null && clientId == null && authHeader.startsWith("Basic 
")) {
+    // token exchange with client id and client secret means the client has 
previously
+    // attempted to refresh an access token, but refreshing was not supported 
by the token broker.
+    // Accept the client id and secret and treat it as a new token request
+    if (authHeader != null && clientSecret == null && 
authHeader.startsWith("Basic ")) {

Review Comment:
   Sorry, but I'm not sure how this logic aligns with the comment above. "With 
... client secret", but the secret is `null` here?... Would you mind clarifying 
the comment?



##########
service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java:
##########
@@ -75,43 +74,39 @@ public Response getToken(
     if (!tokenBroker.supportsRequestedTokenType(requestedTokenType)) {

Review Comment:
   Why do we check `requestedTokenType`, but not use it?



##########
service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java:
##########
@@ -75,43 +74,39 @@ public Response getToken(
     if (!tokenBroker.supportsRequestedTokenType(requestedTokenType)) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
     }
-    if (authHeader == null && clientId == null) {
+    if (authHeader == null && clientSecret == null) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
     }
-    if (authHeader != null && clientId == null && authHeader.startsWith("Basic 
")) {
+    // token exchange with client id and client secret means the client has 
previously
+    // attempted to refresh an access token, but refreshing was not supported 
by the token broker.
+    // Accept the client id and secret and treat it as a new token request
+    if (authHeader != null && clientSecret == null && 
authHeader.startsWith("Basic ")) {
       String credentials = new 
String(Base64.decodeBase64(authHeader.substring(6)), UTF_8);
-      if (!credentials.contains(":")) {
-        return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
-      }
       LOGGER.debug("Found credentials in auth header - treating as 
client_credentials");
       String[] parts = credentials.split(":", 2);
-      clientId = parts[0];
-      clientSecret = parts[1];
+      if (parts.length == 2) {
+        clientId = parts[0];
+        clientSecret = parts[1];
+      } else if (parts.length == 1) {
+        clientSecret = parts[0];
+      } else {
+        LOGGER.debug("Don't know how to parse Basic auth header");
+        
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
+      }
+    }
+    TokenResponse tokenResponse;
+    if (subjectToken != null) {

Review Comment:
   nit: In this case, client ID/secret appear to be parsed from the request 
data, but not used (not validated)... why bother parsing what we do not use?



##########
service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java:
##########
@@ -75,43 +74,39 @@ public Response getToken(
     if (!tokenBroker.supportsRequestedTokenType(requestedTokenType)) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
     }
-    if (authHeader == null && clientId == null) {
+    if (authHeader == null && clientSecret == null) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
     }
-    if (authHeader != null && clientId == null && authHeader.startsWith("Basic 
")) {
+    // token exchange with client id and client secret means the client has 
previously
+    // attempted to refresh an access token, but refreshing was not supported 
by the token broker.
+    // Accept the client id and secret and treat it as a new token request
+    if (authHeader != null && clientSecret == null && 
authHeader.startsWith("Basic ")) {
       String credentials = new 
String(Base64.decodeBase64(authHeader.substring(6)), UTF_8);
-      if (!credentials.contains(":")) {
-        return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
-      }
       LOGGER.debug("Found credentials in auth header - treating as 
client_credentials");
       String[] parts = credentials.split(":", 2);
-      clientId = parts[0];
-      clientSecret = parts[1];
+      if (parts.length == 2) {
+        clientId = parts[0];
+        clientSecret = parts[1];
+      } else if (parts.length == 1) {
+        clientSecret = parts[0];
+      } else {
+        LOGGER.debug("Don't know how to parse Basic auth header");
+        
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
+      }
+    }
+    TokenResponse tokenResponse;
+    if (subjectToken != null) {
+      if (!tokenBroker.supportsRequestedTokenType(subjectTokenType)) {

Review Comment:
   why do we apply the  "requested token type" check to the "subject token 
type"?



##########
service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java:
##########
@@ -75,43 +74,39 @@ public Response getToken(
     if (!tokenBroker.supportsRequestedTokenType(requestedTokenType)) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
     }
-    if (authHeader == null && clientId == null) {
+    if (authHeader == null && clientSecret == null) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
     }
-    if (authHeader != null && clientId == null && authHeader.startsWith("Basic 
")) {
+    // token exchange with client id and client secret means the client has 
previously
+    // attempted to refresh an access token, but refreshing was not supported 
by the token broker.
+    // Accept the client id and secret and treat it as a new token request
+    if (authHeader != null && clientSecret == null && 
authHeader.startsWith("Basic ")) {

Review Comment:
   I'm fine with this change as it is obviously meant to support existing 
Iceberg REST client, but I do not think this logic follows the client 
credentials flow in RFC [6749](https://www.rfc-editor.org/rfc/rfc6749#page-40). 
Specifically, "client secret" is not supposed to be passed in the POST body 
(from where the initial value for `clientSecret` comes, if I'm not mistaken).



##########
service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java:
##########
@@ -75,43 +74,39 @@ public Response getToken(
     if (!tokenBroker.supportsRequestedTokenType(requestedTokenType)) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
     }
-    if (authHeader == null && clientId == null) {
+    if (authHeader == null && clientSecret == null) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
     }
-    if (authHeader != null && clientId == null && authHeader.startsWith("Basic 
")) {
+    // token exchange with client id and client secret means the client has 
previously
+    // attempted to refresh an access token, but refreshing was not supported 
by the token broker.
+    // Accept the client id and secret and treat it as a new token request
+    if (authHeader != null && clientSecret == null && 
authHeader.startsWith("Basic ")) {
       String credentials = new 
String(Base64.decodeBase64(authHeader.substring(6)), UTF_8);
-      if (!credentials.contains(":")) {
-        return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
-      }
       LOGGER.debug("Found credentials in auth header - treating as 
client_credentials");
       String[] parts = credentials.split(":", 2);
-      clientId = parts[0];
-      clientSecret = parts[1];
+      if (parts.length == 2) {
+        clientId = parts[0];
+        clientSecret = parts[1];
+      } else if (parts.length == 1) {
+        clientSecret = parts[0];
+      } else {
+        LOGGER.debug("Don't know how to parse Basic auth header");
+        
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);

Review Comment:
   should this be returned?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Update DefaultOAuth2ApiService to support multiple token types and client secret without id [polaris]

Reply via email to