Skip to content

Core: Add feature flag to skip inherited Authorization header in token request#17148

Open
raphaelsolarski wants to merge 1 commit into
apache:mainfrom
raphaelsolarski:skip-inherited-auth-header-in-token-request
Open

Core: Add feature flag to skip inherited Authorization header in token request#17148
raphaelsolarski wants to merge 1 commit into
apache:mainfrom
raphaelsolarski:skip-inherited-auth-header-in-token-request

Conversation

@raphaelsolarski

@raphaelsolarski raphaelsolarski commented Jul 9, 2026

Copy link
Copy Markdown

Description

When RESTSessionCatalog is configured with a client_credentials,
initSession() exchanges that credential for token, which becomes the Authorization: Bearer ... header on the catalog session.
If a SessionContext also carries a credential (the pattern used by Trino when iceberg.rest-catalog.session=NONE) the first catalog operation triggers contextualSession() -> fromCredential(), which inherits the catalog parent session headers and forwards existing Authorization header alongside client_id+client_secret in body to the authorization server.

Some OAuth2 authorization servers (in particular Okta) rejects such requests for token which contains both Authorization: Bearer abcs header and client_id+client_secret key pair (please see example how to check it directly on Okta).

This PR is a proposition of filtering out Authorization header from headers inherited from parent session for token call in client credentials flow.
To not break any existing use case scenario the filtering is hidden behind skip-inherited-auth-header-in-token-request feature flag passed as config property to RESTSessionCatalog.

Reproduction of behavior directly on Okta

CLIENT_ID="<CLIENT_ID>"
CLIENT_SECRET="<CLIENT_SECRET>"
OKTA_TOKEN_URL="<https://...okta.com/oauth2/.../v1/token>"
OKTA_SCOPE="datacatalog"

# successful request
ACCESS_TOKEN=$(curl -X POST "$OKTA_TOKEN_URL" \
--header "Accept: application/json" \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "X-Client-Version: Apache Iceberg 1.10.1-e.1 (commit 57448704eb9967abee52da13672326592e9ebe25)" \
--data "grant_type=client_credentials" \
--data "client_id=$CLIENT_ID" \
--data "client_secret=$CLIENT_SECRET" \
--data "scope=$OKTA_SCOPE" | jq -r '.access_token')
# results: 200 + {"token_type":"Bearer","expires_in":3600,"access_token":"...","scope":"datacatalog"}

# subsequent request which inherit Authorization header from session
curl -X POST "$OKTA_TOKEN_URL" \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--header "Accept: application/json" \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "X-Client-Version: Apache Iceberg 1.10.1-e.1 (commit 57448704eb9967abee52da13672326592e9ebe25)" \
--data "grant_type=client_credentials" \
--data "client_id=$CLIENT_ID" \
--data "client_secret=$CLIENT_SECRET" \
--data "scope=$OKTA_SCOPE"

# results:
# 401 + {"errorCode":"invalid_client","errorSummary":"No client credentials found.","errorLink":"invalid_client","errorId":"...","errorCauses":[]}

@github-actions github-actions Bot added the core label Jul 9, 2026
@raphaelsolarski raphaelsolarski force-pushed the skip-inherited-auth-header-in-token-request branch 2 times, most recently from e728163 to f3fc993 Compare July 10, 2026 12:31
@raphaelsolarski raphaelsolarski marked this pull request as ready for review July 10, 2026 19:01
long startTimeMillis = System.currentTimeMillis();
Map<String, String> headers =
parent.config().skipInheritedAuthHeaderInTokenRequest()
? Maps.filterKeys(parent.headers(), key -> !AUTHORIZATION_HEADER.equals(key))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: We could use equalsIgnoreCase just in case. Future code could add Authorization header with different casing.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good point, fixed

OAuthTokenResponse response =
exchangeToken(
client,
parent.headers(),

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line also passes parent.headers() directly. Is it an oversight or intentional?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now it is intentional - in fromCredential it is obvious that this header should not be passed. But in case of token exchange I'm not sure because there are multiple scenarios how token exchange request can be authenticated. I need a bit of time to reason about it.

* from rejecting the token request due to using multiple authentication methods.
*/
public static final String SKIP_INHERITED_AUTH_HEADER_IN_TOKEN_REQUEST =
"skip-inherited-auth-header-in-token-request";

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add this property to OAuth2 auth properties in https://github.com/apache/iceberg/blob/main/docs/docs/catalog-properties.md?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok. Added.

@raphaelsolarski raphaelsolarski force-pushed the skip-inherited-auth-header-in-token-request branch from f3fc993 to cd91661 Compare July 13, 2026 18:45
@github-actions github-actions Bot added the docs label Jul 13, 2026
@raphaelsolarski raphaelsolarski force-pushed the skip-inherited-auth-header-in-token-request branch from cd91661 to fdfce7a Compare July 13, 2026 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants