Core: Add feature flag to skip inherited Authorization header in token request#17148
Conversation
e728163 to
f3fc993
Compare
| long startTimeMillis = System.currentTimeMillis(); | ||
| Map<String, String> headers = | ||
| parent.config().skipInheritedAuthHeaderInTokenRequest() | ||
| ? Maps.filterKeys(parent.headers(), key -> !AUTHORIZATION_HEADER.equals(key)) |
There was a problem hiding this comment.
nit: We could use equalsIgnoreCase just in case. Future code could add Authorization header with different casing.
| OAuthTokenResponse response = | ||
| exchangeToken( | ||
| client, | ||
| parent.headers(), |
There was a problem hiding this comment.
This line also passes parent.headers() directly. Is it an oversight or intentional?
There was a problem hiding this comment.
For now it is intentional - in fromCredential it is obvious that this header should not be passed. But in case of token exchange I'm not sure because there are multiple scenarios how token exchange request can be authenticated. I need a bit of time to reason about it.
| * from rejecting the token request due to using multiple authentication methods. | ||
| */ | ||
| public static final String SKIP_INHERITED_AUTH_HEADER_IN_TOKEN_REQUEST = | ||
| "skip-inherited-auth-header-in-token-request"; |
There was a problem hiding this comment.
Can we add this property to OAuth2 auth properties in https://github.com/apache/iceberg/blob/main/docs/docs/catalog-properties.md?
f3fc993 to
cd91661
Compare
cd91661 to
fdfce7a
Compare
Description
When
RESTSessionCatalogis configured with a client_credentials,initSession() exchanges that credential for token, which becomes the
Authorization: Bearer ...header on the catalog session.If a
SessionContextalso carries a credential (the pattern used by Trino wheniceberg.rest-catalog.session=NONE) the first catalog operation triggerscontextualSession()->fromCredential(), which inherits the catalog parent session headers and forwards existingAuthorizationheader alongsideclient_id+client_secretin body to the authorization server.Some OAuth2 authorization servers (in particular Okta) rejects such requests for token which contains both
Authorization: Bearer abcsheader andclient_id+client_secretkey pair (please see example how to check it directly on Okta).This PR is a proposition of filtering out
Authorizationheader from headers inherited from parent session for token call in client credentials flow.To not break any existing use case scenario the filtering is hidden behind
skip-inherited-auth-header-in-token-requestfeature flag passed as config property toRESTSessionCatalog.Reproduction of behavior directly on Okta