Posted to common-issues@hadoop.apache.org by "Quentin Castel (Jira)" <ji...@apache.org> on 2022/10/27 08:08:00 UTC

[jira] [Created] (HADOOP-18510) Azure RefreshTokenBasedTokenProvider is only supporting public client

Quentin Castel created HADOOP-18510:
---------------------------------------

             Summary: Azure RefreshTokenBasedTokenProvider is only supporting public client
                 Key: HADOOP-18510
                 URL: https://issues.apache.org/jira/browse/HADOOP-18510
             Project: Hadoop Common
          Issue Type: Bug
          Components: fs/azure
    Affects Versions: 3.3.4
            Reporter: Quentin Castel


The Azure RefreshTokenBasedTokenProvider assumes the client is public, meaning it does not exchange the refresh token for an access token with the client secret.

This limitation is not really justified, and the RefreshTokenBasedTokenProvider should use the client secret if present.

From my understanding, there is no particular reason to think that Hadoop is not able to store secrets securely, especially as I see the client credential flow, which requires a confidential client, is supported by the library.

The fix is to simply inject the client secret in the request, using the client basic auth method or the client POST auth method, when the client secret is present.

 

https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/RefreshTokenBasedTokenProvider.java#L61



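The behaviour the report asks for, as an added example that is not the reporter's patch or Hadoop's code: a refresh-token grant request that authenticates the client with its secret only when one is configured, using either of the two methods the report names. The class and method names, the endpoint URL and all credential values are constructed for illustration; the form parameter names are those of the OAuth 2.0 refresh token grant (RFC 6749).

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class RefreshTokenRequestExample {
  enum ClientAuth { BASIC, POST }  // hypothetical selector for the two methods

  static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

  static String form(Map<String, String> p) {
    return p.entrySet().stream().map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
        .collect(Collectors.joining("&"));
  }

  // A null or empty clientSecret means a public client: the request is then
  // identical to the public-client request, so existing setups keep working.
  static HttpRequest build(URI tokenEndpoint, String clientId, String clientSecret,
                           String refreshToken, ClientAuth method) {
    Map<String, String> params = new LinkedHashMap<>();
    params.put("grant_type", "refresh_token");
    params.put("refresh_token", refreshToken);
    HttpRequest.Builder b = HttpRequest.newBuilder(tokenEndpoint)
        .header("Content-Type", "application/x-www-form-urlencoded");
    boolean confidential = clientSecret != null && !clientSecret.isEmpty();
    if (confidential && method == ClientAuth.BASIC) {
      // Basic auth: id and secret are form-encoded before being joined with ':'.
      byte[] creds = (enc(clientId) + ":" + enc(clientSecret)).getBytes(StandardCharsets.UTF_8);
      b.header("Authorization", "Basic " + Base64.getEncoder().encodeToString(creds));
    } else {
      params.put("client_id", clientId);
      if (confidential) params.put("client_secret", clientSecret);  // POST method
    }
    return b.POST(HttpRequest.BodyPublishers.ofString(form(params))).build();
  }

  public static void main(String[] args) {
    URI endpoint = URI.create("https://login.example.invalid/tenant/oauth2/token");  // placeholder
    for (String secret : new String[] {null, "constructed-secret"}) {
      HttpRequest r = build(endpoint, "constructed-client-id", secret,
          "constructed-refresh-token", ClientAuth.BASIC);
      // Report only whether client authentication was attached, never the secret.
      System.out.println("secret configured=" + (secret != null) + ", Authorization header="
          + r.headers().firstValue("Authorization").isPresent());
    }
  }
}
```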