[jira] [Updated] (HADOOP-18510) Azure RefreshTokenBasedTokenProvider is only supporting public client

["ASF GitHub Bot (Jira)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/HADOOP-18510?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated HADOOP-18510:
------------------------------------
    Labels: pull-request-available security  (was: security)

> Azure RefreshTokenBasedTokenProvider is only supporting public client
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-18510
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18510
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/azure
>    Affects Versions: 3.3.4
>            Reporter: Quentin Castel
>            Priority: Major
>              Labels: pull-request-available, security
>
> The Azure RefreshTokenBasedTokenProvider is assuming the client is public, meaning it's not exchanging the refresh token to an access token with the client secret.
>  
> This limitation is not really justify and the RefreshTokenBasedTokenProvider should use the client secret if present.
>  
> From my understanding, there is no particular reason to think that hadoop is not able to store secrets securely, especially as I see the client credential flow, which require a confidential client, is supported by the library.
>  
> The fix is to simply inject the client secret in the request, using client basic auth method or client Post auth method, when the client secret is present.
>  
> https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/RefreshTokenBasedTokenProvider.java#L61



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org