You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by GitBox <gi...@apache.org> on 2022/10/27 08:35:08 UTC

[GitHub] [hadoop] qcastel commented on a diff in pull request #5082: HADOOP-18510. Support confidential client in Azure refresh token gran…

qcastel commented on code in PR #5082:
URL: https://github.com/apache/hadoop/pull/5082#discussion_r1006566902


##########
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/AzureADAuthenticator.java:
##########
@@ -168,12 +168,14 @@ public static AzureADToken getTokenFromMsi(final String authEndpoint,
    */
   public static AzureADToken getTokenUsingRefreshToken(
       final String authEndpoint, final String clientId,
-      final String refreshToken) throws IOException {
+      final String clientSecret, final String refreshToken) throws IOException {
     QueryParams qp = new QueryParams();
     qp.add("grant_type", "refresh_token");
     qp.add("refresh_token", refreshToken);
-    if (clientId != null) {

Review Comment:
   Nope, the client id is not optional in the refresh token grant flow. Thats a miss interpretation on your part of the spec.
   
   I think you have been miss leading by how it's written in the spec in section 6
   https://www.rfc-editor.org/rfc/rfc6749#section-6
   
   here it doesn't say in that section that the client id is required, just because there is different way to inject the client credential into the request (ie POST or BASIC, even client assertion).
   But you see in the example that the authorisation header is setup and this contains the client ID in there.
   
   For confidential client, its quite obvious that the client ID is required. For public client (which you want to support too), it's also required, as said in:
   
   ```
   authenticate the client if client authentication is included and
         ensure that the refresh token was issued to the authenticated
         client, and
   ```
   
   Your code currrently only support one type of auth method, the POST one.
   You then can assume that in this line, the client ID is required.
   
   You can revisit injecting it in the body of the request if one day you decide to support the auth method BASIC as well. Would just mean the client ID is in the request but in a header instead.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org