[HADOOP-18510] Azure RefreshTokenBasedTokenProvider is only supporting public client - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.3.4
Fix Version/s: None
Component/s: fs/azure
Labels:
- pull-request-available
- security

Description

The Azure RefreshTokenBasedTokenProvider is assuming the client is public, meaning it's not exchanging the refresh token to an access token with the client secret.

This limitation is not really justify and the RefreshTokenBasedTokenProvider should use the client secret if present.

From my understanding, there is no particular reason to think that hadoop is not able to store secrets securely, especially as I see the client credential flow, which require a confidential client, is supported by the library.

The fix is to simply inject the client secret in the request, using client basic auth method or client Post auth method, when the client secret is present.

https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/RefreshTokenBasedTokenProvider.java#L61

Attachments

Issue Links

links to

GitHub Pull Request #5082

Activity

People

Assignee:: Unassigned

Reporter:: Quentin Castel

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 27/Oct/22 08:07

Updated:: 19/Dec/23 08:04