Quentin Castel created HADOOP-18510:
---------------------------------------
Summary: Azure RefreshTokenBasedTokenProvider is only supporting public client
Key: HADOOP-18510
URL: https://issues.apache.org/jira/browse/HADOOP-18510
Project: Hadoop Common
Issue Type: Bug
Components: fs/azure
Affects Versions: 3.3.4
Reporter: Quentin Castel
The Azure RefreshTokenBasedTokenProvider is assuming the client is public,
meaning it's not exchanging the refresh token for an access token with the
client secret.
This limitation is not really justified and the RefreshTokenBasedTokenProvider
should use the client secret if present.
From my understanding, there is no particular reason to think that Hadoop is
not able to store secrets securely, especially as I see the client credential
flow, which requires a confidential client, is supported by the library.
The fix is to simply inject the client secret in the request, using client
basic auth method or client Post auth method, when the client secret is present.
https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/RefreshTokenBasedTokenProvider.java#L61
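The fix proposed in the report, sketched as an added example (not Hadoop's code and not the patch for this issue): a `refresh_token` grant request per RFC 6749 that carries the client secret only when one is configured, either in the form body (client POST auth) or in an `Authorization: Basic` header (client basic auth). The class, enum and method names and the credential values are hypothetical.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

/** Added example: refresh_token grant request for a public or a confidential client. */
public class RefreshTokenRequestExample {
  enum ClientAuth { POST, BASIC }

  static String enc(String s) {
    return URLEncoder.encode(s, StandardCharsets.UTF_8); // Java 10+
  }

  /** Form body for the token endpoint. The secret never goes in the URL query string. */
  static String body(String clientId, String clientSecret, String refreshToken, ClientAuth auth) {
    boolean confidential = clientSecret != null && !clientSecret.isEmpty();
    Map<String, String> form = new LinkedHashMap<>();
    form.put("grant_type", "refresh_token");
    form.put("refresh_token", refreshToken);
    // With basic auth the client is identified by the header, so client_id is left out.
    if (!(confidential && auth == ClientAuth.BASIC)) {
      form.put("client_id", clientId);
    }
    // Public client (no secret configured): same request as before, no client_secret.
    if (confidential && auth == ClientAuth.POST) {
      form.put("client_secret", clientSecret);
    }
    StringJoiner joined = new StringJoiner("&");
    form.forEach((k, v) -> joined.add(enc(k) + "=" + enc(v)));
    return joined.toString();
  }

  /** Authorization header value for basic auth, or null when it does not apply. */
  static String authorizationHeader(String clientId, String clientSecret, ClientAuth auth) {
    if (clientSecret == null || clientSecret.isEmpty() || auth != ClientAuth.BASIC) {
      return null;
    }
    // RFC 6749 section 2.3.1: form-encode id and secret before joining with ':'.
    String pair = enc(clientId) + ":" + enc(clientSecret);
    return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) {
    // Constructed placeholder values, not real credentials.
    String id = "example-client-id", secret = "example+secret/value", rt = "example-refresh-token";
    System.out.println("public: " + body(id, null, rt, ClientAuth.POST));
    System.out.println("post:   " + body(id, secret, rt, ClientAuth.POST));
    System.out.println("basic:  " + body(id, secret, rt, ClientAuth.BASIC));
    System.out.println("header: " + authorizationHeader(id, secret, ClientAuth.BASIC));
  }
}
```

In a real provider the request body and header would be kept out of logs, since both can contain the secret and the refresh token.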