[GitHub] [hadoop] qcastel commented on a diff in pull request #5082: HADOOP-18510. Support confidential client in Azure refresh token gran…

Thu, 27 Oct 2022 01:35:14 -0700 


qcastel commented on code in PR #5082:
URL: https://github.com/apache/hadoop/pull/5082#discussion_r1006566902


##########
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/AzureADAuthenticator.java:
##########
@@ -168,12 +168,14 @@ public static AzureADToken getTokenFromMsi(final String 
authEndpoint,
    */
   public static AzureADToken getTokenUsingRefreshToken(
       final String authEndpoint, final String clientId,
-      final String refreshToken) throws IOException {
+      final String clientSecret, final String refreshToken) throws IOException 
{
     QueryParams qp = new QueryParams();
     qp.add("grant_type", "refresh_token");
     qp.add("refresh_token", refreshToken);
-    if (clientId != null) {

Review Comment:
   Nope, the client id is not optional in the refresh token grant flow. Thats a 
miss interpretation on your part of the spec.
   
   I think you have been miss leading by how it's written in the spec in 
section 6
   https://www.rfc-editor.org/rfc/rfc6749#section-6
   
   here it doesn't say in that section that the client id is required, just 
because there is different way to inject the client credential into the request 
(ie POST or BASIC, even client assertion).
   But you see in the example that the authorisation header is setup and this 
contains the client ID in there.
   
   For confidential client, its quite obvious that the client ID is required. 
For public client (which you want to support too), it's also required, as said 
in:
   
   ```
   authenticate the client if client authentication is included and
         ensure that the refresh token was issued to the authenticated
         client, and
   ```
   
   Your code currrently only support one type of auth method, the POST one.
   You then can assume that in this line, the client ID is required.
   
   You can revisit injecting it in the body of the request if one day you 
decide to support the auth method BASIC as well. Would just mean the client ID 
is in the request but in a header instead.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to