[
https://issues.apache.org/jira/browse/HADOOP-18510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17625567#comment-17625567
]
ASF GitHub Bot commented on HADOOP-18510:
-----------------------------------------
qcastel commented on PR #5082:
URL: https://github.com/apache/hadoop/pull/5082#issuecomment-1294801336
@ashutoshcipher I had a look at creating a UT and it seems that there isn't
any test yet covering the class impacted by this fix.
Mocking is also made difficult by the HTTP request made behind it. Perhaps you
have an HTTP mocking framework already used in this repo that I could use?
Hoverfly, for example?
Concerning the IT, looking at the XML to connect to the blob storage, they
all use account access keys. As the fix is for connecting with OAuth2, that
won't be covered by the IT for sure.
I kind of feel that, currently, all your coverage is missing tests for the OAuth2
layer of Azure.
Could someone on your team first write a test that covers the existing
code? This way, adding a test in this PR should be quite straightforward.
> Azure RefreshTokenBasedTokenProvider is only supporting public client
> ---------------------------------------------------------------------
>
> Key: HADOOP-18510
> URL: https://issues.apache.org/jira/browse/HADOOP-18510
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/azure
> Affects Versions: 3.3.4
> Reporter: Quentin Castel
> Priority: Major
> Labels: pull-request-available, security
>
> The Azure RefreshTokenBasedTokenProvider is assuming the client is public,
> meaning it's not exchanging the refresh token to an access token with the
> client secret.
>
> This limitation is not really justified and the RefreshTokenBasedTokenProvider
> should use the client secret if present.
>
> From my understanding, there is no particular reason to think that hadoop is
> not able to store secrets securely, especially as I see the client credential
> flow, which requires a confidential client, is supported by the library.
>
> The fix is to simply inject the client secret in the request, using client
> basic auth method or client Post auth method, when the client secret is
> present.
>
> https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/RefreshTokenBasedTokenProvider.java#L61
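The refresh-token exchange the issue describes, as an added Python example that is not Hadoop's code: a public client sends only the refresh token, while a confidential client authenticates with its client secret either via HTTP Basic (RFC 6749 §2.3.1) or as a client_secret form field. The endpoint, client id, secret and token values are constructed placeholders.

```python
import base64
from urllib.parse import urlencode, quote, parse_qs

# Constructed placeholder; no real tenant or token endpoint.
TOKEN_ENDPOINT = "https://login.example.invalid/oauth2/v2.0/token"


def build_refresh_request(client_id, refresh_token, client_secret=None,
                          auth_method="basic"):
    """Return (headers, body) for an RFC 6749 section 6 refresh-token grant.

    With no client secret the request is a public-client exchange (the
    behaviour the issue reports). With a secret the client authenticates:
      "basic" -> Authorization: Basic base64(urlencoded_id:urlencoded_secret)
      "post"  -> client_secret sent as a form parameter.
    """
    params = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        if auth_method == "basic":
            # RFC 6749 2.3.1: form-encode id and secret before base64.
            raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
            token = base64.b64encode(raw.encode("ascii")).decode("ascii")
            headers["Authorization"] = "Basic " + token
        elif auth_method == "post":
            params["client_secret"] = client_secret
        else:
            raise ValueError(f"unknown client auth method: {auth_method}")
    return headers, urlencode(params)


def client_auth_method(headers, body):
    """Check helper for a unit test: how does this request authenticate the
    client? Returns "basic", "post" or "none" (the public-client case)."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "basic"
    if "client_secret" in parse_qs(body):
        return "post"
    return "none"
```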
--
This message was sent by Atlassian Jira
(v8.20.10#820010)