[
https://issues.apache.org/jira/browse/HADOOP-18510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17625583#comment-17625583
]
ASF GitHub Bot commented on HADOOP-18510:
-----------------------------------------
steveloughran commented on PR #5082:
URL: https://github.com/apache/hadoop/pull/5082#issuecomment-1294827205
+ @snvijaya
> Azure RefreshTokenBasedTokenProvider is only supporting public client
> ---------------------------------------------------------------------
>
> Key: HADOOP-18510
> URL: https://issues.apache.org/jira/browse/HADOOP-18510
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/azure
> Affects Versions: 3.3.4
> Reporter: Quentin Castel
> Priority: Major
> Labels: pull-request-available, security
>
> The Azure RefreshTokenBasedTokenProvider is assuming the client is public,
> meaning it's not exchanging the refresh token to an access token with the
> client secret.
>
> This limitation is not really justify and the RefreshTokenBasedTokenProvider
> should use the client secret if present.
>
> From my understanding, there is no particular reason to think that hadoop is
> not able to store secrets securely, especially as I see the client credential
> flow, which require a confidential client, is supported by the library.
>
> The fix is to simply inject the client secret in the request, using client
> basic auth method or client Post auth method, when the client secret is
> present.
>
> https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/RefreshTokenBasedTokenProvider.java#L61
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
