[
https://issues.apache.org/jira/browse/HADOOP-18510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17625611#comment-17625611
]
ASF GitHub Bot commented on HADOOP-18510:
-----------------------------------------
qcastel commented on code in PR #5082:
URL: https://github.com/apache/hadoop/pull/5082#discussion_r1007941508
##########
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/AzureADAuthenticator.java:
##########
@@ -168,12 +168,14 @@ public static AzureADToken getTokenFromMsi(final String
authEndpoint,
*/
public static AzureADToken getTokenUsingRefreshToken(
final String authEndpoint, final String clientId,
- final String refreshToken) throws IOException {
+ final String clientSecret, final String refreshToken) throws IOException
{
QueryParams qp = new QueryParams();
qp.add("grant_type", "refresh_token");
qp.add("refresh_token", refreshToken);
- if (clientId != null) {
Review Comment:
If it's microsoft that wrote this line, then why injecting the client ID if
present? if it works without it...
As the fix is not about this particular line, I will just revert it so we
concentrate on the real issue.
> Azure RefreshTokenBasedTokenProvider is only supporting public client
> ---------------------------------------------------------------------
>
> Key: HADOOP-18510
> URL: https://issues.apache.org/jira/browse/HADOOP-18510
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/azure
> Affects Versions: 3.3.4
> Reporter: Quentin Castel
> Priority: Major
> Labels: pull-request-available, security
>
> The Azure RefreshTokenBasedTokenProvider is assuming the client is public,
> meaning it's not exchanging the refresh token to an access token with the
> client secret.
>
> This limitation is not really justify and the RefreshTokenBasedTokenProvider
> should use the client secret if present.
>
> From my understanding, there is no particular reason to think that hadoop is
> not able to store secrets securely, especially as I see the client credential
> flow, which require a confidential client, is supported by the library.
>
> The fix is to simply inject the client secret in the request, using client
> basic auth method or client Post auth method, when the client secret is
> present.
>
> https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/RefreshTokenBasedTokenProvider.java#L61
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
