raphaelsolarski opened a new pull request, #17148: URL: https://github.com/apache/iceberg/pull/17148
#### Description This PR is a proposition of filtering out `Authorization` header from headers inherited from parent session for token call in client credentials flow. To not break any existing use case scenario the filtering is hidden behind `skip-inherited-auth-header-in-token-request` feature flag passed as config property to `RESTSessionCatalog`. The motivation of this change is that some OAuth2 authorization servers (in particular Okta) rejects requests for token which contains both `Authorization: Bearer abcs` header and client_id+client_secret key pair (please see example how to check it directly on Okta). #### Reproduction of behavior directly on Okta ```bash CLIENT_ID="<CLIENT_ID>" CLIENT_SECRET="<CLIENT_SECRET>" OKTA_TOKEN_URL="<https://...okta.com/oauth2/.../v1/token>" OKTA_SCOPE="datacatalog" # successful request ACCESS_TOKEN=$(curl -X POST "$OKTA_TOKEN_URL" \ --header "Accept: application/json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --header "X-Client-Version: Apache Iceberg 1.10.1-e.1 (commit 57448704eb9967abee52da13672326592e9ebe25)" \ --data "grant_type=client_credentials" \ --data "client_id=$CLIENT_ID" \ --data "client_secret=$CLIENT_SECRET" \ --data "scope=$OKTA_SCOPE" | jq -r '.access_token') # results: 200 + {"token_type":"Bearer","expires_in":3600,"access_token":"...","scope":"datacatalog"} # subsequent request which inherit Authorization header from session curl -X POST "$OKTA_TOKEN_URL" \ --header "Authorization: Bearer $ACCESS_TOKEN" \ --header "Accept: application/json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --header "X-Client-Version: Apache Iceberg 1.10.1-e.1 (commit 57448704eb9967abee52da13672326592e9ebe25)" \ --data "grant_type=client_credentials" \ --data "client_id=$CLIENT_ID" \ --data "client_secret=$CLIENT_SECRET" \ --data "scope=$OKTA_SCOPE" # results: # 401 + {"errorCode":"invalid_client","errorSummary":"No client credentials found.","errorLink":"invalid_client","errorId":"...","errorCauses":[]} ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
