raphaelsolarski opened a new pull request, #17148:
URL: https://github.com/apache/iceberg/pull/17148

   #### Description
   This PR is a proposition of filtering out `Authorization` header from 
headers inherited from parent session for token call in client credentials flow.
   To not break any existing use case scenario the filtering is hidden behind 
`skip-inherited-auth-header-in-token-request` feature flag passed as config 
property to `RESTSessionCatalog`.
   
   The motivation of this change is that some OAuth2 authorization servers (in 
particular Okta) rejects requests for token which contains both `Authorization: 
Bearer abcs` header and client_id+client_secret key pair (please see example 
how to check it directly on Okta).
   
   #### Reproduction of behavior directly on Okta
   ```bash
   CLIENT_ID="<CLIENT_ID>"
   CLIENT_SECRET="<CLIENT_SECRET>"
   OKTA_TOKEN_URL="<https://...okta.com/oauth2/.../v1/token>"
   OKTA_SCOPE="datacatalog"
   
   # successful request
   ACCESS_TOKEN=$(curl -X POST "$OKTA_TOKEN_URL" \
   --header "Accept: application/json" \
   --header "Content-Type: application/x-www-form-urlencoded" \
   --header "X-Client-Version: Apache Iceberg 1.10.1-e.1 (commit 
57448704eb9967abee52da13672326592e9ebe25)" \
   --data "grant_type=client_credentials" \
   --data "client_id=$CLIENT_ID" \
   --data "client_secret=$CLIENT_SECRET" \
   --data "scope=$OKTA_SCOPE" | jq -r '.access_token')
   # results: 200 + 
{"token_type":"Bearer","expires_in":3600,"access_token":"...","scope":"datacatalog"}
   
   # subsequent request which inherit Authorization header from session
   curl -X POST "$OKTA_TOKEN_URL" \
   --header "Authorization: Bearer $ACCESS_TOKEN" \
   --header "Accept: application/json" \
   --header "Content-Type: application/x-www-form-urlencoded" \
   --header "X-Client-Version: Apache Iceberg 1.10.1-e.1 (commit 
57448704eb9967abee52da13672326592e9ebe25)" \
   --data "grant_type=client_credentials" \
   --data "client_id=$CLIENT_ID" \
   --data "client_secret=$CLIENT_SECRET" \
   --data "scope=$OKTA_SCOPE"
   
   # results:
   # 401 + {"errorCode":"invalid_client","errorSummary":"No client credentials 
found.","errorLink":"invalid_client","errorId":"...","errorCauses":[]}
   ```
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to