Re: [PR] Update DefaultOAuth2ApiService to support multiple token types and client secret without id [polaris]

Wed, 05 Feb 2025 19:56:54 -0800 


dimas-b commented on code in PR #952:
URL: https://github.com/apache/polaris/pull/952#discussion_r1944060199


##########
service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java:
##########
@@ -75,43 +74,39 @@ public Response getToken(
     if (!tokenBroker.supportsRequestedTokenType(requestedTokenType)) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
     }
-    if (authHeader == null && clientId == null) {
+    if (authHeader == null && clientSecret == null) {
       return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
     }
-    if (authHeader != null && clientId == null && authHeader.startsWith("Basic 
")) {
+    // token exchange with client id and client secret means the client has 
previously
+    // attempted to refresh an access token, but refreshing was not supported 
by the token broker.
+    // Accept the client id and secret and treat it as a new token request
+    if (authHeader != null && clientSecret == null && 
authHeader.startsWith("Basic ")) {
       String credentials = new 
String(Base64.decodeBase64(authHeader.substring(6)), UTF_8);
-      if (!credentials.contains(":")) {
-        return 
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
-      }
       LOGGER.debug("Found credentials in auth header - treating as 
client_credentials");
       String[] parts = credentials.split(":", 2);
-      clientId = parts[0];
-      clientSecret = parts[1];
+      if (parts.length == 2) {
+        clientId = parts[0];
+        clientSecret = parts[1];
+      } else if (parts.length == 1) {
+        clientSecret = parts[0];
+      } else {
+        LOGGER.debug("Don't know how to parse Basic auth header");
+        
OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
+      }
+    }
+    TokenResponse tokenResponse;
+    if (subjectToken != null) {
+      if (!tokenBroker.supportsRequestedTokenType(subjectTokenType)) {

Review Comment:
   IMHO, it is best to delegate all "supports" checks to the `TokenBroker` 
implementation.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to