The ServerAuthHandler and ClientAuthHandler interfaces are for an older 
authentication mechanism for Flight. I don’t think most servers use this now. 
It has the drawback of being stateful authentication whereas Flight is designed 
to be a stateless protocol.

The Flight SQL JDBC and ODBC drivers support only header-based authentication.



From: prochac (via GitHub) <[email protected]>
Date: Wednesday, September 24, 2025 at 3:49 AM
To: [email protected] <[email protected]>
Subject: Re: [D] Auth for Flight RPC/SQL [arrow-go]


GitHub user prochac edited a discussion: Auth for Flight RPC/SQL

Hi,

I'm kinda confused about how authentication is intended for these two.
Obviously, I'm using Go and the Arrow Go module.

I'm implementing an Arrow Flight SQL server, and need to use some auth mechanism.

So far, I'm using [flight.BasicAuthValidator](https://pkg.go.dev/github.com/apache/arrow-go/[email protected]/arrow/flight#BasicAuthValidator) in combination with [flight.CreateServerBasicAuthMiddleware](https://pkg.go.dev/github.com/apache/arrow-go/v18/arrow/flight#CreateServerBasicAuthMiddleware).

But I also found [flight.ServerAuthHandler](https://pkg.go.dev/github.com/apache/arrow-go/v18/arrow/flight#ServerAuthHandler) that can be set to embedded [flight.BaseFlightServer](https://pkg.go.dev/github.com/apache/arrow-go/v18/arrow/flight#BaseFlightServer), and then be used by `flight.Server` that must be exclusively created by [flight.NewServerWithMiddleware](https://pkg.go.dev/github.com/apache/arrow-go/v18/arrow/flight#NewServerWithMiddleware), as the interceptors aren't otherwise available.

If I'm correct, the authentication is a matter of the [Flight RPC layer](https://arrow.apache.org/docs/format/Flight.html#authentication).
Therefore, it confuses me that the first method uses `Basic` `"authorization"` for `/Handshake`, which is then transformed into a `Bearer` token, returned as an `"authorization"` trailer from the server, and the client switches the basic `"authorization"` to bearer on its side.
Meanwhile, the `ServerAuthHandler` uses the `"auth-token-bin"` key for metadata, and reads the "login" credentials from the [flight.HandshakeRequest](https://pkg.go.dev/github.com/apache/arrow-go/v18/arrow/flight#HandshakeRequest) payload into [flight.BasicAuth](https://pkg.go.dev/github.com/apache/arrow-go/v18/arrow/flight#BasicAuth), and returns the future `"auth-token-bin"` as the [flight.HandshakeResponse](https://pkg.go.dev/github.com/apache/arrow-go/v18/arrow/flight#HandshakeResponse) payload.

So the `BasicAuth` and `BasicAuthValidator` aren't even used together.

What is the unified auth mechanism for Flight RPC? Does Flight SQL use a different one?

In my experience, all clients, like the [Flight SQL JDBC driver](https://arrow.apache.org/docs/java/flight_sql_jdbc_driver.html), use only the first method, using the `"authorization"` header and trailer.

GitHub link: https://github.com/apache/arrow-go/discussions/519
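
The header-based flow discussed in this thread (Basic credentials on `/Handshake`, a bearer token on later calls), as an added example that is not part of the original messages and is not arrow-go's own code. It is a stdlib-only Go type with the `Validate`/`IsValid` method set of `flight.BasicAuthValidator` (signatures assumed from the arrow-go docs) that issues an HMAC-signed, expiring token, so the server keeps no session state. The type name, key, one-hour lifetime and credentials are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// statelessValidator mirrors flight.BasicAuthValidator's methods (assumed); token = "expiry.user.hexmac".
type statelessValidator struct {
	key   []byte            // HMAC key shared by all server replicas
	users map[string]string // constructed demo credentials
	now   func() time.Time  // injectable clock
}

func (v *statelessValidator) sign(payload string) string {
	m := hmac.New(sha256.New, v.key)
	m.Write([]byte(payload))
	return fmt.Sprintf("%s.%x", payload, m.Sum(nil))
}

func (v *statelessValidator) Validate(username, password string) (string, error) { // Handshake
	want, ok := v.users[username]
	if !ok || !hmac.Equal([]byte(want), []byte(password)) { // constant-time compare
		return "", fmt.Errorf("invalid credentials")
	}
	return v.sign(strconv.FormatInt(v.now().Add(time.Hour).Unix(), 10) + "." + username), nil
}

func (v *statelessValidator) IsValid(bearerToken string) (interface{}, error) { // later calls
	i := strings.LastIndexByte(bearerToken, '.')
	if i < 0 || !hmac.Equal([]byte(v.sign(bearerToken[:i])), []byte(bearerToken)) {
		return nil, fmt.Errorf("bad token signature")
	}
	expStr, user, ok := strings.Cut(bearerToken[:i], ".")
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if !ok || err != nil || v.now().Unix() >= exp {
		return nil, fmt.Errorf("token expired or malformed")
	}
	return user, nil
}

func main() {
	v := &statelessValidator{key: []byte("constructed-demo-key"), users: map[string]string{"alice": "s3cret"}, now: time.Now}
	tok, _ := v.Validate("alice", "s3cret")
	fmt.Println(v.IsValid(tok))
}
```

If the assumed signatures match, a value of this type goes where the post passes a `flight.BasicAuthValidator` to `flight.CreateServerBasicAuthMiddleware`.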
