Core: Do not pass parent Bearer header in client_credentials token request#16056
Open
bharos wants to merge 1 commit intoapache:mainfrom
Open
Core: Do not pass parent Bearer header in client_credentials token request#16056bharos wants to merge 1 commit intoapache:mainfrom
bharos wants to merge 1 commit intoapache:mainfrom
Conversation
Contributor
Author
|
cc @adutra PTAL at this auth related PR, thanks! |
bharos
force-pushed
the
fix/oauth2-credential-bearer-leak
branch
from
83406e6 to
a1d24f3
Compare
…quest fromCredential() was passing parent.headers() (containing the parent session's Bearer token) to fetchToken when making a client_credentials grant request. This violates RFC 6749 Section 2.3 which states the client MUST NOT use more than one authentication method per request. IDPs like CAS and AWS Cognito reject the request due to the extra Authorization header, while lenient IDPs silently ignore it. All other fetchToken call sites correctly pass Map.of(). This change aligns fromCredential() with that pattern. Closes apache#13337
bharos
force-pushed
the
fix/oauth2-credential-bearer-leak
branch
from
a1d24f3 to
eb2f382
Compare
Contributor
|
This PR likely fixes one of the biggest client authentication issues in the current auth manager. I briefly alluded to it in the auth manager v2 design doc: But, it's a behavioral regression. I'm not sure it's safe to introduce it without placing it behind a feature flag. \cc @nastra |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fromCredential() was passing parent.headers() (containing the parent session's Bearer token) to fetchToken when making a client_credentials grant request. This violates RFC 6749 Section 2.3 which states the client MUST NOT use more than one authentication method per request.
IDPs like CAS and AWS Cognito reject the request due to the extra Authorization header, while lenient IDPs silently ignore it.
All other fetchToken call sites correctly pass Map.of(). This change aligns fromCredential() with that pattern.
Closes #13337