-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Core: Assume issued_token_type is access_token to fully comply with RFC 6749 #10314
Conversation
@@ -763,11 +763,19 @@ private static AuthSession fromTokenResponse( | |||
long startTimeMillis, | |||
AuthSession parent, | |||
String credential) { | |||
// issued token type is not present in every OAuth2 response: | |||
// assume type is access token if none provided. | |||
// See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@adutra do you maybe know if Keycloak fully supports RFC 8693? The token exchange follows https://www.rfc-editor.org/rfc/rfc8693#name-successful-response, where issued_token_type
is required
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I found keycloak/keycloak#26502, which states unfortunately that Keycloak deviates from the standard.
I can see that we might add the null check as a workaround for such cases where the auth server doesn't send back an issued_token_type
but I'd like to first see what other people in the community think about this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed, Keycloak does not fully implement it. Quoting from their Securing Applications and Services Guide:
Token exchange in Keycloak is a very loose implementation of the OAuth Token Exchange specification at the IETF. We have extended it a little, ignored some of it, and loosely interpreted other parts of the specification. It is a simple grant type invocation on a realm’s OpenID Connect token endpoint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But the problem here is wider: issued_token_type
is only defined for the token exchange flow (RFC 8693). This field does not exist for standard flows from RFC 6749. So the following scenario can happen even with fully-compliant servers:
- client uses
client_credentials
to authenticate initially; - server sends a successful response similar to this one; note that it does not contain
issued_token_type
, which is normal since it's not defined for this flow. - client attempts to refresh the token using the token exchange flow;
- client throws IAE because
subjectTokenType
is null.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nastra also see this comment which gives some context on why we have the problem today: #4771 (comment)
@@ -254,7 +254,6 @@ private static OAuthTokenResponse handleOAuthRequest(Object body) { | |||
case "client_credentials": | |||
return OAuthTokenResponse.builder() | |||
.withToken("client-credentials-token:sub=" + request.get("client_id")) | |||
.withIssuedTokenType("urn:ietf:params:oauth:token-type:access_token") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would probably leave this as-is, since issued_token_type
is required according to RFC 8693
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't agree: this flow is not governed by RFC 8693, this is RFC 6749 section 4.4.
Hi @nastra any updates on this PR? FYI here is an example of error from a Spark SQL session connected to REST catalog + external auth server:
|
@adutra I'm OOO this week, maybe @amogh-jahagirdar gets a chance to look at this PR |
@nastra or @amogh-jahagirdar is it possible for you to have a another look here please? Thanks 🙏 |
The REST client wrongly assumes that the `issued_token_type` field is present in all OAuth responses, but that isn't true: e.g. in the `client_credentials` flow, this field is undefined. See RFC 6749, section 4.4.3: https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3 This causes the client to crash when creating a tokens exchange request, since the issued token type becomes the request's subject token type, which is mandatory. This has been verified against a Keycloak 24.0 server. This change fixes this issue by assuming that the issued token type is an access token, if the response did not specify any token type. This change also fixes `RESTCatalogAdapter`: it was incorrectly including the `issued_token_type` field in `client_credentials` responses, thus masking many test failures, e.g. in `testCatalogTokenRefresh`.
@nastra @amogh-jahagirdar This PR has been rebased. Could I get a review please? 🙏 |
@adutra IMO https://github.com/apache/iceberg/pull/10314/files#r1601220154 still needs to be reverted. It's ok to add a workaround for Keycloak but I don't see a good enough reason to adjust what the server (aka |
@nastra I'm sorry but I really don't agree. This has nothing to do with Keycloak. This is not a workaround. This has to do with complying with the OAuth 2.0 spec. Have you read the 5.1 section of RFC 6749? Quoting here so that we are on the same page:
As you can see there is no A client that breaks because that field is missing is not a OAuth2-compliant client. By returning an unspecified field for a |
@adutra I've read RFC 6749 but as I mentioned in #10314 (comment) I'm assuming that the token exchange is following RFC 8693 (and my assumption can be wrong). It would be good to get confirmation on that though. |
Sure, but RFC 8693 is not applicable here. All depends on the grant type being used. If the grant type is But if the grant type is |
@rdblue since you originally authored this part (#4771 (comment)) would you mind having a look as well? Thank you! |
@nastra Alex is 100% right. I do not understand why it takes so long to review this fix for an OAuth spec-compliance. |
I think the application of extensions referenced in RFC 8693 are a little ambiguous due to the following:
I believe that the intent includes that a client credential exchange could return any of the enumerated token types defined in section 3 and applies. I don't think it's explicitly clear either way, but I would interpret it as the latter. Either way, I don't think it's a huge issue to default to ensure |
@nastra requested to revert @adutra 's fix for the client-credentials flow, only RFC 6749 applies here. This part of the code has nothing to do with RFC 8693 (token-exchange). The request to revert is IMO not justified, because the flow in question does not specify it. |
RFC 8693 builds on top of RFC 6749, but does not modify any of its structs. And how could it be otherwise? An RFC cannot modify another one's structs without officially superseding it. Imho it is wrong to read section 2.2.1 of RFC 8693 as a general rewrite of RFC 6749 section 5.1, valid for all grants. The correct reading is: section 2.2.1 expands section 5.1 by adding extra context, in the scope of a token exchange grant only. And anyways, that's how all public OAuth 2.0 servers interpret it: none of them include the field TLDR is: if you want Iceberg REST to be interoperable with any public OAuth 2.0 server, this PR needs to be in. |
I'm not suggesting that this is a general rewrite, but was more interpreting that RFC 8693 as an extension that can apply to any access_token grant type response.
I think this is the best argument and I agree it makes any argument for
Maybe you misinterpreted my message, but I actually support adding this. I couldn't find any examples and I also understand that RFC 8693 isn't widely adopted, so we may run into a number of issues with existing implementations out there. |
core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java
Outdated
Show resolved
Hide resolved
Co-authored-by: Eduard Tudenhoefner <etudenhoefner@gmail.com>
core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java
Outdated
Show resolved
Hide resolved
Thank you to all involved! I'm very glad that we could reach a consensus here 🙏 |
The REST client wrongly assumes that the
issued_token_type
field is present in all OAuth responses, but that isn't true: e.g. in theclient_credentials
flow, this field is undefined. See RFC 6749, section 4.4.3:https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3
This causes the client to crash when creating a tokens exchange request, since the issued token type becomes the request's subject token type, which is mandatory.
This has been verified against a Keycloak 24.0 server.
This change fixes this issue by assuming that the issued token type is an access token, if the response did not specify any token type.
This change also fixes
RESTCatalogAdapter
: it was incorrectly including theissued_token_type
field inclient_credentials
responses, thus masking many test failures, e.g. intestCatalogTokenRefresh
.