Add failover to accessToken for OAuth2 with refresh token #14949

Merged
merged 1 commit into from
Nov 10, 2022

@s2lomon (Member) commented Nov 8, 2022

Description

Right now, when we can't deserialize tokens that we expect to be encrypted, we fail authentication and send challenges to clients. With this change we will allow for further processing in the case when the format of the token is not parsable, meaning that it's not a JWEToken, but might be a valid OAuth2 token that could be handled by further processing.

This case occurs when a tool sends a valid accessToken obtained outside of Trino, but has configured OAuth2 with refresh tokens enabled, for other clients that benefit from that flow directly.

Non-technical explanation

This allows people to send valid accessTokens through our clients without the need to configure separate JWT authentication, which in turn allows a single OAuth2 implementation to support both direct and passthrough usages.

Release notes

( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:

# Section
* Fix issue with plain accessToken passthrough when only oauth2 with refresh-token is configured.

Right now, when we can't deserialize tokens that we expect to be encrypted,
we fail authentication and send challenges to clients. With this change
we will allow for further processing in the case when the format of the token is not parsable,
meaning that it's not a JWEToken, but might be a valid OAuth2 token that could be
handled by further processing.

This case occurs when a tool sends a valid accessToken
obtained outside of Trino, but has configured OAuth2 with refresh tokens enabled, for other
clients that benefit from that flow directly.
@kokosing merged commit 70be36d into trinodb:master Nov 10, 2022
@github-actions bot added this to the 403 milestone Nov 10, 2022
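
A sketch of the failover described in this pull request, added here as an illustration and not the code from the Trino commit. The class, method and handler names are hypothetical, the sample tokens are constructed, and the rule that a JWE-shaped token which fails decryption is rejected rather than retried as a plain token is an assumption of this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.function.Function;
import java.util.function.Predicate;

public class TokenFailoverExample {
    // Compact JWE (RFC 7516) is five base64url segments whose header names an "enc" algorithm.
    static boolean looksLikeCompactJwe(String bearer) {
        String[] parts = bearer.split("\\.", -1);
        if (parts.length != 5) {
            return false;
        }
        try {
            Base64.Decoder decoder = Base64.getUrlDecoder();
            for (String part : parts) {
                decoder.decode(part); // throws on characters outside the base64url alphabet
            }
            String header = new String(decoder.decode(parts[0]), StandardCharsets.UTF_8);
            return header.contains("\"enc\""); // crude header check, no JSON library
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // decryptJwe and validateAccessToken are hypothetical stand-ins for the real handlers.
    static Optional<String> authenticate(String bearer,
            Function<String, Optional<String>> decryptJwe,
            Predicate<String> validateAccessToken) {
        if (looksLikeCompactJwe(bearer)) {
            // Assumption: a JWE-shaped token that fails decryption is rejected, not retried as plain.
            return decryptJwe.apply(bearer).filter(validateAccessToken);
        }
        // Failover: not a JWE at all, so hand the raw value to normal access-token validation.
        return validateAccessToken.test(bearer) ? Optional.of(bearer) : Optional.empty();
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"dir\",\"enc\":\"A256GCM\"}".getBytes(StandardCharsets.UTF_8));
        String jweShaped = header + "..aXY.Y3Q.dGFn";     // constructed, not a real ciphertext
        String plain = "constructed-opaque-access-token"; // constructed sample
        Function<String, Optional<String>> failingDecrypt = t -> Optional.empty();
        Predicate<String> acceptKnown = plain::equals;
        System.out.println(authenticate(plain, failingDecrypt, acceptKnown).isPresent());     // plain token case
        System.out.println(authenticate(jweShaped, failingDecrypt, acceptKnown).isPresent()); // JWE-shaped case
    }
}
```

In both branches the token still goes through access-token validation, so the failover changes which path a token takes, not whether it is checked.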