From ef4a7ab56b0378599c9fb95df37e7f2bf231d32c Mon Sep 17 00:00:00 2001
From: Szymon Homa
Date: Tue, 8 Nov 2022 12:55:07 +0100
Subject: [PATCH] Add failover to accessToken for OAuth2 with refresh token

Right now when we can't deserialize tokens, that we expect to be encrypted we are failing authentication and send challenges to clients. With this change we will allow for further processing, in case when the format of the token is not parsable - meaning that it's not an JWEToken, but might be a valid OAuth2 token that could be handled by further processing. This case occurs for cases when a tool sends valid accessToken obtained outside from Trino, but has configured Oauth2 with refresh tokens enabled, for other clients that benefit from that flow directly
---
 .../server/security/oauth2/JweTokenSerializer.java | 2 +-
 .../security/oauth2/TestJweTokenSerializer.java | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/core/trino-main/src/main/java/io/trino/server/security/oauth2/JweTokenSerializer.java b/core/trino-main/src/main/java/io/trino/server/security/oauth2/JweTokenSerializer.java
index 4a981e8256a1..68469303c613 100644
--- a/core/trino-main/src/main/java/io/trino/server/security/oauth2/JweTokenSerializer.java
+++ b/core/trino-main/src/main/java/io/trino/server/security/oauth2/JweTokenSerializer.java
@@ -109,7 +109,7 @@ public TokenPair deserialize(String token)
 claims.get(REFRESH_TOKEN_KEY, String.class));
 }
 catch (ParseException ex) {
- throw new IllegalArgumentException("Malformed jwt token", ex);
+ return TokenPair.accessToken(token);
 }
 catch (JOSEException ex) {
 throw new IllegalArgumentException("Decryption failed", ex);
diff --git a/core/trino-main/src/test/java/io/trino/server/security/oauth2/TestJweTokenSerializer.java b/core/trino-main/src/test/java/io/trino/server/security/oauth2/TestJweTokenSerializer.java
index 6d3c18ab576e..489891b983ff 100644
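Review bot: The new `return TokenPair.accessToken(token)` in the ParseException branch turns every string that does not parse as a JWE into an apparently valid access token and discards the parse error, so nothing records that a value expected to be a Trino-issued JWE was something else. Since authentication now rests entirely on whatever validates the opaque access token further along, the intent belongs at the catch site, e.g. `// Not a JWE issued by this server: pass the raw value through as an opaque access token; the caller's token validation is the security boundary.`, and if the class has a logger, `ex` is worth recording at debug level rather than dropping silently. The asymmetry with the JOSEException branch, which still rejects a well-formed JWE that fails decryption, looks deliberate but deserves a sentence in the method's Javadoc. deserialize() starts before the hunk, so its Javadoc is outside this view.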
--- a/core/trino-main/src/test/java/io/trino/server/security/oauth2/TestJweTokenSerializer.java
+++ b/core/trino-main/src/test/java/io/trino/server/security/oauth2/TestJweTokenSerializer.java
@@ -91,6 +91,19 @@ public void testTokenDeserializationAfterTimeoutAndExpirationExtension()
 .isExactlyInstanceOf(ExpiredJwtException.class);
 }
+ @Test
+ public void testTokenDeserializationWhenNonJWETokenIsPassed()
+ throws Exception
+ {
+ JweTokenSerializer serializer = tokenSerializer(new TestingClock(), succinctDuration(12, MINUTES));
+ String nonJWEToken = "non_jwe_token";
+
+ TokenPair tokenPair = serializer.deserialize(nonJWEToken);
+
+ assertThat(tokenPair.getAccessToken()).isEqualTo(nonJWEToken);
+ assertThat(tokenPair.getRefreshToken()).isEmpty();
+ }
+
 private JweTokenSerializer tokenSerializer(Clock clock, Duration tokenExpiration)
 throws GeneralSecurityException, KeyLengthException
 {
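Review bot: The new test pins only the pass-through for an arbitrary string; it does not establish that a structurally valid JWE that fails decryption or has been altered still throws, which is the limit the fallback in JweTokenSerializer.deserialize depends on, so a companion test asserting that path still raises IllegalArgumentException would document where the failover stops (unless one already exists elsewhere in this file). On naming, the acronym casing already used by `JweTokenSerializer` would make the method `testTokenDeserializationWhenNonJweTokenIsPassed` and the local `nonJweToken`. The hunk's trailing context is the head of `tokenSerializer`, whose body continues outside the hunk.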