Skip to content

Core: Add feature flag to skip inherited Authorization header in token request#17148

Draft
raphaelsolarski wants to merge 1 commit into
apache:mainfrom
raphaelsolarski:skip-inherited-auth-header-in-token-request
Draft

Core: Add feature flag to skip inherited Authorization header in token request#17148
raphaelsolarski wants to merge 1 commit into
apache:mainfrom
raphaelsolarski:skip-inherited-auth-header-in-token-request

Conversation

@raphaelsolarski

Copy link
Copy Markdown

Description

This PR is a proposition of filtering out Authorization header from headers inherited from parent session for token call in client credentials flow.
To not break any existing use case scenario the filtering is hidden behind skip-inherited-auth-header-in-token-request feature flag passed as config property to RESTSessionCatalog.

The motivation of this change is that some OAuth2 authorization servers (in particular Okta) rejects requests for token which contains both Authorization: Bearer abcs header and client_id+client_secret key pair (please see example how to check it directly on Okta).

Reproduction of behavior directly on Okta

CLIENT_ID="<CLIENT_ID>"
CLIENT_SECRET="<CLIENT_SECRET>"
OKTA_TOKEN_URL="<https://...okta.com/oauth2/.../v1/token>"
OKTA_SCOPE="datacatalog"

# successful request
ACCESS_TOKEN=$(curl -X POST "$OKTA_TOKEN_URL" \
--header "Accept: application/json" \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "X-Client-Version: Apache Iceberg 1.10.1-e.1 (commit 57448704eb9967abee52da13672326592e9ebe25)" \
--data "grant_type=client_credentials" \
--data "client_id=$CLIENT_ID" \
--data "client_secret=$CLIENT_SECRET" \
--data "scope=$OKTA_SCOPE" | jq -r '.access_token')
# results: 200 + {"token_type":"Bearer","expires_in":3600,"access_token":"...","scope":"datacatalog"}

# subsequent request which inherit Authorization header from session
curl -X POST "$OKTA_TOKEN_URL" \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--header "Accept: application/json" \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "X-Client-Version: Apache Iceberg 1.10.1-e.1 (commit 57448704eb9967abee52da13672326592e9ebe25)" \
--data "grant_type=client_credentials" \
--data "client_id=$CLIENT_ID" \
--data "client_secret=$CLIENT_SECRET" \
--data "scope=$OKTA_SCOPE"

# results:
# 401 + {"errorCode":"invalid_client","errorSummary":"No client credentials found.","errorLink":"invalid_client","errorId":"...","errorCauses":[]}

@github-actions github-actions Bot added the core label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant