Migrate to flight auth #3589
auth_type (str): the authentication type string, can be "Anonymous', 'Basic", or any custom-built | ||
authenticator in the server, such as "io.deephaven.authentication.psk.PskAuthenticationHandler", | ||
default is 'Anonymous'. | ||
auth_token (str): the authentication token string. When auth_type is 'Basic', it must be | ||
"user:password"; when auth_type is "Anonymous', it will be ignored; when auth_type is a custom-built | ||
authenticator, it must conform to the specific requirement of the authenticator |
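Review bot: the quoting in this docstring is mismatched: `"Anonymous', 'Basic"` in the auth_type description and `"Anonymous'` in the auth_token description open with a double quote and close with a single one, so pick one quote style for all three type names. The auth_token description could also state that for 'Basic' the client base64-encodes "user:password" itself, so callers know not to pre-encode it.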
@niloc132
At a low level, the API just takes a single string. Are we guaranteed that we will always be able to break auth into these two fields, or are there options that take 3+ fields that would make just doing a single field the right way to go?
Should the Go client be operating this way?
The syntax of the Authorization header is in two parts, the "scheme" and "parameters", see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization#syntax
See also https://httpwg.org/specs/rfc9110.html#field.authorization and https://httpwg.org/specs/rfc9110.html#credentials
Sending it as one value is probably fine, but most use cases will tend to think of it as two, likely a constant for the kind of authentication they are using, then the specific token that identifies them.
if auth_type == "Anonymous": | ||
self._auth_token = auth_type | ||
elif auth_type == "Basic": | ||
auth_token_base64 = base64.b64encode(auth_token.encode("ascii")).decode("ascii") |
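Review bot: `auth_token.encode("ascii")` in the Basic branch raises UnicodeEncodeError for any user name or password that contains a non-ASCII character, and nothing in these lines checks that the token has the "user:password" shape the docstring requires. Consider encoding as UTF-8, or catching the error and raising a clear message, and rejecting a token without a ':' before it is encoded.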
@niloc132 If the Go client should be split up into two args, it probably also needs to base64 encode...right?
Only the Basic type is expected/required to be base64 encoded, this isn't necessarily required for other formats. For example, if you base64 the already-hex encoded uuids that are used for bearer tokens, or the already-base64 encoded openId connect payloads, the server won't be able to read them.
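The encoding rule from the comment above, as an added example (not code from this PR or from the Deephaven client): only Basic parameters are base64-encoded, and a token for any other scheme that gets encoded a second time no longer matches what the server expects. The `Bearer` scheme name, the sample token, the `scheme + space + token` layout for non-Basic types and the UTF-8 encoding are assumptions.

```python
import base64
import binascii


def build_authorization(auth_type: str, auth_token: str = "") -> str:
    """Client side: return '<scheme>' or '<scheme> <parameters>'."""
    if auth_type == "Anonymous":
        return auth_type  # token is ignored for Anonymous
    if not auth_token:
        raise ValueError(f"{auth_type} requires a token")
    if auth_type == "Basic":
        if ":" not in auth_token:
            raise ValueError("Basic token must be 'user:password'")
        # Basic is the only scheme whose parameters the client encodes.
        # UTF-8 is an assumption here; it also covers non-ASCII passwords.
        auth_token = base64.b64encode(auth_token.encode("utf-8")).decode("ascii")
    # Every other scheme is sent exactly as the caller supplied it.
    return f"{auth_type} {auth_token}"


def read_authorization(value: str):
    """Server-side view: split scheme from parameters, decode only Basic."""
    scheme, _, params = value.partition(" ")
    if scheme != "Basic":
        return scheme, params
    try:
        decoded = base64.b64decode(params, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("Basic credentials lack ':'")
    return scheme, (user, password)


# Constructed sample token: a hex-encoded UUID of the kind used as a bearer token.
SAMPLE_BEARER = "3f2b8c1e9d4a4b7f8a6c5d4e3f2a1b0c"

if __name__ == "__main__":
    print(read_authorization(build_authorization("Basic", "user:pa:ss")))
    print(read_authorization(build_authorization("Bearer", SAMPLE_BEARER)))
    # Encoding a non-Basic token a second time: the server sees a different value.
    wrong = base64.b64encode(SAMPLE_BEARER.encode("ascii")).decode("ascii")
    print(read_authorization(f"Bearer {wrong}")[1] == SAMPLE_BEARER)  # False
```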
a1b4d70 to b64b7a2
Re-approving post conflict resolution based on prior reviewers.
Labels indicate documentation is required. Issues for documentation have been opened: How-to: https://github.com/deephaven/deephaven.io/issues/2369
Fixes #3513