bharos commented on code in PR #10437:
URL: https://github.com/apache/gravitino/pull/10437#discussion_r2943050678
##########
web-v2/web/src/lib/auth/providers/oidc.js:
##########
@@ -67,17 +67,17 @@ export class OidcOAuthProvider extends BaseOAuthProvider {
let user = await this.userManager.getUser()
if (user && !user.expired) {
- // For JWKS validation, we need the ID token (JWT format), not the
access token
- return user.id_token || user.access_token
+ // Use access token for API requests per OAuth2 spec
+ return user.access_token || user.id_token
Review Comment:
My concern is that based on Oauth:
https://oauth.net/id-tokens-vs-access-tokens/
id_token is always a JWT but access_token may not be.
Validator expects token to be of JWT form
https://github.com/apache/gravitino/blob/891ab2d655692a8169b507cdee16598f3fdb6aa3/server-common/src/main/java/org/apache/gravitino/server/authentication/JwksTokenValidator.java#L102
So just wondering if it can break any existing provider flow
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
