[PLUGIN-1956] Added a fix for OAuth2 Proxy Routing#205
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
vishwasvaidya-cloudsufi
force-pushed
the
fix_Oauth2_Proxy
branch
from
d7cda01 to
af8423d
Compare
psainics
requested review from
itsankit-google
and removed request for
itsankit-google
| if (!Strings.isNullOrEmpty(config.getProxyUrl())) { | ||
| HttpHost proxyHost = HttpHost.create(config.getProxyUrl()); | ||
|
|
||
| if (!Strings.isNullOrEmpty(config.getProxyUsername()) && !Strings.isNullOrEmpty(config.getProxyPassword())) { |
There was a problem hiding this comment.
should the else part throw an error?
Do we have validation in place earlier which checks that these cannot be empty when proxyUrl is specified?
There was a problem hiding this comment.
Using the ProxyURL without Credentials is a valid use case, so adding an else part for the same is not required.
Similar type of validations are present where the proxy configuration is implemented. I have also tested these changes locally to verify the same.
There was a problem hiding this comment.
I see, sounds good.
3 participants
Added a fix for OAuth2 Proxy Routing
Jira : PLUGIN-1956
Description
When the HTTP plugin (source or sink) is configured with OAuth2 authentication and a proxy (proxyUrl, proxyUsername, proxyPassword), the request that fetches the OAuth2 access token ignores the proxy settings. It is sent directly to the token endpoint, which causes an UnknownHostException in restricted environments (like Cloud Data Fusion / Dataproc) where only the proxy has outbound network access.
Root Cause
In OAuthUtil.getAccessToken(BaseHttpConfig config), the code builds its own HTTP client but never applies the proxy settings from the config. Currently, it uses HttpClients.custom() (for the source path) or HttpClients.createDefault() (for the sink path), completely bypassing setProxy(...) and setDefaultCredentialsProvider(...).
The Fix
Refactored the OAUTH2 case in OAuthUtil.java to use a unified HttpClientBuilder. The builder now:
Conditionally applies the SSLConnectionSocketFactory (if it's a BaseHttpSourceConfig).
Extracts the proxy settings from the config object and applies the HttpHost and BasicCredentialsProvider (if configured) before calling .build().
Proof / Verifications