Fix #2478: Update the auth header to Authorization Bearer for JWT token (#2483)

* Fix #2478: Update the auth header to Authorization Bearer for JWT token
2025-11-04 04:29:13 +00:00 · 2022-01-27 23:58:54 -08:00 · 2022-01-27 23:58:54 -08:00 · 52ec2e3ad1
commit 52ec2e3ad1
parent 2c6f6cb908
5 changed files with 12 additions and 7 deletions
--- a/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/JwtFilter.java
+++ b/catalog-rest-service/src/main/java/org/openmetadata/catalog/security/JwtFilter.java
@ -38,7 +38,8 @@ import org.openmetadata.catalog.security.auth.CatalogSecurityContext;
 public class JwtFilter implements ContainerRequestFilter {
  @Context private UriInfo uriInfo;

-  public static final String TOKEN_HEADER = "X-Catalog-Source";
+  public static final String AUTHORIZATION_HEADER = "Authorization";
+  public static final String TOKEN_PREFIX = "Bearer";
  private String publicKeyUri;

  @SuppressWarnings("unused")
@ -103,10 +104,14 @@ public class JwtFilter implements ContainerRequestFilter {

  protected static String extractToken(MultivaluedMap<String, String> headers) {
    LOG.debug("Request Headers:{}", headers);
-    String source = headers.getFirst(TOKEN_HEADER);
+    String source = headers.getFirst(AUTHORIZATION_HEADER);
    if (Strings.isNullOrEmpty(source)) {
      throw new AuthenticationException("Not Authorized! Token not present");
    }
-    return source;
+    // Extract the bearer token
+    if (source.startsWith(TOKEN_PREFIX)) {
+      return source.substring(TOKEN_PREFIX.length() + 1);
+    }
+    throw new AuthenticationException("Not Authorized! Token not present");
  }
 }
--- a/ingestion/src/metadata/ingestion/ometa/client.py
+++ b/ingestion/src/metadata/ingestion/ometa/client.py
@ -128,7 +128,7 @@ class REST:
        url: URL = URL(base_url + "/" + version + path)
        headers = {"Content-type": "application/json"}
        if self._auth_token is not None and self._auth_token != "no_token":
-            headers[self.config.auth_header] = self._auth_token
+            headers[self.config.auth_header] = f"Bearer {self._auth_token}"
        opts = {
            "headers": headers,
            # Since we allow users to set endpoint URL via env var,
--- a/ingestion/src/metadata/ingestion/ometa/ometa_api.py
+++ b/ingestion/src/metadata/ingestion/ometa/ometa_api.py
@ -138,7 +138,7 @@ class OpenMetadata(
        client_config: ClientConfig = ClientConfig(
            base_url=self.config.api_endpoint,
            api_version=self.config.api_version,
-            auth_header="X-Catalog-Source",
+            auth_header="Authorization",
            auth_token=self._auth_provider.auth_token(),
        )
        self.client = REST(client_config)
--- a/ingestion/src/metadata/ingestion/ometa/openmetadata_rest.py
+++ b/ingestion/src/metadata/ingestion/ometa/openmetadata_rest.py
@ -100,7 +100,7 @@ class MetadataServerConfig(ConfigModel):
    domain: str = None
    email: str = None
    audience: str = "https://www.googleapis.com/oauth2/v4/token"
-    auth_header: str = "X-Catalog-Source"
+    auth_header: str = "Authorization"


 class NoOpAuthenticationProvider(AuthenticationProvider):
--- a/openmetadata-ui/src/main/resources/ui/src/axiosAPIs/index.js
+++ b/openmetadata-ui/src/main/resources/ui/src/axiosAPIs/index.js
@ -26,7 +26,7 @@ const axiosClient = axios.create({
 axiosClient.interceptors.request.use(function (config) {
  const token = cookieStorage.getItem(oidcTokenKey);
  if (token) {
-    config.headers['X-Catalog-Source'] = token;
+    config.headers['Authorization'] = `Bearer ${token}`;
  }

  return config;