[PR #1421] [MERGED] enforce exact key match in IBM IAM response #1973

New issue

Closed

opened 2026-03-04 02:03:04 +03:00 by kerem · 0 comments

kerem commented

2026-03-04 02:03:04 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/s3fs-fuse/s3fs-fuse/pull/1421
Author: @nkkashyap
Created: 9/25/2020
Status: ✅ Merged
Merged: 9/25/2020
Merged by: @gaul

Base: master ← Head: ibmiam

📝 Commits (1)

d58acb1 enforce exact key match in IBM IAM response

📊 Changes

2 files changed (+5 additions, -2 deletions)

View changed files

📝 src/curl.cpp (+3 -0)
📝 src/s3fs.cpp (+2 -2)

📄 Description

Relevant Issue (if applicable)

If there are Issues related to this PullRequest, please list it.

Details

Please describe the details of PullRequest.
The IBM IAM token API wants to introduced additional field refresh_token_expiration for token expiry

POST /oidc/token HTTP/1.1
Host: iam.bluemix.net

"token_type":"Bearer","expires_in":3600,"expiration":1600889795,"refresh_token_expiration":1603478195,"scope":"ibm openid"}"

The S3fsCurl::ParseIAMCredentialResponse() is not able to differentiate between expiration and refresh_token_expiration and picking the last key value in the order, that is refresh_token_expiration.
Because of this the token is not getting refreshed by s3fs and application accessing bucket mount are hitting with Error: EPERM: operation not permitted

The code change enforce the exact key match in case of IBM IAM response.

I have tested and verified the code in IBM IKS Cluster

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/s3fs-fuse/s3fs-fuse/pull/1421 **Author:** [@nkkashyap](https://github.com/nkkashyap) **Created:** 9/25/2020 **Status:** ✅ Merged **Merged:** 9/25/2020 **Merged by:** [@gaul](https://github.com/gaul) **Base:** `master` ← **Head:** `ibmiam` --- ### 📝 Commits (1) - [`d58acb1`](https://github.com/s3fs-fuse/s3fs-fuse/commit/d58acb18619d236b3f44535d50570d8aa4a05ee8) enforce exact key match in IBM IAM response ### 📊 Changes **2 files changed** (+5 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `src/curl.cpp` (+3 -0) 📝 `src/s3fs.cpp` (+2 -2) </details> ### 📄 Description ### Relevant Issue (if applicable) _If there are Issues related to this PullRequest, please list it._ ### Details _Please describe the details of PullRequest._ The IBM IAM token API wants to introduced additional field `refresh_token_expiration` for token expiry > POST /oidc/token HTTP/1.1 > Host: iam.bluemix.net ``` "token_type":"Bearer","expires_in":3600,"expiration":1600889795,"refresh_token_expiration":1603478195,"scope":"ibm openid"}" ``` The `S3fsCurl::ParseIAMCredentialResponse()` is not able to differentiate between `expiration` and `refresh_token_expiration` and picking the last key value in the order, that is `refresh_token_expiration`. Because of this the token is not getting refreshed by s3fs and application accessing bucket mount are hitting with `Error: EPERM: operation not permitted` The code change enforce the exact key match in case of IBM IAM response. I have tested and verified the code in IBM IKS Cluster --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>