opensearch-project / sql-jdbc

This is the driver for JDBC connectivity to a cluster running with OpenSearch SQL support.
Apache License 2.0

[FEATURE] Support preemptive basic auth in JDBC driver #28

Open dai-chen opened 2 years ago

dai-chen commented 2 years ago

Is your feature request related to a problem? Currently, basic auth is non-preemptive and expects an authenticate header (WWW-Authenticate: Basic ...) from the server. There is a problem when the server responds with something else; for example, an OpenSearch cluster with SAML enabled returns WWW-Authenticate: X-Security-IdP instead. This fails the basic auth request with a 401 HTTP error.

What solution would you like? One solution is to switch to preemptive auth and enforce it all the time. The impact of this needs to be evaluated carefully.

What alternatives have you considered? Alternatively, provide a configuration for the user to choose which auth mode to use. This may be a safer and more flexible option compared with enforcing preemptive auth.

Do you have any additional context?

  1. Non-/Preemptive process in brief: https://stackoverflow.com/questions/7482523/preemptive-authentication-why
  2. The HTTP RFC: https://datatracker.ietf.org/doc/html/rfc2617
  3. Sample HTTP 401 error as below
HttpResponseProxy{HTTP/1.1 401 Unauthorized [Date: Thu, 23 Jun 2022 17:22:31 GMT, Content-Type: text/plain;charset=UTF-8, Content-Length: 0, Connection: keep-alive, Access-Control-Allow-Origin: *, WWW-Authenticate: X-Security-IdP realm="OpenSearch Security"
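
The two modes described in this issue, modelled as an added example (not code from the sql-jdbc driver): a toy server that returns whatever challenge it is given, and a client with a `preemptive` switch in the spirit of the configuration option proposed above. The credentials, the host name and the rule that limits preemptive sending to HTTPS and the configured host are assumptions made for the illustration.

```python
import base64

# Constructed sample values: user, password and host are placeholders.
USER, PASSWORD = "jdbc_user", "example-password"
CONFIGURED_HOST = "search.example.internal"
BASIC = 'Basic realm="OpenSearch Security"'
SAML = 'X-Security-IdP realm="OpenSearch Security"'

def basic_header(user, password):
    """Build the Authorization value for the Basic scheme (RFC 2617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def server(request_headers, challenge):
    """Toy cluster: 200 for valid Basic credentials, else 401 plus its challenge."""
    if request_headers.get("Authorization") == basic_header(USER, PASSWORD):
        return 200, {}
    return 401, {"WWW-Authenticate": challenge}

def challenge_scheme(www_authenticate):
    """Return the auth-scheme token, the first word of the challenge."""
    return www_authenticate.split(None, 1)[0].lower()

def send(url_scheme, host, challenge, preemptive):
    """Return (final status, Authorization value sent with each request)."""
    headers, sent = {}, []
    # Preemptive mode attaches credentials to the very first request, so it is
    # limited here (an assumption) to TLS and to the host they were set up for.
    if preemptive and url_scheme == "https" and host == CONFIGURED_HOST:
        headers["Authorization"] = basic_header(USER, PASSWORD)
    sent.append(headers.get("Authorization"))
    status, resp = server(headers, challenge)
    # Non-preemptive mode answers only a Basic challenge; any other scheme
    # leaves the client with the 401 reported in this issue.
    if (status == 401 and not preemptive
            and challenge_scheme(resp["WWW-Authenticate"]) == "basic"):
        headers["Authorization"] = basic_header(USER, PASSWORD)
        sent.append(headers["Authorization"])
        status, resp = server(headers, challenge)
    return status, sent

if __name__ == "__main__":
    for name, challenge in (("Basic", BASIC), ("X-Security-IdP", SAML)):
        for preemptive in (False, True):
            status, sent = send("https", CONFIGURED_HOST, challenge, preemptive)
            print(name, "preemptive" if preemptive else "challenge", status, len(sent))
```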

spiralcb commented 1 year ago

Hello

Any update on this?

We activate SAML on our AWS OpenSearch cluster and we have the same issue.

dai-chen commented 1 year ago

> Hello
>
> Any update on this?
>
> We activate SAML on our AWS OpenSearch cluster and we have the same issue.

Thanks for reporting the issue! Unfortunately, we haven't worked on this yet.

@acarbonetto Could you take a look when you have time? See if we can add this to our roadmap. Thanks!

imarzouka commented 11 months ago

Hello

Any updates on this issue?

We faced the same issue as well when we enabled OIDC along with basic authentication having (challenge: false).