WaveClient sends Bearer token to public S3 URLs, causing authentication failures #6671

@jordeu

Bug Description

When using a public AWS S3 URL as containerConfigUrl (e.g., for Fusion container config), the Wave plugin sends a Bearer token (Tower/Platform JWT) with the request. AWS S3 does not support Bearer token authentication and returns a 400 error: "Unsupported Authorization Type".

Error Message

Unexpected response for containerContainerConfigUrl 'https://s3.eu-west-2.amazonaws.com/fusion-develop/snapshots/.../fusion-amd64.json': [400]
<Error>
  <Code>InvalidArgument</Code>
  <Message>Unsupported Authorization Type</Message>
  <ArgumentName>Authorization</ArgumentName>
  <ArgumentValue>Bearer eyJhbGciOiJIUzI1NiJ9...</ArgumentValue>
</Error>

Root Cause

The WaveClient creates a single HxClient instance with a Bearer token configured globally:

https://github.com/nextflow-io/nextflow/blob/cdc7a5869/plugins/nf-wave/src/main/io/seqera/wave/plugin/WaveClient.groovy#L145-L155

protected HxClient newHttpClient() {
    return HxClient.newBuilder()
            .bearerToken(tower.accessToken)  // Bearer token applied to ALL requests
            // ...
            .build()
}

This same client is used for fetching container configs from external URLs:

https://github.com/nextflow-io/nextflow/blob/cdc7a5869/plugins/nf-wave/src/main/io/seqera/wave/plugin/WaveClient.groovy#L397-L413

protected ContainerConfig fetchContainerConfig(URL configUrl) {
    final req = HttpRequest.newBuilder()
            .uri(configUrl.toURI())
            .GET()
            .build()
    final resp = httpClient.sendAsString(req)  // Bearer token sent regardless of URL
    // ...
}

When the container config URL points to a public S3 bucket, the Bearer token is incorrectly sent, and S3 rejects it.

Steps to Reproduce

  1. Configure Nextflow with Wave and Tower/Platform integration
  2. Set a custom Fusion container config URL pointing to a public S3 bucket:
    fusion.containerConfigUrl = 'https://s3.eu-west-2.amazonaws.com/bucket/path/fusion-amd64.json'
    
  3. Run a workflow with Fusion enabled
  4. Observe the authentication error

Expected Behavior

Public URLs (especially S3 URLs) should be fetched without the Bearer token, since:

  • Container configs are public resources
  • S3 doesn't support Bearer authentication
  • The Bearer token is only valid for Wave/Tower API endpoints

Test URL

This public S3 URL can be used to reproduce and test the issue:

https://s3.eu-west-2.amazonaws.com/fusion-develop/snapshots/2025/12/17/174823056/fusion-amd64.json

Environment

  • Nextflow version: master (cdc7a58)
  • Wave plugin version: latest
  • Platform: AWS with S3 Fusion config URL
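
The following is an added example, not part of the original issue and not nf-wave code: one way to scope the Bearer token to a single trusted API origin so it is never attached to requests for external URLs such as the S3 config above. The class `ScopedAuth`, its fields, and the endpoint and token values are hypothetical; it uses only the JDK `java.net.http` API and assumes the token is valid for exactly one HTTPS origin.

```groovy
import java.net.http.HttpRequest

// Hypothetical helper (not in nf-wave): decides per request whether the
// Platform token may be attached, based on the origin of the target URL.
class ScopedAuth {
    final URI apiEndpoint      // assumed: base URL of the API the token is valid for
    final String accessToken   // assumed: the Platform JWT

    ScopedAuth(String apiEndpoint, String accessToken) {
        this.apiEndpoint = URI.create(apiEndpoint)
        this.accessToken = accessToken
    }

    private static int effectivePort(URI u) {
        if (u.port != -1) return u.port
        return u.scheme?.equalsIgnoreCase('https') ? 443 : 80
    }

    // Trusted means same origin as the API endpoint: scheme, host and port.
    // HTTPS is required so the token never travels in clear text.
    boolean isTrusted(URI target) {
        return 'https'.equalsIgnoreCase(target.scheme) &&
               'https'.equalsIgnoreCase(apiEndpoint.scheme) &&
               target.host != null &&
               target.host.equalsIgnoreCase(apiEndpoint.host) &&
               effectivePort(target) == effectivePort(apiEndpoint)
    }

    // Builds a GET request; the Authorization header is added only for the
    // trusted origin, so third-party hosts never receive (or echo) the token.
    HttpRequest get(URI target) {
        final builder = HttpRequest.newBuilder().uri(target).GET()
        if (accessToken && isTrusted(target))
            builder.header('Authorization', "Bearer ${accessToken}")
        return builder.build()
    }
}

// Constructed sample values, for illustration only
final auth = new ScopedAuth('https://wave.example.com', 'constructed-token')
final api = auth.get(URI.create('https://wave.example.com/api/example'))
final s3 = auth.get(URI.create('https://s3.eu-west-2.amazonaws.com/bucket/path/fusion-amd64.json'))
final lookalike = auth.get(URI.create('https://wave.example.com.evil.example/api'))

assert api.headers().firstValue('Authorization').isPresent()
assert !s3.headers().firstValue('Authorization').isPresent()
assert !lookalike.headers().firstValue('Authorization').isPresent()
```

Comparing the parsed host exactly, rather than matching a prefix or substring of the URL string, is what keeps a look-alike hostname from receiving the token.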
