OAuth2: userinfo_endpoint returns intermittent 401 due to truncated access_token (semicolon `;` stripped)

[nikolainv225]

Description

When using OAuth2 authentication with JetBrains Hub as the IdP, Trino intermittently fails to call the userinfo_endpoint successfully.
The same access_token sometimes works (HTTP 200) and sometimes fails (HTTP 401).
The difference: in failing requests, the token is truncated at the first semicolon (;), losing the session suffix required by Hub.

Environment

• Trino version: 475
• Deployment: Kubernetes
• IdP: JetBrains Hub
• Token type: opaque (non‑JWT) access_token containing ; in the value
• Relevant config.properties:

  http-server.authentication.type=oauth2
  http-server.authentication.oauth2.issuer=https://<domain>/hub
  http-server.authentication.oauth2.client-id=...
  http-server.authentication.oauth2.client-secret=...
  http-server.authentication.oauth2.scopes=openid profile email
  http-server.authentication.oauth2.userinfo-uri=https://<domain>/hub/api/rest/oauth2/userinfo

How we diagnosed the issue

To capture the exact requests Trino sends to the userinfo_endpoint, we deployed an intermediate nginx proxy inside the Kubernetes cluster.

This proxy:

• Listened on an internal service URL configured as userinfo-uri in Trino.
• Forwarded requests to the real Hub userinfo_endpoint.
• Logged the Authorization header and upstream response status.
• Added a WWW-Authenticate: Bearer header to any 401 responses to avoid Jetty's immediate protocol violation.

By inspecting these logs, we observed that:

• Some requests contained the full token (with ;1.… suffix) → Hub responded 200 OK.
• Other requests contained the truncated token (everything after ; removed) → Hub responded 401 Unauthorized.

Example nginx log excerpt (masked for security)

200 auth="Bearer 175...d878.0-0-0-0-0;1.MCw..."
401 auth="Bearer 175...d878.0-0-0-0-0"
200 auth="Bearer 175...d878.0-0-0-0-0;1.MCw..."
401 auth="Bearer 175...d878.0-0-0-0-0"

We also verified via direct curl from the same pod that:

• Full token works (200 OK).
• Truncated token fails (401 Unauthorized).

Observed behavior

• Trino sends multiple requests to userinfo_endpoint during login.
• Some requests use the full token:

  Authorization: Bearer 175...d878.0-0-0-0-0;1.MCw...
  

  → Hub responds 200 OK.
• Other requests use a truncated token (everything after ; removed):

  Authorization: Bearer 175...d878.0-0-0-0-0
  

  → Hub responds 401 Unauthorized (no WWW-Authenticate header).
• Jetty in Trino throws:

  HTTP protocol violation: Authentication challenge without WWW-Authenticate header
  

Expected behavior

Trino should always send the exact access_token value returned by the IdP, without modification, including any ; characters.

Steps to reproduce

1. Configure Trino with OAuth2 against JetBrains Hub that issues opaque tokens containing ;.
2. Attempt to log in via Trino Web UI.
3. Observe in a proxy or debug logs that some userinfo calls have truncated tokens.
4. Hub returns 401 for truncated tokens, causing Trino to fail login.

Additional notes

• No ingress/proxy between Trino and Hub that could alter headers — truncation happens inside Trino or its HTTP client.
• This may be related to how Jetty/Airlift parses header values containing ;.
• The issue is reproducible consistently with IdPs that issue opaque tokens containing ;.