Background
reqsign's goal is to provide a unified credential loading + request signing implementation for all OpenDAL services, so OpenDAL backends can remove per-service auth code.
Current progress (OpenDAL integration)
The following OpenDAL services are already using reqsign-based credential loading and/or signing:
- AWS S3:
reqsign-aws-v4 + reqsign-core (including AssumeRole credential chain)
- Aliyun OSS:
reqsign-aliyun-oss
- Tencent COS:
reqsign-tencent-cos
- HuaweiCloud OBS:
reqsign-huaweicloud-obs
- Azure Storage (azblob/azfile/azdls, plus ghac writer):
reqsign-azure-storage
- Google Cloud Storage (GCS):
reqsign-google
Remaining OpenDAL services with local auth implementations
The following OpenDAL services still implement local credential/token loading and/or signing logic without reqsign:
aliyun-drive (OAuth refresh flow, local signer)b2 (authorize-account exchange + token cache/refresh)seafile (token fetch + cache, repo id discovery)koofr (email/password -> token exchange + cache)onedrive (OAuth2 refresh flow, token cache)dropbox (Bearer access token injection)gdrive (Bearer access token injection)github (optional Bearer token injection + fixed headers)cloudflare-kv (Authorization header injection)vercel-blob (Bearer token injection)yandex-disk (OAuth token injection)swift (X-Auth-Token header injection)upyun (HMAC-based request signature)
Proposed task breakdown (reqsign side)
A. Token-only / header injection
Target services:
github (Bearer token + fixed headers)vercel-blob (Authorization: Bearer <token>)yandex-disk (Authorization: OAuth <token>)cloudflare-kv (Authorization: <api_token>)dropbox (Authorization: Bearer <access_token>)gdrive (Authorization: Bearer <access_token>)swift (X-Auth-Token: <token>)
Deliverable:
- Minimal service crates (or a shared helper in
reqsign-core) that expose config/credential types and implement request signing.
B. Login/exchange token + caching
Target services:
b2 (Basic auth -> authorization token, valid up to 24h)seafile (fetch auth token, then Authorization: Token <token>, plus repo id discovery)koofr (exchange email/password for Token token=<...>)
Deliverable:
- Service-specific
ProvideCredential implementation with caching/expiration where applicable.
C. OAuth2 refresh token flow
Target services:
aliyun-drive (refresh_token -> access_token, refresh_token update, expiration tracking)onedrive (OAuth2 refresh endpoint)
Deliverable:
- Service-specific providers using
reqsign-core contexts (HttpSend, FileRead, env) and returning typed credentials.
D. Request signature (HMAC)
Target services:
upyun (HMAC-SHA1 signature and required headers)
Deliverable:
- Service crate implementing the signing algorithm and test vectors.
Acceptance criteria
- Each listed service has a reqsign-backed credential loader/provider (where applicable) and signer.
- OpenDAL service crates can delete local signer/token-refresh code and depend on reqsign instead.
- Unit tests cover:
- canonical header format
- token refresh/caching behavior
- signature correctness (for HMAC-based services)
Tracking checklist
Parts of this issue were drafted with assistance from Codex (with gpt-5.2) and fully reviewed and edited by me. I take full responsibility for all changes.
Background
reqsign's goal is to provide a unified credential loading + request signing implementation for all OpenDAL services, so OpenDAL backends can remove per-service auth code.
Current progress (OpenDAL integration)
The following OpenDAL services are already using reqsign-based credential loading and/or signing:
reqsign-aws-v4+reqsign-core(including AssumeRole credential chain)reqsign-aliyun-ossreqsign-tencent-cosreqsign-huaweicloud-obsreqsign-azure-storagereqsign-googleRemaining OpenDAL services with local auth implementations
The following OpenDAL services still implement local credential/token loading and/or signing logic without reqsign:
aliyun-drive(OAuth refresh flow, local signer)b2(authorize-account exchange + token cache/refresh)seafile(token fetch + cache, repo id discovery)koofr(email/password -> token exchange + cache)onedrive(OAuth2 refresh flow, token cache)dropbox(Bearer access token injection)gdrive(Bearer access token injection)github(optional Bearer token injection + fixed headers)cloudflare-kv(Authorization header injection)vercel-blob(Bearer token injection)yandex-disk(OAuth token injection)swift(X-Auth-Token header injection)upyun(HMAC-based request signature)Proposed task breakdown (reqsign side)
A. Token-only / header injection
Target services:
github(Bearer token + fixed headers)vercel-blob(Authorization: Bearer <token>)yandex-disk(Authorization: OAuth <token>)cloudflare-kv(Authorization: <api_token>)dropbox(Authorization: Bearer <access_token>)gdrive(Authorization: Bearer <access_token>)swift(X-Auth-Token: <token>)Deliverable:
reqsign-core) that expose config/credential types and implement request signing.B. Login/exchange token + caching
Target services:
b2(Basic auth -> authorization token, valid up to 24h)seafile(fetch auth token, thenAuthorization: Token <token>, plus repo id discovery)koofr(exchange email/password forToken token=<...>)Deliverable:
ProvideCredentialimplementation with caching/expiration where applicable.C. OAuth2 refresh token flow
Target services:
aliyun-drive(refresh_token -> access_token, refresh_token update, expiration tracking)onedrive(OAuth2 refresh endpoint)Deliverable:
reqsign-corecontexts (HttpSend,FileRead, env) and returning typed credentials.D. Request signature (HMAC)
Target services:
upyun(HMAC-SHA1 signature and required headers)Deliverable:
Acceptance criteria
Tracking checklist
reqsign-upyunreqsign-b2reqsign-seafilereqsign-koofrreqsign-aliyun-drivereqsign-onedrivereqsign-dropboxreqsign-gdrivereqsign-githubreqsign-cloudflare-kvreqsign-vercel-blobreqsign-yandex-diskreqsign-swiftParts of this issue were drafted with assistance from Codex (with
gpt-5.2) and fully reviewed and edited by me. I take full responsibility for all changes.