snazy commented on code in PR #10256:
URL: https://github.com/apache/iceberg/pull/10256#discussion_r1600512130
##########
core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java:
##########
@@ -215,6 +215,12 @@ public void initialize(String name, Map<String, String>
unresolved) {
this.paths = ResourcePaths.forCatalogProperties(mergedProps);
String token = mergedProps.get(OAuth2Properties.TOKEN);
+ // re-resolve these variables in case they were overridden by the config
endpoint
+ credential = mergedProps.get(OAuth2Properties.CREDENTIAL);
+ scope = mergedProps.getOrDefault(OAuth2Properties.SCOPE,
OAuth2Properties.CATALOG_SCOPE);
+ oauth2ServerUri =
+ mergedProps.getOrDefault(OAuth2Properties.OAUTH2_SERVER_URI,
ResourcePaths.tokens());
Review Comment:
> The default should (...) be the spec'ed auth server path
I strongly disagree with this, the `/v1/oauth/tokens` should, as I mentioned
above, have really never become part of the Iceberg REST spec:
* Each client passes the just base64 encoded credentials to that endpoint -
that proxies requests to something you don't know - and gets some token back.
This means, the resource knows your credentials.
* It is the opposite of what OAuth addresses: `OAuth addresses these issues
by introducing an authorization layer and separating the role of the client
from that of the resource owner.` - see [RFC
6749](https://datatracker.ietf.org/doc/html/rfc6749#section-1).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
