adutra commented on issue #12196:
URL: https://github.com/apache/iceberg/issues/12196#issuecomment-2674990474
Hi, I support this feature request and think this is a great idea.
I can confirm that support for external IDPs is currently broken, as token
refreshes generally do not work.
There are a few reasons for that:
1. The usage of the token exchange grant in lieu of the `refresh_token` grant. Not all IDPs have support for token exchange:
   a. Authelia or Authentik have no support for it.
   b. Keycloak does have support for it, but it must be explicitly enabled and is still considered in "preview" state.
   c. Auth0 has a "[custom token exchange beta](https://auth0.com/docs/custom-token-exchange-beta)" feature, but it cannot be used to refresh tokens.
2. The usage of bearer token authentication in lieu of basic authentication. Bearer token authentication per [RFC 6750](https://www.rfc-editor.org/rfc/rfc6750.html) is meant for accessing the resource server, not the authorization server. **All IDPs reject such requests.**

We could argue that reason 1 above is a "feature request", but I would qualify reason 2 as a bug.
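For reference, this added example (not Iceberg's code, and not part of the comment above) builds a token-refresh request the way RFC 6749 expects it, with the `refresh_token` grant and HTTP Basic client authentication, and flags the two patterns the comment describes as broken; the token endpoint, client id and secret are made-up values.

```python
"""Standards-conformant OAuth 2.0 token refresh (RFC 6749 section 6, client
authenticated per section 2.3.1) plus a check for the two broken patterns:
bearer auth at the token endpoint, and token exchange used as a refresh."""
import base64
from urllib.parse import parse_qs, urlencode

# RFC 8693 grant type; optional for IDPs and not universally implemented.
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 6749 s2.3.1: "client_id:client_secret", base64, in Authorization.
    creds = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def build_refresh_request(token_endpoint: str, client_id: str,
                          client_secret: str, refresh_token: str):
    """Return (url, headers, form body) for a refresh_token grant."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token})
    return token_endpoint, headers, body


def refresh_request_problems(headers: dict, body: str) -> list[str]:
    """List why a generic IDP would reject a token-endpoint request."""
    problems = []
    form = parse_qs(body)
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        # Reason 2: bearer tokens (RFC 6750) authenticate to the resource
        # server; the token endpoint wants client credentials (RFC 6749 s2.3).
        problems.append("bearer token used as client credential at token endpoint")
    elif not auth.startswith("Basic ") and "client_id" not in form:
        problems.append("no client authentication at all")
    if form.get("grant_type", [""])[0] == TOKEN_EXCHANGE:
        # Reason 1: token exchange is not a refresh and many IDPs lack it.
        problems.append("token exchange grant used to refresh a token")
    return problems
```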