syun64 commented on issue #8869: URL: https://github.com/apache/iceberg/issues/8869#issuecomment-1771122573
> @syun64 In my org, we have a very similar situation where we, unfortunately, can only use an internal procedure to grab an auth token (that is quite different from the OIDC flow). Based on what you talked about, I believe we are doing quite similar things as you mentioned: we set up a different auth server and have to reimplement our own internal version of RestSessionCatalog and OAuth2Util so that our Spark/Flink Iceberg users can leverage our internal process to refresh the token on the fly.
>
> That being said, I do see the value of separating out the interface of auth away from the interface of resources and defining an auth protocol (interface) to allow more degrees of freedom for auth implementation.

Hi @haizhou-zhao - that's interesting that we share somewhat of a similar concern that is also quite different. I think there are two layers of customization here, and I would like to note them down just so that we don't lose track of each one:

1. Support for a separate OIDC Authorization Server that is a separate entity from the Rest Catalog Server
2. Support for custom authorization methods that do not follow the OIDC flow

I think the implementation details of the solutions to the two issues will be quite different as well, where (1) will be resolved by introducing an optional parameter to override the full path of the token endpoint in the already existing OAuth2Util class. On the other hand, (2) will require a considerable amount of refactoring of OAuth2Util to create a BaseAuth interface that requires users to implement core auth methods like fetch_token, and will break down many of the assumptions RestSessionCatalog is making about the auth mechanism. And I think solving for (2) at scale will be quite challenging, because there's no single spec for how a custom authorization flow would work that we can base our abstractions on.
I'd like to advocate for this issue to be focused on solving for (1), which is a valid OIDC flow that is just not supported yet with the Java and Python RestCatalog implementations.
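The following is an added example, not code from the Iceberg project or from the comment above. It sketches option (1): a client that by default posts its client credentials to the REST catalog's own `v1/oauth/tokens` path, but accepts an optional full token-endpoint URL for a separate Authorization Server, and refreshes the token on the fly the way a session catalog would. All names here (`AuthConfig`, `token_endpoint`, `fetch_token`, `TokenSession`, `FakeTransport`) are assumptions made for the illustration, not the pyiceberg or Java `OAuth2Util` API. The security-relevant point of the override is that it decides where the client secret is sent, so the example refuses a non-TLS endpoint (except loopback) rather than silently posting the secret over plain HTTP.

```python
# Added example (not code from the Iceberg project or from the comment above).
# Illustrates letting the OAuth2 token endpoint live on a separate
# Authorization Server instead of assuming it sits under the catalog URI.
# Every name below is a hypothetical stand-in, not Iceberg's real API.
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode, urlsplit

# Path the Iceberg REST spec uses for its built-in token endpoint.
DEFAULT_TOKEN_PATH = "v1/oauth/tokens"
# Refresh this many seconds before the token actually expires.
REFRESH_SKEW_SECONDS = 60


@dataclass
class AuthConfig:
    catalog_uri: str
    client_id: str
    client_secret: str
    scope: str = "catalog"
    # Hypothetical optional override: full URL of the token endpoint on a
    # separate Authorization Server. None means "same server as the catalog".
    token_endpoint: Optional[str] = None


@dataclass
class Token:
    access_token: str
    token_type: str
    expires_at: float  # absolute epoch seconds


def resolve_token_endpoint(cfg: AuthConfig) -> str:
    """Pick the URL the client credential will be POSTed to."""
    if cfg.token_endpoint is None:
        return cfg.catalog_uri.rstrip("/") + "/" + DEFAULT_TOKEN_PATH
    parts = urlsplit(cfg.token_endpoint)
    if not parts.netloc:
        raise ValueError(f"token endpoint is not an absolute URL: {cfg.token_endpoint}")
    # The override receives the client secret, so insist on TLS except for
    # loopback (local development); a plain-http override would leak the secret.
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1", "::1"):
        raise ValueError(f"token endpoint must use https: {cfg.token_endpoint}")
    return cfg.token_endpoint


# Transport signature: post(url, headers, form_body) -> (status_code, response_bytes).
Transport = Callable[[str, dict, str], tuple]


def fetch_token(cfg: AuthConfig, post: Transport, now: Callable[[], float] = time.time) -> Token:
    """Run an RFC 6749 client_credentials grant against the resolved endpoint."""
    url = resolve_token_endpoint(cfg)
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg.client_id,
        "client_secret": cfg.client_secret,
        "scope": cfg.scope,
    })
    status, body = post(url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request to {url} failed with HTTP {status}")
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError("token response lacks access_token")
    # A missing expires_in is treated as short-lived rather than as never expiring.
    expires_in = float(data.get("expires_in", REFRESH_SKEW_SECONDS))
    return Token(data["access_token"], data.get("token_type", "bearer"), now() + expires_in)


def needs_refresh(token: Token, now: float) -> bool:
    """True once the token is inside the refresh window before expiry."""
    return now >= token.expires_at - REFRESH_SKEW_SECONDS


class TokenSession:
    """Caches a token and refreshes it on the fly, as a session catalog would."""

    def __init__(self, cfg: AuthConfig, post: Transport, now: Callable[[], float] = time.time):
        self._cfg, self._post, self._now = cfg, post, now
        self._token: Optional[Token] = None

    def bearer_header(self) -> dict:
        if self._token is None or needs_refresh(self._token, self._now()):
            self._token = fetch_token(self._cfg, self._post, self._now)
        return {"Authorization": f"Bearer {self._token.access_token}"}


class FakeTransport:
    """Constructed stand-in for HTTP so the example runs offline; records every POST."""

    def __init__(self):
        self.calls = []   # (url, form_body) per request
        self.issued = 0

    def __call__(self, url: str, headers: dict, form: str) -> tuple:
        self.calls.append((url, form))
        self.issued += 1
        body = {"access_token": f"tok-{self.issued}", "token_type": "bearer", "expires_in": 3600}
        return 200, json.dumps(body).encode()
```

Usage: build an `AuthConfig` with only `catalog_uri` to get today's behaviour (token path under the catalog), or pass `token_endpoint` for a separate Authorization Server; `TokenSession.bearer_header()` fetches on first use and again once the token enters the refresh window, so a long-running Spark or Flink job never sends an expired bearer token.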
