syun64 commented on issue #464: URL: https://github.com/apache/iceberg-python/issues/464#issuecomment-1960585674
> 1. Client sends id tokens and resource to the authorization server to get access token.
>
> 2. Client sends access tokens to access a resource.

I think you described it very well here. It looks like there's a front-end component involved in your client application where the user authenticates and authorizes themselves, and the client backend sends a request to PyIceberg to fetch some results. From my understanding that's exactly what the [OIDC Protocol](https://openid.net/developers/how-connect-works/) is, and it's intended to prevent security vulnerabilities you might expose by sending an ID_TOKEN to a resource server.

> However, in reality, it is also common that a resource server (e.g., rest catalog) wants to handle authorization and authentication in a single call, so that id token will be used for that case.

Yeah, this is a pretty interesting point. If the Rest Catalog can be elevated to also be an Authentication server, then maybe there isn't an issue in doing this. In my opinion, it feels very unusual for a Resource Server to also be an Authenticator. An Iceberg Rest Catalog has very little to do with User Identity and is strictly a backend API. Why would we want to group in the work of Authenticating into it?
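The two-step flow quoted above (ID token plus resource to the authorization server, then access token to the resource server) can be made concrete with a small model. The following is an added example written for this page; it is not code from the apache/iceberg-python issue or from PyIceberg. It uses a hand-rolled HS256 JWT encoder so it runs offline, and every value in it is an assumption: the shared secret, the client id `analytics-frontend`, the resource name `iceberg-rest-catalog`, the issuer URL and the claims. The point it shows is the one the comment makes: a correctly written resource server rejects an ID token even though its signature is valid, because the token's `aud` is the client application, not the catalog.

```python
"""Added example (not from the issue or PyIceberg): toy model of ID token vs
access token at a REST catalog. All secrets, ids, and URLs are constructed."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"   # assumed: AS and resource server share an HMAC key
CLIENT_ID = "analytics-frontend"        # assumed OIDC client id (audience of ID tokens)
RESOURCE = "iceberg-rest-catalog"       # assumed resource identifier (audience of access tokens)
ISSUER = "https://as.example"           # assumed authorization server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict) -> str:
    """Minimal HS256 JWT encoder (toy, for illustration only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time():
        raise ValueError("wrong issuer or expired")
    return claims


# --- Authorization server side (toy) ------------------------------------------

def issue_id_token(subject: str, nonce: str) -> str:
    """After login the AS hands the client an ID token. Its audience is the
    client application, which is why it must not be sent to a resource server."""
    return sign({"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                 "nonce": nonce, "exp": int(time.time()) + 300})


def exchange_for_access_token(id_token: str, resource: str) -> str:
    """Step 1 of the quoted flow: the client presents its ID token plus the
    resource it wants; the AS mints an access token addressed to that resource."""
    claims = verify(id_token)
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token was not issued to this client")
    return sign({"iss": ISSUER, "sub": claims["sub"], "aud": resource,
                 "scope": "catalog:read", "exp": int(time.time()) + 300})


# --- Resource server side (toy REST catalog) -----------------------------------

def authorize_catalog_request(bearer: str) -> dict:
    """Step 2: the catalog accepts only tokens addressed to it. An ID token
    (aud = client id, carries a nonce) is rejected despite a valid signature."""
    claims = verify(bearer)
    if claims.get("aud") != RESOURCE:
        raise ValueError(f"token audience {claims.get('aud')!r} is not {RESOURCE!r}")
    if "nonce" in claims:  # defensive: nonces belong to ID tokens, not access tokens
        raise ValueError("ID token presented as an access token")
    return claims


def demo() -> tuple:
    """Run both steps; return (id_token_rejected, access_token_subject)."""
    id_tok = issue_id_token("alice", nonce="n-1")
    try:
        authorize_catalog_request(id_tok)
        id_rejected = False
    except ValueError:
        id_rejected = True
    access_tok = exchange_for_access_token(id_tok, RESOURCE)
    return id_rejected, authorize_catalog_request(access_tok)["sub"]


if __name__ == "__main__":
    print(demo())  # (True, 'alice')
```

The audience check in `authorize_catalog_request` is the whole argument in one line: the catalog never needs to know who the user is beyond what the access token's claims say, so it has no reason to accept, or be able to validate, an ID token.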