snazy commented on code in PR #10256: URL: https://github.com/apache/iceberg/pull/10256#discussion_r1600512130
########## core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java: ########## @@ -215,6 +215,12 @@ public void initialize(String name, Map<String, String> unresolved) { this.paths = ResourcePaths.forCatalogProperties(mergedProps); String token = mergedProps.get(OAuth2Properties.TOKEN); + // re-resolve these variables in case they were overridden by the config endpoint + credential = mergedProps.get(OAuth2Properties.CREDENTIAL); + scope = mergedProps.getOrDefault(OAuth2Properties.SCOPE, OAuth2Properties.CATALOG_SCOPE); + oauth2ServerUri = + mergedProps.getOrDefault(OAuth2Properties.OAUTH2_SERVER_URI, ResourcePaths.tokens()); Review Comment: > The default should (...) be the spec'ed auth server path I strongly disagree with this, the `/v1/oauth/tokens` should, as I mentioned above, have really never become part of the Iceberg REST spec: * Each client passes the just base64 encoded credentials to that endpoint - that proxies requests to something you don't know - and gets some token back. This means, the resource knows your credentials. * It is the opposite of what OAuth addresses: `OAuth addresses these issues by introducing an authorization layer and separating the role of the client from that of the resource owner.` - see [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-1). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For additional commands, e-mail: issues-h...@iceberg.apache.org