snazy commented on code in PR #10256:
URL: https://github.com/apache/iceberg/pull/10256#discussion_r1600512130


##########
core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java:
##########
@@ -215,6 +215,12 @@ public void initialize(String name, Map<String, String> 
unresolved) {
     this.paths = ResourcePaths.forCatalogProperties(mergedProps);
 
     String token = mergedProps.get(OAuth2Properties.TOKEN);
+    // re-resolve these variables in case they were overridden by the config 
endpoint
+    credential = mergedProps.get(OAuth2Properties.CREDENTIAL);
+    scope = mergedProps.getOrDefault(OAuth2Properties.SCOPE, 
OAuth2Properties.CATALOG_SCOPE);
+    oauth2ServerUri =
+        mergedProps.getOrDefault(OAuth2Properties.OAUTH2_SERVER_URI, 
ResourcePaths.tokens());

Review Comment:
   > The default should (...) be the spec'ed auth server path
   
   I strongly disagree with this, the `/v1/oauth/tokens` should, as I mentioned 
above, have really never become part of the Iceberg REST spec:
   * Each client passes the just base64 encoded credentials to that endpoint - 
that proxies requests to something you don't know - and gets some token back. 
This means, the resource knows your credentials.
   * It is the opposite of what OAuth addresses: `OAuth addresses these issues 
by introducing an authorization layer and separating the role of the client 
from that of the resource owner.` - see [RFC 
6749](https://datatracker.ietf.org/doc/html/rfc6749#section-1).



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org

Reply via email to