adutra commented on code in PR #10314:
URL: https://github.com/apache/iceberg/pull/10314#discussion_r1601396353
##########
core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java:
##########
@@ -763,11 +763,19 @@ private static AuthSession fromTokenResponse(
long startTimeMillis,
AuthSession parent,
String credential) {
+ // issued token type is not present in every OAuth2 response:
+ // assume type is access token if none provided.
+ // See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3
Review Comment:
Indeed, Keycloak does not fully implement it. Quoting from their [Securing
Applications and Services
Guide](https://www.keycloak.org/docs/latest/securing_apps/index.html#how-token-exchange-works):
> Token exchange in Keycloak is a very loose implementation of the OAuth
Token Exchange specification at the IETF. We have extended it a little, ignored
some of it, and loosely interpreted other parts of the specification. It is a
simple grant type invocation on a realm’s OpenID Connect token endpoint.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org
