adutra commented on code in PR #10314:
URL: https://github.com/apache/iceberg/pull/10314#discussion_r1601402075
##########
core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java:
##########
@@ -763,11 +763,19 @@ private static AuthSession fromTokenResponse(
long startTimeMillis,
AuthSession parent,
String credential) {
+ // issued token type is not present in every OAuth2 response:
+ // assume type is access token if none provided.
+ // See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3
Review Comment:
But the problem here is wider: `issued_token_type` is only defined for the
token exchange flow (RFC 8693). This field does not exist for standard flows
from RFC 6749. So the following scenario can happen even with fully-compliant
servers:
1. client uses `client_credentials` to authenticate initially;
2. server sends a successful response similar to [this
one](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3); note that it
does not contain `issued_token_type`, which is normal since it's not defined
for this flow.
3. client attempts to refresh the token using the token exchange flow;
4. client throws IAE because `subjectTokenType` is null.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org
