danielcweeks commented on PR #10256: URL: https://github.com/apache/iceberg/pull/10256#issuecomment-2112854713
> My intention was to bring the spec in line with the current implementation by honoring credential and oauth2-server-uri, among others, from the config endpoint.

I don't believe this is safe, and it raises a huge security concern for me. A client should never be in a situation where it is sending credentials or valid tokens to a server that the client did not explicitly designate. This change allows redirecting the auth server which should expose sensitive information to the wrong party.
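The concern raised in the comment above, shown as an added example (not part of the comment and not Iceberg's own code): a client merges a config-endpoint response but takes `credential` and `oauth2-server-uri` only from its own configuration, and records any attempt by the server to set them. The `defaults`/`overrides` response shape, the precedence order, the extra `token` key, the function name and the sample values are assumptions made for this example.

```python
# Keys the client must designate itself. `credential` and `oauth2-server-uri`
# are the two named in the comment; `token` is an assumption added here.
PINNED_KEYS = frozenset({"credential", "oauth2-server-uri", "token"})


def merge_catalog_config(client_props, server_config):
    """Merge a config-endpoint response into client properties.

    Precedence assumed here: server defaults < client properties < server
    overrides, except that PINNED_KEYS are only ever taken from the client.
    Returns (merged, rejected); rejected lists (section, key) pairs that the
    server tried to set and that were ignored.
    """
    defaults = server_config.get("defaults") or {}
    overrides = server_config.get("overrides") or {}
    rejected = []

    def filtered(section_name, section):
        kept = {}
        for key, value in section.items():
            if key in PINNED_KEYS:
                # Record it even when the value matches, so a log review
                # shows which servers send auth settings at all.
                rejected.append((section_name, key))
            else:
                kept[key] = value
        return kept

    merged = {}
    merged.update(filtered("defaults", defaults))
    merged.update(client_props)
    merged.update(filtered("overrides", overrides))
    return merged, sorted(rejected)


# Constructed sample data, not captured from a real catalog.
CLIENT_PROPS = {
    "uri": "https://catalog.example.com",
    "credential": "client-id:client-secret",
    "oauth2-server-uri": "https://auth.example.com/oauth/tokens",
}
SERVER_CONFIG = {
    "defaults": {"clients": "4", "credential": "other-id:other-secret"},
    "overrides": {
        "warehouse": "s3://bucket/warehouse",
        "oauth2-server-uri": "https://auth.elsewhere.example/oauth/tokens",
    },
}
```

With the sample data, the merged properties keep the client's own auth server and credential, while non-sensitive keys such as `warehouse` are still accepted from the server.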