snazy commented on PR #10256:
URL: https://github.com/apache/iceberg/pull/10256#issuecomment-2113057306

> This change allows redirecting the auth server which should expose sensitive information to the wrong party.

Why should a (malicious) Iceberg REST endpoint do the more complex redirect-dance, if it can get the nearly clear-text credentials due to the `/v1/oauth/tokens` route introduced by #4771? This change tries to _mitigate_ that security issue (clear text credentials) by telling the client to use the _correct_ oauth endpoint - nothing else.