adutra commented on PR #10314: URL: https://github.com/apache/iceberg/pull/10314#issuecomment-2205747465
> @adutra IMO https://github.com/apache/iceberg/pull/10314/files#r1601220154 still needs to be reverted. It's ok to add a workaround for Keycloak but I don't see a good enough reason to adjust what the server (aka `RESTCatalogAdapter` is sending back)

@nastra I'm sorry but I really don't agree. This has _nothing_ to do with Keycloak. This is _not_ a workaround. This has to do with complying with the OAuth 2.0 spec. Have you read [section 5.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-5.1)? Quoting here so that we are on the same page:

> The authorization server issues an access token and optional refresh token, and constructs the response by adding the following parameters to the entity-body of the HTTP response with a 200 (OK) status code:
>
> **access_token**
> REQUIRED. The access token issued by the authorization server.
>
> **token_type**
> REQUIRED. The type of the token issued as described in [Section 7.1](https://datatracker.ietf.org/doc/html/rfc6749#section-7.1). Value is case insensitive.
>
> **expires_in**
> RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.
>
> **refresh_token**
> OPTIONAL. The refresh token, which can be used to obtain new access tokens using the same authorization grant as described in [Section 6](https://datatracker.ietf.org/doc/html/rfc6749#section-6).
>
> **scope**
> OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED. The scope of the access token as described by [Section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).

As you can see there is no `issued_token_type` field. We therefore must comply with that, and be prepared to receive responses that do NOT contain that field. A client that breaks because that field is missing _is not an OAuth2-compliant client_.
By returning an unspecified field for a `client_credentials` grant, `RESTCatalogAdapter` is also _infringing the OAuth 2.0 spec_.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
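The spec text quoted in the comment above translates directly into a client-side check. The following is an added example written for this page (Python, not Iceberg project code and not from the PR under discussion): a parser for an RFC 6749 section 5.1 token response that requires only `access_token` and `token_type`, treats `expires_in`, `refresh_token` and `scope` as the spec describes, and accepts `issued_token_type` only as an optional extra, since that parameter is defined by the RFC 8693 token-exchange response rather than by RFC 6749. The three sample response bodies are constructed for the example; the first mimics the shape of a plain `client_credentials` response from a server such as Keycloak, which legitimately omits `issued_token_type`.

```python
"""RFC 6749 section 5.1 token-response validation (added example, not Iceberg code)."""
import json
from dataclasses import dataclass, field
from typing import Optional


class TokenResponseError(ValueError):
    """Raised when a token response violates RFC 6749 section 5.1."""


@dataclass
class TokenResponse:
    access_token: str
    token_type: str                          # normalised to lower case: the spec says case insensitive
    expires_in: Optional[int] = None         # RECOMMENDED
    refresh_token: Optional[str] = None      # OPTIONAL
    scope: Optional[str] = None              # OPTIONAL if identical to the request, otherwise REQUIRED
    issued_token_type: Optional[str] = None  # not part of RFC 6749; RFC 8693 token exchange adds it
    extra: dict = field(default_factory=dict)  # unrecognised names: RFC 6749 5.1 says the client MUST ignore them


RFC6749_NAMES = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}


def parse_token_response(body: str, requested_scope: Optional[str] = None) -> TokenResponse:
    """Parse the JSON body of a 200 OK token response; only access_token and token_type are required."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenResponseError(f"token response is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise TokenResponseError("token response body must be a JSON object")

    for name in ("access_token", "token_type"):
        value = data.get(name)
        if not isinstance(value, str) or not value:
            raise TokenResponseError(f"missing required parameter {name!r} (RFC 6749 section 5.1)")

    expires_in = data.get("expires_in")
    if expires_in is not None:
        # The RFC shows the value as the string "3600"; real servers usually send a JSON number.
        if isinstance(expires_in, bool) or not isinstance(expires_in, (int, str)):
            raise TokenResponseError("expires_in must be an integer number of seconds")
        try:
            expires_in = int(expires_in)
        except ValueError as exc:
            raise TokenResponseError("expires_in must be an integer number of seconds") from exc
        if expires_in <= 0:
            raise TokenResponseError("expires_in must be positive")

    scope = data.get("scope")
    if scope is None:
        scope = requested_scope  # omitted scope means identical to what the client asked for

    issued = data.get("issued_token_type")  # absent on a plain client_credentials response: that is fine
    return TokenResponse(
        access_token=data["access_token"],
        token_type=data["token_type"].lower(),
        expires_in=expires_in,
        refresh_token=data.get("refresh_token"),
        scope=scope,
        issued_token_type=issued if isinstance(issued, str) else None,
        extra={k: v for k, v in data.items() if k not in RFC6749_NAMES | {"issued_token_type"}},
    )


def is_compliant(body: str) -> bool:
    """True when the body parses as a valid RFC 6749 section 5.1 response."""
    try:
        parse_token_response(body)
        return True
    except TokenResponseError:
        return False


# Constructed sample: the shape of a client_credentials response from a server such as Keycloak.
CLIENT_CREDENTIALS_RESPONSE = json.dumps({
    "access_token": "eyJhbGciOiJSUzI1NiJ9.constructed.payload",
    "token_type": "Bearer",
    "expires_in": 300,
    "scope": "catalog",
})

# Constructed sample: an RFC 8693 token-exchange response, where issued_token_type is present.
TOKEN_EXCHANGE_RESPONSE = json.dumps({
    "access_token": "constructed-exchanged-token",
    "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "token_type": "Bearer",
    "expires_in": "3600",
})

# Constructed sample: non-compliant, because token_type is REQUIRED.
MISSING_TOKEN_TYPE_RESPONSE = json.dumps({"access_token": "constructed", "expires_in": 300})


if __name__ == "__main__":
    for label, body in (("client_credentials", CLIENT_CREDENTIALS_RESPONSE),
                        ("token_exchange", TOKEN_EXCHANGE_RESPONSE),
                        ("missing_token_type", MISSING_TOKEN_TYPE_RESPONSE)):
        print(label, "compliant" if is_compliant(body) else "NOT compliant")
```

The point the check makes concrete: a client that raises on the first sample is rejecting a response that the spec explicitly allows, while a client that raises on the third is doing exactly what the spec requires. Case-folding `token_type` and defaulting an omitted `scope` to the requested one are the two other places where a strict but non-compliant client tends to break against a third-party authorization server.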