adutra commented on issue #12196: URL: https://github.com/apache/iceberg/issues/12196#issuecomment-2675013344
To expand a bit on why using bearer authentication to refresh tokens should be considered a bug, and a violation of the OAuth2 spec: a client is not supposed to authenticate against the tokens endpoint using a bearer token that it obtained previously _from that same endpoint_. According to [RFC 6749 section 2.3](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3), valid authentication methods that IDPs must support include: HTTP Basic header (preferred), or client ID + client secret included in the POST request body. In any case, _the request must include the client ID and the client secret_.

But a typical token refresh request issued by the Iceberg REST client looks like this (slightly arranged for readability):

```
POST /tokens HTTP/1.1
Host: auth-server.example.com
Authorization: Bearer <current access token>   <-- WRONG
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
subject_token_type=urn:ietf:params:oauth:token-type:access_token
subject_token=<current access token>
scope=catalog
```

Note how it does NOT include the client ID and client secret. Keycloak and Auth0 both respond with a 401 response. Keycloak also logs a warning:

```
WARN [org.keycloak.events] (executor-thread-40) type="TOKEN_EXCHANGE_ERROR", clientId="null", userId="null", error="client_not_found", grant_type="urn:ietf:params:oauth:grant-type:token-exchange"
```
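To make the point concrete, the following is an added example (not Iceberg's client code and not Keycloak's or Auth0's server code) that builds the same token-exchange refresh request three ways and runs a minimal server-side client-authentication check over it, modelled on RFC 6749 section 2.3: `bearer` reproduces the request quoted above, `basic` sends the client ID and secret in an HTTP Basic header, and `body` puts them in the form body. The `authenticate_client` function, the `registered_clients` table and the credentials `iceberg` / `s3cr3t` are constructed for the example; the error codes mirror the `client_not_found` string from the Keycloak log line above and the `invalid_client` code from RFC 6749.

```python
import base64
from urllib.parse import parse_qs, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_refresh_request(access_token, client_id=None, client_secret=None,
                          scope="catalog", auth_style="basic"):
    """Return (headers, form_body) for a token-exchange refresh request.

    auth_style "bearer" reproduces the broken request from the issue (no client
    credentials at all); "basic" authenticates per RFC 6749 2.3.1 with an HTTP
    Basic header; "body" sends client_id/client_secret in the form body.
    """
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": access_token,
        "scope": scope,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_style == "bearer":
        # The access token is the subject of the exchange, not a client credential.
        headers["Authorization"] = f"Bearer {access_token}"
    elif auth_style == "basic":
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif auth_style == "body":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown auth_style {auth_style!r}")
    return headers, urlencode(form)


def authenticate_client(headers, body, registered_clients):
    """Hypothetical IdP-side check of the token endpoint request.

    Returns (ok, error_code). Only HTTP Basic or client_id/client_secret in
    the body count as client authentication; a Bearer header does not.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return False, "unsupported_grant_type"

    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode()
        except Exception:
            return False, "invalid_client"
        client_id, _, secret = decoded.partition(":")
    elif "client_id" in form and "client_secret" in form:
        client_id, secret = form["client_id"], form["client_secret"]
    else:
        # No client credentials present (the Bearer case lands here): this is
        # the situation the Keycloak log reports as client_not_found.
        return False, "client_not_found"

    if registered_clients.get(client_id) != secret:
        return False, "invalid_client"
    return True, None


if __name__ == "__main__":
    clients = {"iceberg": "s3cr3t"}  # constructed client registry
    for style in ("bearer", "basic", "body"):
        h, b = build_refresh_request("tok-123", "iceberg", "s3cr3t", auth_style=style)
        print(style, "->", authenticate_client(h, b, clients))
```

Running the block prints a `client_not_found` rejection for the `bearer` form and an accepted result for `basic` and `body`, which is the difference the issue describes: the fix is not to drop the `Authorization` header but to carry the client ID and secret in one of the two RFC 6749 forms.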