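adutra commented on PR #12197:
URL: https://github.com/apache/iceberg/pull/12197#issuecomment-2677874717

> When RestSessionCatalog creates a new session it uses AuthSession.fromAccessToken method and puts it to the cache (1 hour timeout). And the problem is that the token lifetime that we send via extraCredentials option can be shorter than this period (1 hour). Shouldn't we have a different behaviour with caching in such case?

Hi, is `extraCredentials` passed down to the `RESTSessionCatalog` wrapped in a `SessionContext`? If so, your `SessionContext` should contain the necessary credentials to keep the token refreshed.

The ideal scenario would be something like this:

1. A new `RESTCatalog` is created with `SessionContext{id=xyz, credentials=foo:bar}`.
2. The `RESTSessionCatalog` is invoked with the session context;
3. The `OAuth2Manager` will look up a cached `AuthSession` with `id=xyz`, or create one if none exists;
4. The created `AuthSession` will have `credentials=foo:bar`, and will keep the token refreshed using these credentials (the cache eviction timeout of 1 hour does not matter here);
5. The created `AuthSession` will stay in the cache unless it's not used for 1 hour, in which case it's evicted.

The problem with this scenario is that token refreshes are rather broken with external IDPs, so the cached auth session will fail to keep the token refreshed.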
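A toy model of the scenario discussed in the comment above, added here as an example; it is not Iceberg code or code from the PR. The class and method names, the 15-minute token lifetime and the lazy refresh-on-use are assumptions made for illustration. It shows a session built from a bare access token staying in a 1-hour idle-eviction cache after its token has expired, while a session that holds credentials refreshes.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Toy model only: every class and method name here is hypothetical, not Iceberg's API.
public class SessionCacheModel {
  static final Duration IDLE_EVICTION = Duration.ofHours(1); // cache timeout from the thread

  static final class Session {
    final String credentials; // null models a session built from a bare access token
    Instant tokenExpiresAt;
    Instant lastUsed;

    Session(String credentials, Instant now, Duration tokenLifetime) {
      this.credentials = credentials;
      this.tokenExpiresAt = now.plus(tokenLifetime);
      this.lastUsed = now;
    }

    // True if the token is usable at 'now'; refreshes first when credentials are held.
    boolean use(Instant now, Duration tokenLifetime) {
      lastUsed = now;
      if (!now.isBefore(tokenExpiresAt) && credentials != null) {
        tokenExpiresAt = now.plus(tokenLifetime); // stands in for a token endpoint call
      }
      return now.isBefore(tokenExpiresAt);
    }
  }

  static final Map<String, Session> CACHE = new HashMap<>();

  // Reuses the cached session unless it has been idle for the eviction period.
  static Session lookup(String id, String credentials, Instant now, Duration tokenLifetime) {
    Session s = CACHE.get(id);
    if (s == null || Duration.between(s.lastUsed, now).compareTo(IDLE_EVICTION) >= 0) {
      s = new Session(credentials, now, tokenLifetime);
      CACHE.put(id, s);
    }
    return s;
  }

  public static void main(String[] args) {
    Instant t0 = Instant.parse("2025-01-01T00:00:00Z"); // constructed timestamp
    Duration ttl = Duration.ofMinutes(15); // assumed lifetime, shorter than the idle timeout
    Instant later = t0.plus(Duration.ofMinutes(30));
    for (String id : new String[] {"token-only", "with-credentials"}) {
      String creds = id.equals("with-credentials") ? "foo:bar" : null;
      lookup(id, creds, t0, ttl); // session created and cached at t0
      boolean ok = lookup(id, creds, later, ttl).use(later, ttl); // same cached session
      System.out.println(id + " usable after 30 min: " + ok);
    }
  }
}
```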
> When RestSessionCatalog creates a new session it uses AuthSession.fromAccessToken method and puts it to the cache (1 hour timeout) And the problem is that the token lifetime that we send via extraCredentials option can be shorter that this period (1 hour). Shouldn't we have a different behaviour with caching in such case? Hi, is `extraCredentials` passed down to the `RESTSessionCatalog` wrapped in a `SessionContext`? If so, your `SessionContext` should contain the necessary credentials to keep to token refreshed. The ideal scenario would be something like this: 1. A new `RESTCatalog` is created with `SessionContext{id=xyz, credentials=foo:bar}`. 2. The `RESTSessionCatalog` is invoked with the session context; 3. The `OAuth2Manager` will look up a cached `AuthSession` with `id=xyz`, or create one if none exists; 4. The created `AuthSession` will have `credentials=foo:bar`, and will keep the token refreshed using these credentials (the cache eviction timeout of 1 hour does not matter here); 5. The created `AuthSession` will stay in the cache unless it's not used for 1 hour, in which case it's evicted. The problem with this scenario is that token refreshes are rather broken with external IDPs, so the cached auth session will fail to keep the token refreshed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For additional commands, e-mail: issues-h...@iceberg.apache.org