szymonorz opened a new issue, #13337:
URL: https://github.com/apache/iceberg/issues/13337

   ### Apache Iceberg version
   
   1.9.1 (latest release)
   
   ### Query engine
   
   Trino
   
   ### Please describe the bug 🐞
   
   Hi,
   while trying to integrate Trino into the analytic stack at the company I 
work at I noticed there seems to be a faulty implementation of the client 
credentials OAuth2 flow. We use CAS for OpenID Connect 
https://apereo.github.io/cas/7.2.x/index.html 
   
   Per [RFC 6749 Section 
2.3](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3)
   ```
   The client MUST NOT use more than one authentication method in each request.
   ```
   However, when debugging Trino I noticed that the Iceberg library calls 
`OAuth2Manager#newSessionFromCredential` with `parent` session headers which 
have `Authorization` set with a `Bearer` token. CAS treats such a request as a `Bad 
request`, making Trino unusable with Iceberg with OAuth2 enabled. Maybe other 
OIDC providers don't follow this spec.
   
   Trino doesn't do anything other than calling 
`RESTSessionCatalog#listNamespaces(Session.SessionContext, Namespace)`, for 
example.
   
   Tested on Trino 474, 475 and 476.
   
   I'm not fluent with the Iceberg codebase, but maybe adding code that would 
remove the `Authorization: Bearer xxx` header in the 
`OAuth2Manager#newSessionFromCredential` method would work.
   
   ### Willingness to contribute
   
   - [ ] I can contribute a fix for this bug independently
   - [x] I would be willing to contribute a fix for this bug with guidance from 
the Iceberg community
   - [ ] I cannot contribute a fix for this bug at this time


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
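
The header handling suggested in the issue, as an added example that is not part of the original report and not Iceberg's own code: the class, method names and sample values are hypothetical, and sending the client credentials via HTTP Basic is an assumption.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class TokenRequestHeaders {

  // Hypothetical helper (not an Iceberg API): headers for a client_credentials
  // token request, built from the parent session headers minus any inherited
  // Authorization header, so the request carries one authentication method.
  static Map<String, String> forClientCredentials(
      Map<String, String> parentHeaders, String clientId, String clientSecret) {
    Map<String, String> headers = new LinkedHashMap<>();
    parentHeaders.forEach((name, value) -> {
      if (!"Authorization".equalsIgnoreCase(name)) { // header names are case-insensitive
        headers.put(name, value);
      }
    });
    // RFC 6749 Section 2.3.1: form-urlencode id and secret, then HTTP Basic.
    String pair = URLEncoder.encode(clientId, StandardCharsets.UTF_8)
        + ":" + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
    headers.put("Authorization", "Basic "
        + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8)));
    return headers;
  }

  // Counts the credentials a token request presents: each Authorization
  // header, plus a client_secret sent in the form body.
  static long authMethods(Map<String, String> headers, Map<String, String> form) {
    long inHeaders = headers.keySet().stream()
        .filter("Authorization"::equalsIgnoreCase).count();
    return inHeaders + (form.containsKey("client_secret") ? 1 : 0);
  }

  public static void main(String[] args) {
    // Constructed sample values, not taken from the issue.
    Map<String, String> parent = new LinkedHashMap<>();
    parent.put("authorization", "Bearer parent-session-token");
    parent.put("X-Client-Version", "example");
    Map<String, String> form = new LinkedHashMap<>();
    form.put("grant_type", "client_credentials");
    form.put("client_secret", "example-secret");
    System.out.println("inherited Bearer + form secret: " + authMethods(parent, form));
    form.remove("client_secret"); // secret now travels only in the Basic header
    Map<String, String> fixed = forClientCredentials(parent, "example-client", "example-secret");
    System.out.println("after stripping: " + authMethods(fixed, form));
  }
}
```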

