kevinjqliu commented on code in PR #2055:
URL: https://github.com/apache/iceberg-python/pull/2055#discussion_r2216919410
##########
mkdocs/docs/configuration.md:
##########
@@ -374,6 +374,94 @@ Specific headers defined by the RESTCatalog spec include:
| ------------------------------------ | -------------------------------------
| -------------------- |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
| `header.X-Iceberg-Access-Delegation` | `{vended-credentials,remote-signing}`
| `vended-credentials` | Signal to the server that the client supports
delegated access via a comma-separated list of access mechanisms. The server
may choose to supply access via any or none of the requested mechanisms |
+#### Authentication in RESTCatalog
Review Comment:
This is great! A heads up, we recently merged a PR which added an
"Authentication Options" section under the REST Catalog docs. Would be great to
merge with what you have here.
See,
https://github.com/apache/iceberg-python/blob/main/mkdocs/docs/configuration.md#authentication-options
##########
pyiceberg/catalog/rest/auth.py:
##########
@@ -109,6 +122,95 @@ def auth_header(self) -> str:
return f"Bearer {self._token}"
+class OAuth2TokenProvider:
+ """Thread-safe OAuth2 token provider with token refresh support."""
+
+ client_id: str
+ client_secret: str
+ token_url: str
+ scope: Optional[str]
+ refresh_margin: int
+ expires_in: Optional[int]
+
+ _token: Optional[str]
+ _expires_at: int
+ _lock: threading.Lock
+
+ def __init__(
+ self,
+ client_id: str,
+ client_secret: str,
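Review bot: `client_secret` is declared in the class-level annotations as a public attribute, while `_token`, `_expires_at` and `_lock` are private. That leaves the long-lived secret readable on any reference to the provider, more exposed than the short-lived token it is used to obtain. Consider storing it as `_client_secret`, and keeping it out of any `__repr__` or log output this class produces.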
Review Comment:
There are a couple of options in the oauth section:
- token
- credential
- scope
- resource
- audience

`LegacyOAuth2AuthManager` currently supports this, so I think we should
support them in the new implementation too.
WDYT?
##########
pyiceberg/catalog/rest/auth.py:
##########
@@ -109,6 +122,95 @@ def auth_header(self) -> str:
return f"Bearer {self._token}"
+class OAuth2TokenProvider:
+ """Thread-safe OAuth2 token provider with token refresh support."""
+
+ client_id: str
+ client_secret: str
+ token_url: str
+ scope: Optional[str]
+ refresh_margin: int
+ expires_in: Optional[int]
+
+ _token: Optional[str]
+ _expires_at: int
+ _lock: threading.Lock
+
+ def __init__(
+ self,
+ client_id: str,
+ client_secret: str,
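Review bot: the annotations `refresh_margin: int`, `expires_in: Optional[int]` and `_expires_at: int` carry no units, and the one-line class docstring does not state them either. Please document whether these are seconds and which clock `_expires_at` is measured against, and say what the provider does when `expires_in` is `None`, so readers know whether such a token is ever refreshed.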
Review Comment:
should we let users provide these 2 separately? or parse them out from
`credential` based on
https://github.com/apache/iceberg-python/blob/main/mkdocs/docs/configuration.md#oauth2
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]