lkindere commented on issue #13591: URL: https://github.com/apache/iceberg/issues/13591#issuecomment-3096816905
@nastra the issue is specifically that Azure OAuth does not seem to support the token_exchange grant type. For example, running longer than 1 hour with the default OAuth2Util implementation would end up in:

```
Failed to clean up on failure (org.apache.iceberg.util.Tasks:289)
org.apache.iceberg.exceptions.BadRequestException: Malformed request: unsupported_grant_type: AADSTS70003: The app requested an unsupported grant type 'urn:ietf:params:oauth:grant-type:token-exchange'.
Trace ID: 7cab4d7a-1afb-484c-ac51-9854a6ed0f00
Correlation ID: c70aba69-e095-4ba4-9242-608d126e0d00
Timestamp: 2025-07-17 13:27:30Z
    at org.apache.iceberg.rest.ErrorHandlers$OAuthErrorHandler.accept(ErrorHandlers.java:278)
    at org.apache.iceberg.rest.ErrorHandlers$OAuthErrorHandler.accept(ErrorHandlers.java:252)
    at org.apache.iceberg.rest.HTTPClient.throwFailure(HTTPClient.java:215)
    at org.apache.iceberg.rest.HTTPClient.execute(HTTPClient.java:299)
    at org.apache.iceberg.rest.BaseHTTPClient.postForm(BaseHTTPClient.java:111)
    at org.apache.iceberg.rest.auth.OAuth2Util.refreshToken(OAuth2Util.java:170)
    at org.apache.iceberg.rest.auth.OAuth2Util$AuthSession.refreshExpiredToken(OAuth2Util.java:607)
    at org.apache.iceberg.rest.auth.OAuth2Util$AuthSession.lambda$refresh$0(OAuth2Util.java:552)
    at org.apache.iceberg.util.Tasks$Builder.tryRunOnFailure(Tasks.java:286)
    at org.apache.iceberg.util.Tasks$Builder.runSingleThreaded(Tasks.java:225)
    at org.apache.iceberg.util.Tasks$Builder.run(Tasks.java:203)
    at org.apache.iceberg.util.Tasks$Builder.run(Tasks.java:196)
    at org.apache.iceberg.rest.auth.OAuth2Util$AuthSession.refresh(OAuth2Util.java:562)
    at org.apache.iceberg.rest.auth.OAuth2Util$AuthSession.lambda$scheduleTokenRefresh$2(OAuth2Util.java:645)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
```

Now, when manually shaded over with a custom implementation of OAuth2Util (where the refresh() function instead always calls fetchToken and gets a new token via client credentials as opposed to refreshToken), it works perfectly fine on our side. It would be nice to see an option to disable token_exchange and always get a new token via client credentials or some similar approach.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
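
The refresh behaviour requested in the comment above, as an added example that is not part of the original comment and is not Iceberg's code: a session that tries an RFC 8693 token exchange and, on `unsupported_grant_type`, switches permanently to re-fetching with client credentials. `TokenRefresher`, `make_fake_idp` and the `use_token_exchange` flag are hypothetical names, and the token endpoint is a constructed in-memory stand-in.

```python
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

class OAuthError(Exception):
    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error = error

class TokenRefresher:
    """Hypothetical session: refresh by token exchange, or re-fetch with client credentials."""
    def __init__(self, post_form, client_id, client_secret, scope, use_token_exchange=True):
        self.post_form = post_form              # callable(form dict) -> token response dict
        self.client_id, self.client_secret, self.scope = client_id, client_secret, scope
        self.use_token_exchange = use_token_exchange
        self.token = None

    def fetch(self):
        # RFC 6749 section 4.4: new token straight from the client's own credentials
        form = {"grant_type": "client_credentials", "client_id": self.client_id,
                "client_secret": self.client_secret, "scope": self.scope}
        self.token = self.post_form(form)["access_token"]
        return self.token

    def refresh(self):
        if self.use_token_exchange and self.token:
            # RFC 8693: trade the current access token for a fresh one
            form = {"grant_type": TOKEN_EXCHANGE, "subject_token": self.token,
                    "subject_token_type": ACCESS_TOKEN, "scope": self.scope}
            try:
                self.token = self.post_form(form)["access_token"]
                return self.token
            except OAuthError as err:
                if err.error != "unsupported_grant_type":
                    raise                        # other failures must stay visible
                self.use_token_exchange = False  # remember, so later cycles skip it
        return self.fetch()

def make_fake_idp(secret="constructed-secret"):
    """Constructed stand-in for a token endpoint that accepts only client_credentials."""
    seen = []                                   # grant types received, in order
    def post_form(form):
        seen.append(form["grant_type"])
        if form["grant_type"] != "client_credentials":
            raise OAuthError("unsupported_grant_type", "constructed rejection")
        if form.get("client_secret") != secret:
            raise OAuthError("invalid_client", "constructed rejection")
        return {"access_token": f"token-{seen.count('client_credentials')}", "expires_in": 3600}
    return post_form, seen
```

Re-fetching with client credentials means the client secret has to stay available to the process for the whole job, not only at startup.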