adutra commented on PR #8: URL: https://github.com/apache/polaris-tools/pull/8#issuecomment-2819162771
Hi @mansehajsingh I have a few questions about the features being introduced here:

> Polaris supports exchanging an access token for another access token.

In Polaris, the token exchange grant type is meant primarily for token refreshes. What is the use case here? Where is the subject token expected to come from?

> so you need to specify the token property as well to provide an actor token to the token exchange request.

What is the use case for the actor token, and where is it supposed to come from? Asking because the actor token [is not honored by OSS Polaris](https://github.com/apache/polaris/blob/6b76c39095d70cc1719c2093dcde6e2ebb5d4fa2/service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java#L68-L69); only vendor-specific products make use of actor tokens, e.g. Tabular. Which makes me realize that we might be "sneaking in" some vendor-specific features here. I don't mind doing so, but I think they should be more clearly flagged as Snowflake-specific features.

> External OAuth. Here is an example of how Snowflake Open Catalog does external OAuth support: https://other-docs.snowflake.com/en/LIMITEDACCESS/opencatalog/external-oauth.

That's interesting, thanks for the link 👍 I didn't know that Open Catalog already had support for external authentication, since OSS Polaris doesn't – but hopefully not for a long time: https://github.com/apache/polaris/pull/1397. We probably should make sure that whichever support is added here for external auth also works with OSS Polaris with an external IDP like Keycloak or Auth0.
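For readers following the subject-token / actor-token distinction in the comment above, here is an added example (not code from the PR, from apache/polaris-tools, or from Apache Polaris) that builds an RFC 8693 token-exchange request body on the client side and checks it on the server side. The `honor_actor_token` flag is an assumption used to model the behaviour the comment describes for OSS Polaris, where an `actor_token` is accepted in the request but not acted on; the token values in the test are constructed.

```python
"""RFC 8693 token-exchange request: client-side builder and server-side check."""
from urllib.parse import urlencode, parse_qs

# Grant type and token-type URIs defined by RFC 8693.
GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"
KNOWN_TOKEN_TYPES = {TOKEN_TYPE_ACCESS_TOKEN, TOKEN_TYPE_JWT}


def build_token_exchange_body(subject_token, subject_token_type=TOKEN_TYPE_ACCESS_TOKEN,
                              actor_token=None, actor_token_type=None, scope=None):
    """Return the form-encoded body of a token-exchange request.

    subject_token is mandatory: it is the token whose identity is being exchanged.
    actor_token is optional, but when it is sent RFC 8693 section 2.1 requires
    actor_token_type to be sent alongside it.
    """
    if not subject_token:
        raise ValueError("subject_token is required")
    if actor_token is not None and not actor_token_type:
        raise ValueError("actor_token_type is required when actor_token is present")
    params = {
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
    }
    if actor_token is not None:
        params["actor_token"] = actor_token
        params["actor_token_type"] = actor_token_type
    if scope:
        params["scope"] = scope
    return urlencode(params)


def check_token_exchange_body(body, honor_actor_token=False):
    """Server-side validation of a received token-exchange body.

    Returns (problems, ignored): problems lists reasons the request must be
    rejected; ignored lists parameters the server accepts but does not act on.
    honor_actor_token=False is an assumed switch modelling a server that, like
    OSS Polaris as described in the comment above, ignores actor tokens.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    problems, ignored = [], []
    if fields.get("grant_type") != GRANT_TYPE_TOKEN_EXCHANGE:
        problems.append("unsupported_grant_type")
    if not fields.get("subject_token"):
        problems.append("missing subject_token")
    if fields.get("subject_token_type") not in KNOWN_TOKEN_TYPES:
        problems.append("unknown subject_token_type")
    if "actor_token" in fields:
        if not honor_actor_token:
            # Silently dropped: the caller gets no delegation semantics here.
            ignored.append("actor_token")
        elif fields.get("actor_token_type") not in KNOWN_TOKEN_TYPES:
            problems.append("actor_token sent without a known actor_token_type")
    return problems, ignored
```

The `ignored` list is the part worth surfacing in a client: if a tool lets users configure an actor token against a server that drops it, the request still succeeds, so the user gets no signal that the delegation they configured never took effect.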
