adutra commented on PR #8: URL: https://github.com/apache/polaris-tools/pull/8#issuecomment-2820575310
> If we foresee no use case - even when external OAuth does land in OSS Polaris - to support flexible token exchange outside of token refresh with Polaris, then I have no qualms about removing this part from AuthenticationSessionWrapper and just supporting client_credentials and a preset bearer token.

I cannot see a use case where token exchange is going to be necessary in the context of a catalog synchronization. I would suggest refraining from including support for that initially, and waiting until someone actually comes up with a valid use case.

> I had been confused looking at the implementation of Iceberg's OAuth2Util#fromTokenExchange

You are not the only one 😄 Here is some context:

The only situation where a token exchange happens in Iceberg and it's not a token refresh scenario is when the server "vends" an OAuth token to the client as part of a `LoadTableResponse` and the client creates a "table session" for it: https://github.com/apache/iceberg/blob/9587a2e3d5ff658ed1427d17ea2d351029012e7e/core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Manager.java#L208-L211

In that scenario, immediately after the vended token is received, a token exchange happens: the vended token becomes the subject token and the client's current OAuth2 token becomes the actor token.

I do not know of any catalog server that uses this feature. Polaris OSS and Nessie do not support it. I suspect Tabular was making use of it. And I would argue that vending OAuth tokens is not a good practice anyway.

All of this to say: I would suggest again to hold off implementing support for this in the context of this catalog synchronization tool.

> are we okay to merge this PR ahead of time once it has gone through review and open up an issue to ensure that when external OAuth is finalized in Polaris we ensure that this external OAuth support is compatible?

Yes, that's fine 👍
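To make the subject/actor roles in the vended-token scenario concrete, here is an added illustration (not Iceberg's, Polaris', or the PR's own code) that builds the RFC 8693 token-exchange form the comment describes next to the plain client_credentials form the PR proposes to keep, and a check reflecting the proposed restriction to client_credentials and a preset bearer token. Token values, the `is_supported_by_sync_tool` helper, and the exact parameter set Iceberg sends are assumptions.

```python
# Added illustration of the two grant shapes discussed in the comment; not code
# from Iceberg, Polaris, or this PR. Token values are constructed placeholders.
from typing import Dict, Optional

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def client_credentials_form(client_id: str, client_secret: str, scope: str) -> Dict[str, str]:
    """Form body for the client_credentials grant the PR proposes to keep."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }


def vended_token_exchange_form(
    vended_token: str, current_token: Optional[str], scope: str
) -> Dict[str, str]:
    """Form body for the exchange done right after a LoadTableResponse vends a
    token (RFC 8693, as described in the comment): the vended token is the
    subject token and the client's current OAuth2 token is the actor token.
    Assumption: the actor token is simply omitted when the client has none."""
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "scope": scope,
        "subject_token": vended_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
    }
    if current_token is not None:
        form["actor_token"] = current_token
        form["actor_token_type"] = ACCESS_TOKEN_TYPE
    return form


def is_supported_by_sync_tool(form: Optional[Dict[str, str]]) -> bool:
    """Hypothetical allowlist mirroring the PR's proposal: a preset bearer token
    (no grant at all, represented here as None) or client_credentials only;
    token exchange, including the vended-token case, is rejected."""
    if form is None:
        return True
    return form.get("grant_type") == "client_credentials"


if __name__ == "__main__":
    # Constructed sample: a catalog vends "vended-abc" while we hold "client-xyz".
    print(vended_token_exchange_form("vended-abc", "client-xyz", "PRINCIPAL_ROLE:ALL"))
```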
