Re: [I] Support ID Tokens in Rest Catalog [iceberg-python]

2024-03-05 Thread via GitHub
syun64 closed issue #464: Support ID Tokens in Rest Catalog URL: https://github.com/apache/iceberg-python/issues/464 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscr

Re: [I] Support ID Tokens in Rest Catalog [iceberg-python]

2024-03-05 Thread via GitHub
syun64 commented on issue #464: URL: https://github.com/apache/iceberg-python/issues/464#issuecomment-1979940847 Awesome. Thanks for raising this issue in the first place and walking the community through this discussion!

Re: [I] Support ID Tokens in Rest Catalog [iceberg-python]

2024-03-05 Thread via GitHub
flyrain commented on issue #464: URL: https://github.com/apache/iceberg-python/issues/464#issuecomment-1979866702 Yeah, it is normally an anti-pattern to use id-token for resource servers. For example, the id token will carry all audiences that the client has, which could be misused, e.g.,

Re: [I] Support ID Tokens in Rest Catalog [iceberg-python]

2024-03-05 Thread via GitHub
syun64 commented on issue #464: URL: https://github.com/apache/iceberg-python/issues/464#issuecomment-1979774474 @flyrain do you have any thoughts on this? Does this issue require more discussion, or could we close this with the understanding that ID tokens should not be used against a reso

Re: [I] Support ID Tokens in Rest Catalog [iceberg-python]

2024-02-22 Thread via GitHub
syun64 commented on issue #464: URL: https://github.com/apache/iceberg-python/issues/464#issuecomment-1960585674

> 1. Client sends id tokens and resource to the authorization server to get access token.
>
> 2. Client sends access tokens to access a resource.

I think you describ

Re: [I] Support ID Tokens in Rest Catalog [iceberg-python]

2024-02-22 Thread via GitHub
flyrain commented on issue #464: URL: https://github.com/apache/iceberg-python/issues/464#issuecomment-1960559522 That's definitely true. That's actually what id token and access token are designed for. In that case, the authorization and authentication are separate calls. 1. Client se

Re: [I] Support ID Tokens in Rest Catalog [iceberg-python]

2024-02-22 Thread via GitHub
syun64 commented on issue #464: URL: https://github.com/apache/iceberg-python/issues/464#issuecomment-1960526232 My understanding is that when a backend client is talking to an API server, we should only support Client Credentials Flow or the direct use of access tokens. We are validating t

[I] Support ID Tokens in Rest Catalog [iceberg-python]

2024-02-22 Thread via GitHub
flyrain opened a new issue, #464: URL: https://github.com/apache/iceberg-python/issues/464 ### Feature Request / Improvement [ID Tokens](https://auth0.com/docs/secure/tokens/id-tokens) are commonly used in a scenario where a server combines authentication and authorization in a single