bharos commented on issue #10559:
URL: https://github.com/apache/gravitino/issues/10559#issuecomment-4158394256

I have tried a prototype implementation of the token proxy for solving Trino auth, and it works fine.
I'm happy to collaborate on this as well if possible.

One thing from what I observed during my implementation:
   
```
iceberg.rest-catalog.security=OAUTH2
iceberg.rest-catalog.session=USER
iceberg.rest-catalog.oauth2.server-uri=https://iceberg-token-proxy.dev.xyz.net/v1/oauth/tokens
iceberg.rest-catalog.oauth2.credential=${ENV:ICEBERG_OAUTH2_CREDENTIAL}
```
   
The Trino server tries to authenticate itself first, using the service-level token (which is not per-user). This request also goes to the proxy server.

Because there's only one config for `iceberg.rest-catalog.oauth2.server-uri`, you can't make those requests go to another OAuth server.

So what I did is to make the proxy server "forward" these requests to the actual OAuth server for these service-level token requests from Trino.

Then for the per-user requests to the /v1/config endpoint, the proxy server will issue its own generated token.

Also, because of the above, it looks like for my case I need the Gravitino server to handle two kinds of tokens (one generated by the proxy, one from my standard IdP). So there's the related issue:
https://github.com/apache/gravitino/issues/10565
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.