Dear everyone, the Iceberg REST specification allows for different ways of Authentication, OAuth2 is one of them. Until recently the OAuth2 /token endpoint was part of the REST-spec together with datatypes required for the client-credential flow. Both have since been removed from the spec for security reasons [2].
Probably because it was a part of the spec before, clients today typically only implement the client-credential flow. This stays behind OAuth2 capabilities and is unsuitable for human users. Common IdPs do not implement the client-credential flow for principals of human users, for good reasons.

To mitigate this problem, we propose an extension of the Iceberg documentation in 3 steps. This proposal is neither an extension of the Iceberg REST Catalog specification nor of OAuth2 itself. The Iceberg REST specification already specifies OAuth2 Authentication [3], which includes all the flows mentioned in the document of this proposal [1].

My proposal to go forward is as follows:

1. Use this proposal's Google Doc for alignment in the community: [1] https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing
   Discuss in a catalog sync in 1-2 weeks.
2. Condense the consensus found in the Google Doc to a .md file and add it to the docs.
3. Implement additional flows in the iceberg-(java, python, rust, ...) packages. For Java there is already a PR that goes in this direction which could use some more attention: https://github.com/apache/iceberg/pull/10753
   For other languages I am not aware of any initiatives.
4. Encourage clients to allow configuration of the new flows for users.

Any feedback welcome!

Thanks - Christian

[1]: https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing
[2]: https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ
[3]: https://github.com/apache/iceberg/blob/ed73ec43dd25c9023069ea1d3381a6d9229be53a/open-api/rest-catalog-open-api.yaml#L61
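The following is an added example, not code from the mail above, from the Iceberg project, or from the linked PR. It is a minimal in-memory OAuth2 authorization server that implements the client-credential grant discussed in the mail beside one user-oriented grant (the device authorization grant of RFC 8628, chosen here as an illustration; the mail does not say which flows the proposal document lists). The client ids, secret, user name, endpoint names and token format are constructed for the example. It shows the wire-level difference the mail points at: the client-credential grant authenticates the client itself with a stored secret and yields a token whose subject is the client, so a human principal without a registered secret cannot use it, whereas the device grant involves no client secret and yields a token whose subject is the signed-in user.

```python
"""
Added example (not Iceberg project code): two OAuth2 grants against an
in-memory IdP, to contrast machine principals with human users.
Names, secrets and token formats below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field

CLIENT_CREDENTIALS = "client_credentials"                     # RFC 6749 section 4.4
DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 section 3.4


@dataclass
class AuthServer:
    # Constructed registry: confidential clients hold a secret, public clients
    # (CLIs, notebooks run by people) do not. Human users appear only as
    # subjects that sign in interactively, never as clients with a secret.
    confidential_clients: dict = field(default_factory=lambda: {"etl-job": "s3cr3t"})
    public_clients: set = field(default_factory=lambda: {"iceberg-cli"})
    _pending: dict = field(default_factory=dict)  # device_code -> pending approval
    issued: dict = field(default_factory=dict)    # access_token -> subject

    def _issue(self, subject: str) -> dict:
        token = secrets.token_urlsafe(24)
        self.issued[token] = subject
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600}

    def token(self, form: dict) -> dict:
        """POST /token with the form fields a client would send."""
        grant = form.get("grant_type")
        if grant == CLIENT_CREDENTIALS:
            cid, secret = form.get("client_id"), form.get("client_secret")
            if secret is None or self.confidential_clients.get(cid) != secret:
                return {"error": "invalid_client"}
            # No user is involved: the token's subject is the client itself.
            return self._issue(f"client:{cid}")
        if grant == DEVICE_CODE:
            entry = self._pending.get(form.get("device_code"))
            if entry is None or entry["client_id"] != form.get("client_id"):
                return {"error": "invalid_grant"}
            if entry["approved_by"] is None:
                return {"error": "authorization_pending"}  # client keeps polling
            self._pending.pop(form["device_code"])
            return self._issue(f"user:{entry['approved_by']}")
        return {"error": "unsupported_grant_type"}

    def device_authorization(self, client_id: str) -> dict:
        """POST /device_authorization (RFC 8628 sections 3.1 and 3.2)."""
        if client_id not in self.public_clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(16)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self._pending[device_code] = {"client_id": client_id,
                                      "user_code": user_code, "approved_by": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device", "interval": 5}

    def approve(self, user_code: str, user: str) -> bool:
        """The human signs in at the IdP in a browser and types the user code."""
        for entry in self._pending.values():
            if entry["user_code"] == user_code:
                entry["approved_by"] = user
                return True
        return False


def bearer_header(token_response: dict) -> dict:
    """Header an Iceberg REST client attaches to every catalog request."""
    return {"Authorization": f"Bearer {token_response['access_token']}"}


def service_login(idp: AuthServer) -> str:
    """Machine-to-machine: one round trip, but the secret lives with the job."""
    resp = idp.token({"grant_type": CLIENT_CREDENTIALS,
                      "client_id": "etl-job", "client_secret": "s3cr3t"})
    return idp.issued[resp["access_token"]]


def human_via_client_credentials(idp: AuthServer, user: str) -> str:
    """A person has no client secret registered, so this grant cannot work."""
    return idp.token({"grant_type": CLIENT_CREDENTIALS, "client_id": user})["error"]


def human_login(idp: AuthServer, user: str) -> str:
    """Interactive: no secret on the client; the IdP authenticates the user."""
    dev = idp.device_authorization("iceberg-cli")
    poll = {"grant_type": DEVICE_CODE, "client_id": "iceberg-cli",
            "device_code": dev["device_code"]}
    first = idp.token(poll)  # user has not approved yet
    if first != {"error": "authorization_pending"}:
        raise RuntimeError(f"unexpected response before approval: {first}")
    idp.approve(dev["user_code"], user)
    return idp.issued[idp.token(poll)["access_token"]]


if __name__ == "__main__":
    idp = AuthServer()
    print(service_login(idp), human_via_client_credentials(idp, "alice"), human_login(idp, "alice"))
```

Whichever grant produced the token, the catalog client only ever sees the bearer header; the grants differ in who holds a secret and whose identity the token carries, which is what makes the client-credential grant appropriate for jobs and wrong for people.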