Hi Christian,

Very nice proposal. Thanks for putting it together! I added some comments to the doc.

I think it is related to PR #10753 [4], which proposes some foundational refactoring to the Java REST client to enable further enhancements in OAuth2 flows.

Cheers,
Dmitri.

[4] https://github.com/apache/iceberg/pull/10753

On Wed, Sep 18, 2024 at 4:12 AM Christian Thiel <christ...@hansetag.com.invalid> wrote:

> Dear everyone,
>
> The Iceberg REST specification allows for different ways of Authentication, OAuth2 is one of them. Until recently the OAuth2 /token endpoint was part of the REST-spec together with datatypes required for the client-credential flow. Both have since been removed from the spec for security reasons [2].
>
> Probably because it was a part of the spec before, clients today typically only implement the client-credential flow. This stays behind OAuth2 capabilities and is unsuitable for human users. Common IdPs do not implement the client-credential flow for principals of human users for good reasons.
>
> To mitigate this problem, we propose an extension of the Iceberg documentation in 3 steps. This proposal is neither an extension of the Iceberg REST Catalog specification nor OAuth2 itself. The Iceberg REST specification already specifies OAuth2 Authentication [3], which includes all the flows mentioned in the document of this proposal [1].
>
> My proposal to go forward is as follows:
>
> 1. Use this proposal's Google Doc for alignment in the community: [1]
>    https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing
>    Discuss in a catalog sync in 1-2 weeks.
> 2. Condense consensus found in Google Doc to .md and add it to docs
> 3. Implement additional flows in the iceberg-(java, python, rust ..) packages.
>    For Java there is already a PR that goes in this direction which could use some more attention: https://github.com/apache/iceberg/pull/10753
>    For other languages I am not aware of any initiatives.
> 4. Encourage clients to allow configuration of new flows for users
>
> Any feedback welcome!
>
> Thanks
> - Christian
>
> [1]: https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing
> [2]: https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ
> [3]: https://github.com/apache/iceberg/blob/ed73ec43dd25c9023069ea1d3381a6d9229be53a/open-api/rest-catalog-open-api.yaml#L61