Thanks Christian. Nice write-up! Authentication is essential to a production env. It's great to document it well given a lot of people don't necessarily have enough OAuth2 knowledge. Looking forward to the doc PRs and other client side changes.
Yufei

On Wed, Sep 18, 2024 at 8:31 AM Dmitri Bourlatchkov <dmitri.bourlatch...@dremio.com.invalid> wrote:
> Hi Christian,
>
> Very nice proposal. Thanks for putting it together! I added some comments to the doc.
>
> I think it is related to PR #10753 [4], which proposes some foundational refactoring to the java REST client to enable further enhancements in OAuth2 flows.
>
> Cheers,
> Dmitri.
>
> [4] https://github.com/apache/iceberg/pull/10753
>
> On Wed, Sep 18, 2024 at 4:12 AM Christian Thiel <christ...@hansetag.com.invalid> wrote:
>
>> Dear everyone,
>>
>> the Iceberg REST specification allows for different ways of Authentication; OAuth2 is one of them. Until recently the OAuth2 /token endpoint was part of the REST-spec together with datatypes required for the client-credential flow. Both have since been removed from the spec for security reasons [2].
>>
>> Probably because it was a part of the spec before, clients today typically only implement the client-credential flow. This stays behind OAuth2 capabilities and is unsuitable for human users. Common IdPs do not implement the client-credential flow for principals of human users for good reasons.
>>
>> To mitigate this problem, we propose an extension of the Iceberg documentation in 3 steps. This proposal is neither an extension of the Iceberg REST Catalog specification nor OAuth2 itself. The Iceberg REST specification already specifies OAuth2 Authentication [3], which includes all the flows mentioned in the document of this proposal [1].
>>
>> My proposal to go forward is as follows:
>>
>> 1. Use this proposal's Google Doc for alignment in the community: [1]
>>    https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing
>>    Discuss in a catalog sync in 1-2 weeks.
>> 2. Condense consensus found in Google Doc to .md and add it to docs
>> 3. Implement additional flows in the iceberg-(java, python, rust ..) packages.
>>    For Java there is already a PR that goes in this direction which could use some more attention:
>>    https://github.com/apache/iceberg/pull/10753
>>    For other languages I am not aware of any initiatives.
>> 4. Encourage clients to allow configuration of new flows for users
>>
>> Any feedback welcome!
>>
>> Thanks
>> - Christian
>>
>> [1]: https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing
>> [2]: https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ
>> [3]: https://github.com/apache/iceberg/blob/ed73ec43dd25c9023069ea1d3381a6d9229be53a/open-api/rest-catalog-open-api.yaml#L61
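The thread contrasts the client-credential grant, which the Iceberg clients implement today, with the user-oriented OAuth2 flows the proposal wants documented. The following Python is an added illustration written for this page; it is not code from the thread, from the Iceberg project, or from PR #10753. It builds the token request for the client-credential grant beside the pieces of an authorization-code flow with PKCE (RFC 7636) that a client would need for a human user: a verifier/challenge pair, the authorization URL, the state check on the redirect, and the code exchange. The IdP endpoints, client ids and redirect URI are placeholder values chosen for the example; the real ones come from the IdP's metadata and the catalog configuration.

```python
import base64
import hashlib
import secrets
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoints; a real client reads these from the IdP's
# discovery document (or the catalog's configuration), never hard-codes them.
AUTHORIZE_URL = "https://idp.example.invalid/oauth2/authorize"
TOKEN_URL = "https://idp.example.invalid/oauth2/token"


def client_credentials_request(client_id: str, client_secret: str, scope: str) -> dict:
    """Token request body for the client-credentials grant (RFC 6749 section 4.4).

    No user is involved: the caller must hold a long-lived secret, which is why
    this grant fits service principals and not people.
    """
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def pkce_challenge_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return secrets.compare_digest(expected, challenge)


def authorization_url(client_id: str, redirect_uri: str, scope: str,
                      state: str, code_challenge: str) -> str:
    """URL the client opens in the user's browser to start the authorization-code flow."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_redirect(redirect: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the client.

    A state mismatch means the response was not produced by the request this
    client started, so it is rejected before any code is exchanged.
    """
    query = parse_qs(urlparse(redirect).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def authorization_code_request(client_id: str, redirect_uri: str,
                               code: str, code_verifier: str) -> dict:
    """Token request body that exchanges the code; the verifier proves possession."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    # Walk the user flow with a constructed redirect (no network is used).
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(authorization_url("iceberg-cli", "http://localhost:8080/callback", "catalog", state, challenge))
    redirect = f"http://localhost:8080/callback?code=example-code&state={state}"
    code = parse_redirect(redirect, state)
    print(authorization_code_request("iceberg-cli", "http://localhost:8080/callback", code, verifier))
```

The two request bodies make the difference concrete: the client-credential body carries a static secret that must be distributed to every human's machine, while the authorization-code body carries only a short-lived code plus the PKCE verifier the client generated for that one sign-in, so nothing long-lived needs to live in a user's catalog configuration.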