Hi Christian

Nice document, thanks!

Definitely a great idea to "document" the OAuth2 flow. My only comment
is that we should document the client side (which you are doing well
in the doc), but also the server side (it might help to understand the
full picture).
I propose to have a group effort on the document with you.

Thanks again!

Regards
JB

On Wed, Sep 18, 2024 at 10:11 AM Christian Thiel
<christ...@hansetag.com.invalid> wrote:
>
> Dear everyone,
>
>
> the Iceberg REST specification allows for different ways of authentication;
> OAuth2 is one of them. Until recently the OAuth2 /token endpoint was part of
> the REST spec, together with the datatypes required for the client-credential
> flow. Both have since been removed from the spec for security reasons [2].
>
> Probably because it was part of the spec before, clients today typically
> only implement the client-credential flow. This falls short of OAuth2's
> capabilities and is unsuitable for human users. Common IdPs do not implement
> the client-credential flow for principals of human users, for good reasons.
>
>
>
> To mitigate this problem, we propose an extension of the Iceberg
> documentation in 3 steps. This proposal is neither an extension of the
> Iceberg REST Catalog specification nor of OAuth2 itself. The Iceberg REST
> specification already specifies OAuth2 authentication [3], which includes all
> the flows mentioned in the document of this proposal [1].
>
>
>
> My proposal to go forward is as follows:
>
> 1. Use this proposal's Google Doc for alignment in the community: [1]
>    https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing
> 2. Discuss in a catalog sync in 1-2 weeks.
> 3. Condense the consensus found in the Google Doc to .md and add it to the docs.
> 4. Implement additional flows in the iceberg-(java, python, rust, ...) packages.
>    For Java there is already a PR that goes in this direction which could use
>    some more attention: https://github.com/apache/iceberg/pull/10753
>    For other languages I am not aware of any initiatives.
> 5. Encourage clients to allow configuration of the new flows for users.
>
> Any feedback welcome!
>
> Thanks
> - Christian
>
> [1]: https://docs.google.com/document/d/1A6bJfSzkTzDWUIegdckSsoaeFxZl1Qn5htI1jzyBQss/edit?usp=sharing
> [2]: https://docs.google.com/document/d/1Xi5MRk8WdBWFC3N_eSmVcrLhk3yu5nJ9x_wC0ec6kVQ
> [3]: https://github.com/apache/iceberg/blob/ed73ec43dd25c9023069ea1d3381a6d9229be53a/open-api/rest-catalog-open-api.yaml#L61
>
>
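To make the distinction Christian draws concrete (the client_credentials grant most clients implement today, versus an authorization_code grant with PKCE that an IdP will actually issue to a human user), here is an added Python example. It is not code from the Iceberg REST spec, pyiceberg or the Java PR; the in-memory StubIdP, the PRINCIPALS registry, the client ids, the endpoints and the loopback redirect URI are all assumptions made for the illustration.

```python
"""Two OAuth2 grants a REST-catalog client can use to obtain a bearer token,
exercised against an in-memory stub IdP. Added example for this thread; it is
not pyiceberg, iceberg-java or the REST spec's own code."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed stub registry (assumption): a service principal has a client
# secret, a human principal does not, mirroring IdPs that do not offer the
# client_credentials grant to human users.
PRINCIPALS = {
    "warehouse-loader": {"kind": "service", "secret": "s3cr3t"},
    "alice": {"kind": "human", "secret": None},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def client_credentials_form(client_id, client_secret, scope="catalog"):
    """POST /token body for the client_credentials grant (RFC 6749 section 4.4),
    the grant most Iceberg clients implement today."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}


def pkce_pair():
    """code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(authorize_endpoint, client_id, redirect_uri, challenge, state):
    """Browser URL that starts the authorization_code grant (RFC 6749 section 4.1)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "catalog", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{authorize_endpoint}?{urlencode(params)}"


def authorization_code_form(client_id, code, redirect_uri, verifier):
    """POST /token body that redeems the code and proves possession of the verifier."""
    return {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}


class StubIdP:
    """Hypothetical IdP: issues single-use codes after login and checks PKCE."""

    def __init__(self):
        self._codes = {}  # code -> (subject, code_challenge)

    def login_and_authorize(self, subject, challenge):
        # Stands in for the browser round trip in which the user authenticates.
        if PRINCIPALS.get(subject, {}).get("kind") != "human":
            raise ValueError("interactive login is for human principals")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (subject, challenge)
        return code

    def token(self, form):
        grant = form.get("grant_type")
        if grant == "client_credentials":
            p = PRINCIPALS.get(form.get("client_id"))
            if p is None or p["kind"] != "service" or p["secret"] != form.get("client_secret"):
                return {"error": "invalid_client"}  # no secret exists for a human user
            return {"access_token": f"svc-{form['client_id']}-{secrets.token_hex(4)}",
                    "token_type": "bearer", "expires_in": 3600}
        if grant == "authorization_code":
            entry = self._codes.pop(form.get("code"), None)  # codes are single use
            if entry is None:
                return {"error": "invalid_grant"}
            subject, challenge = entry
            expected = _b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
            if not secrets.compare_digest(expected, challenge):
                return {"error": "invalid_grant"}
            return {"access_token": f"usr-{subject}-{secrets.token_hex(4)}",
                    "token_type": "bearer", "expires_in": 3600}
        return {"error": "unsupported_grant_type"}


def bearer_header(token_response):
    """Authorization header for subsequent catalog requests, or None on failure."""
    if "access_token" not in token_response:
        return None
    return {"Authorization": f"Bearer {token_response['access_token']}"}


def demo():
    """Run both grants against the stub and return every token response."""
    idp = StubIdP()
    redirect = "http://localhost:8765/callback"  # assumed loopback redirect
    service = idp.token(client_credentials_form("warehouse-loader", "s3cr3t"))
    human_cc = idp.token(client_credentials_form("alice", "alice-password"))
    verifier, challenge = pkce_pair()
    url = authorization_url("https://idp.example/authorize", "iceberg-cli", redirect,
                            challenge, secrets.token_urlsafe(8))
    code = idp.login_and_authorize("alice", challenge)
    human_ac = idp.token(authorization_code_form("iceberg-cli", code, redirect, verifier))
    replay = idp.token(authorization_code_form("iceberg-cli", code, redirect, verifier))
    return {"service": service, "human_client_credentials": human_cc,
            "authorize_url": url, "human_authorization_code": human_ac,
            "code_replay": replay}
```

Calling demo() shows the service principal getting a token through client_credentials, the human principal being refused on the same grant (there is no client secret to present), and the same human obtaining a token once a browser-mediated authorization code is redeemed with the matching PKCE verifier; replaying the code fails because codes are single use.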
