Hi all,

I'd like to propose enhancing the AuthManager API to support HTTP authentication challenges.

Challenges are a crucial part of HTTP authentication: WWW-Authenticate response headers *must* be sent by the server with a 401 (Unauthorized) HTTP response. And yet, the Iceberg REST client currently ignores them, and surfaces the 401 response as an error to the caller.

This enhancement is important because authentication failures can occur at any moment. For example, an OAuth2 token that was valid at the time of the request might be manually revoked by the authorization server by the time the server processes the request, resulting in a 401 response.

I think we could introduce a mechanism in the AuthSession interface to give it a chance to process the challenge, and maybe re-authenticate the client if possible. (What "re-authenticate" means depends on the auth scheme being used – it may not be always possible).

If there's interest in this idea, I'm happy to provide an implementation for OAuth2.

(Please note: This proposal is separate from the OAuth2 AuthManager donation / enhancements discussed in another email thread.)

Thanks,
Alex
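
The challenge handling described in the message above, as an added example that is not part of the original message and not Iceberg code: a Java 16+ sketch that parses `WWW-Authenticate` challenges (grammar from RFC 7235, now part of RFC 9110) and decides whether a bearer-token session may refresh and retry. `ChallengeDemo`, `Challenge`, `Action`, `parse` and `decide` are hypothetical names, and the `invalid_token` error code comes from RFC 6750, which the message does not cite.

```java
import java.util.*;
import java.util.regex.*;
// Added illustration (Java 16+): these names are hypothetical, not Iceberg APIs.
public class ChallengeDemo {
  record Challenge(String scheme, Map<String, String> params) {}
  enum Action { REFRESH_AND_RETRY_ONCE, FAIL }
  // One list element per RFC 7235: [scheme SP] name "=" (token | quoted-string).
  private static final Pattern ELEMENT = Pattern.compile(
      "(?:([^\\s=,\"]+)\\s+)?([^\\s=,\"]+)\\s*=\\s*(?:\"((?:[^\"\\\\]|\\\\.)*)\"|([^\\s=,\"]+))");

  static List<Challenge> parse(String header) {
    List<Challenge> out = new ArrayList<>();
    boolean quoted = false;
    for (int i = 0, start = 0; i <= header.length(); i++) {
      char c = i < header.length() ? header.charAt(i) : ',';    // sentinel comma ends last element
      if (quoted && c == '\\') { i++; continue; }                // escaped char in quoted-string
      if (c == '"') quoted = !quoted;
      if (c != ',' || (quoted && i < header.length())) continue; // commas inside quotes are data
      String element = header.substring(start, i).trim();
      start = i + 1;
      Matcher m = ELEMENT.matcher(element);
      if (!m.matches()) {   // bare scheme or token68 form: record the scheme only
        if (!element.isEmpty()) out.add(new Challenge(element.split("\\s+")[0], new LinkedHashMap<>()));
        continue;
      }
      if (m.group(1) != null) out.add(new Challenge(m.group(1), new LinkedHashMap<>()));
      if (out.isEmpty()) continue;   // parameter before any scheme: malformed, ignore
      String value = m.group(3) != null ? m.group(3).replaceAll("\\\\(.)", "$1") : m.group(4);
      out.get(out.size() - 1).params().put(m.group(2).toLowerCase(Locale.ROOT), value);
    }
    return out;
  }

  // What a session holding an OAuth2 bearer token may do with the challenges of a 401.
  static Action decide(List<Challenge> challenges, boolean alreadyRetried) {
    if (alreadyRetried) return Action.FAIL;   // one retry at most, so repeated 401s cannot loop
    for (Challenge c : challenges) {
      // Answer only the configured scheme (Bearer); RFC 6750 invalid_token covers revoked tokens.
      if (c.scheme().equalsIgnoreCase("Bearer") && "invalid_token".equals(c.params().get("error")))
        return Action.REFRESH_AND_RETRY_ONCE;
    }
    return Action.FAIL;
  }

  public static void main(String[] args) {
    // Constructed sample header, not captured from a real server.
    List<Challenge> cs = parse("Basic realm=\"files\", Bearer realm=\"catalog\", error=\"invalid_token\"");
    System.out.println(cs + " -> " + decide(cs, false) + ", after retry -> " + decide(cs, true));
  }
}
```

The `Basic` challenge in the sample is parsed but never answered: a session that only reacts to the scheme it was configured for cannot be steered by a response into sending credentials under a different scheme.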
