Hi Sander, In Apache Iceberg, the OAuth2 layer indeed only supports static tokens or a client ID/secret pair. The only supported grant type is client_credentials; the token exchange grant is reserved strictly for token refreshes, not for initial authentication.
I suspect that the Trino behavior you mentioned might be related to Trino's "iceberg.rest-catalog.session" property, specifically when it is set to "USER" [1]. In this configuration, Trino generates a JWT at catalog initialization, and uses the token exchange grant to exchange that JWT against another token [2]. However, this feature is poorly documented and has recently been reported by users as being complicated to set up correctly [3]. The exchange looks like a home-grown client assertion, but it's not configurable, and I suspect it doesn't work well with some IDPs. For more information on the Trino specifics, your best bet might be to reach out directly to the Trino mailing list or Slack channel. Hope that helps. Thanks, Alex [1]: https://trino.io/docs/current/object-storage/metastores.html#iceberg-specific-metastores [2]: https://github.com/trinodb/trino/blob/38406672349c33d4902bca7a5ebd380b6b382802/plugin/trino-iceberg/src/main/java/io/trino/plugin/iceberg/catalog/rest/TrinoRestCatalog.java#L484-L510 [3]: https://github.com/trinodb/trino/issues/26320 On Mon, Feb 16, 2026 at 5:03 PM Sander Bylemans <[email protected]> wrote: > > Hey all, > > Currently looking into integrating Iceberg into our dataplatform setup. > However, I'm experiencing some issues with oauth2 integration, specifically > with Trino. I would like Trino to pass a JWT to the Iceberg catalog I'm > using, or use the exchange-token flow, to enable true multi tenancy. However > when I'm looking at the apache implementation of this, it expects a static > token or a credential. The exchange flow is implemented but it is unclear to > me how one would configure a RestSessionCatalog that would use that flow... > > Is that something that is broken? I have found several discussion / PR's > regarding this topic: > - https://github.com/apache/iceberg/issues/12196 > - https://github.com/apache/iceberg/pull/12362 > - https://lists.apache.org/thread/j49320100wtpp15dv197fdjqw2hwl91j > > Thanks for the info! > > Kind regards
