Shohei Okumiya created HIVE-29276:
-------------------------------------
Summary: Support major OAuth 2 Authorization Server implementation
Key: HIVE-29276
URL: https://issues.apache.org/jira/browse/HIVE-29276
Project: Hive
Issue Type: Improvement
Components: Iceberg integration, Standalone Metastore
Reporter: Shohei Okumiya
HIVE-29020 added OAuth 2 support based on the latest best practices, such as
"RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens". Some real
IdPs don't follow some of the new best practices. In this ticket, we will
update the OAuth 2 configurations so that we can support major identity
platforms, such as Microsoft Entra ID or Okta.
For example, RFC 9068 recommends including `typ: at+jwt` in a JWT header so
that a malicious user can't inject a JWT that is not for OAuth 2 protected
resources. However, Okta's access tokens don't always have the type parameter
and there is no tuning knob to add it.
https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#id-token-header
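
An added illustration of the header check the ticket describes, not code from Hive or HIVE-29020: a strict RFC 9068 `typ` check beside a relaxed mode for tokens that omit `typ`. The `allow_missing_typ` switch, the function names and the sample tokens are hypothetical and constructed here; signature and claim validation are separate steps and out of scope.

```python
import base64
import json

# Media types RFC 9068 defines for JWT access tokens (compared case-insensitively).
RFC9068_TYPES = {"at+jwt", "application/at+jwt"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def read_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWS without verifying anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def typ_allowed(token: str, allow_missing_typ: bool = False) -> bool:
    """Apply only the header type check.

    allow_missing_typ is a hypothetical switch for IdPs that omit `typ`.
    An explicit but different `typ` is rejected in both modes.
    """
    typ = read_header(token).get("typ")
    if typ is None:
        return allow_missing_typ
    return isinstance(typ, str) and typ.lower() in RFC9068_TYPES


def make_token(header: dict) -> str:
    """Constructed sample: real header, placeholder payload and signature."""
    return ".".join([b64url(json.dumps(header).encode()), b64url(b"{}"), "sig"])


SAMPLES = {
    "rfc9068": make_token({"alg": "RS256", "kid": "k1", "typ": "at+jwt"}),
    "no_typ": make_token({"alg": "RS256", "kid": "k1"}),
    "other_typ": make_token({"alg": "RS256", "kid": "k1", "typ": "JWT"}),
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(name, typ_allowed(tok), typ_allowed(tok, allow_missing_typ=True))
```

In the relaxed mode the header no longer distinguishes an access token from any other JWT that lacks `typ`, so that distinction has to come from the remaining validation steps.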