[
https://issues.apache.org/jira/browse/HIVE-29276?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shohei Okumiya reassigned HIVE-29276:
-------------------------------------
Assignee: Shohei Okumiya
> Support major OAuth 2 Authorization Server implementation
> ---------------------------------------------------------
>
> Key: HIVE-29276
> URL: https://issues.apache.org/jira/browse/HIVE-29276
> Project: Hive
> Issue Type: Improvement
> Components: Iceberg integration, Standalone Metastore
> Reporter: Shohei Okumiya
> Assignee: Shohei Okumiya
> Priority: Major
>
> HIVE-29020 added OAuth 2 support based on the latest best practice, such as
> "RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens". Some
> real IdPs don't follow some of the new best practices. In this ticket, we
> will update the OAuth 2 configurations so that we can support major identity
> platforms, such as Microsoft Entra ID or Okta.
>
> For example, RFC 9068 recommends including `typ: at+jwt` in a JWT header so
> that a malicious user can't inject a JWT that is not for OAuth 2 protected
> resources. However, Okta's access tokens don't always have the type parameter
> and there is no tuning knob to add it.
> https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#id-token-header
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
