flyrain opened a new issue, #479: URL: https://github.com/apache/iceberg-python/issues/479
### Feature Request / Improvement

[OAuth Audience](https://www.ory.sh/docs/hydra/guides/audiences) helps to prevent unauthorized access to resources. When a resource server receives a token, it can validate that the token was indeed issued for it by checking the audience claim. If the audience claim does not match the identifier of the resource server, the token should be rejected. This prevents a situation where a token intended for one service is misused to access another.

For example, the following request will get back a token with audience `rest-catalog`, so that the token will not be misused by other services. Other services can reject it by checking its audience.

```
curl --request POST \
  --url https://xxx/oauth2/token \
  --header 'Authorization: Basic xxx' \
  --header 'content-type: multipart/form-data' \
  --form grant_type=client_credentials \
  --form audience=rest-catalog
```

I'd suggest making it configurable. We will need the same change for the Java client.

cc @Fokko @danielcweeks @syun64 @RussellSpitzer @himadripal

Related RFC: https://datatracker.ietf.org/doc/html/rfc8693#name-token-exchange-request-and-
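The audience check described in this issue, as an added example that is not part of the original post and is not pyiceberg code: a stand-in token issuer and a resource-server validator that rejects a token whose `aud` does not name it. HS256 with a shared key is an assumption made to keep the example dependency-free; the key, the `sub` value, the function names and the `billing-service` audience used when exercising it are constructed.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed shared secret, demo only

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def mint_token(audience, key=KEY, ttl=300):
    """Stand-in for the token endpoint: HS256 JWT whose aud is `audience`."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": "client-1", "aud": audience,
                              "exp": int(time.time()) + ttl}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{_b64(_sign(signing_input, key))}"

def validate_token(token, expected_audience, key=KEY):
    """Resource-server side: verify signature and expiry, then the audience."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header, claims = json.loads(_unb64(header_b64)), json.loads(_unb64(claims_b64))
        sig = _unb64(sig_b64)
    except ValueError:
        raise PermissionError("malformed token")
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # the verifier, not the token, picks the algorithm
        raise PermissionError("unexpected alg")
    if not hmac.compare_digest(sig, _sign(f"{header_b64}.{claims_b64}", key)):
        raise PermissionError("bad signature")
    if claims.get("exp", 0) <= time.time():
        raise PermissionError("expired")
    aud = claims.get("aud")
    # RFC 7519: aud is one string or an array of strings; absent means no match
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if expected_audience not in audiences:
        raise PermissionError(f"audience {audiences!r} does not include {expected_audience!r}")
    return claims

def accepts(token, expected_audience):
    try:
        return bool(validate_token(token, expected_audience))
    except PermissionError:
        return False
```

A token with no `aud` claim is rejected rather than treated as valid for every service, which is the case a configurable audience on the client is meant to avoid.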