adutra commented on issue #12363: URL: https://github.com/apache/iceberg/issues/12363#issuecomment-2676279732
@c-thiel about this part of your comment:

> The second half of the problem is that Keycloak didn't implement the token exchange flow according to the RFC. Iceberg did. Iceberg uses the actor_token and actor_token_type fields to authenticate the exchange while Keycloak expects client_id and client_secret.

So, here, I'm not sure I agree with you. Reading [RFC 8693 section 2.1](https://datatracker.ietf.org/doc/html/rfc8693/#section-2.1):

> Client authentication to the authorization server is done using the normal mechanisms provided by OAuth 2.0. [Section 2.3.1](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) of [[RFC6749](https://datatracker.ietf.org/doc/html/rfc6749)] defines password-based authentication of the client, however, client authentication is extensible and other mechanisms are possible.

So my understanding is that token exchange is no different from other flows defined in RFC 6749 wrt client authentication. In particular, the actor token is NOT meant to represent the client, but rather:

> A security token that represents the identity of the acting party. Typically, this will be the party that is authorized to use the requested security token and act on behalf of the subject.

So, in my opinion, Keycloak is rather correct here. It's Iceberg that is doing a malformed token exchange request.

FYI Keycloak still considers token exchange in preview state. They have been collecting use cases for quite a while now under this issue, which is worth reading: https://github.com/keycloak/keycloak/discussions/26502

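An added example (not code from the Iceberg or Keycloak projects, and not part of the comment above) showing the distinction the comment draws: an RFC 8693 token exchange request in which the client authenticates with `client_id`/`client_secret` per RFC 6749 section 2.3.1 (HTTP Basic), while `actor_token` and `actor_token_type` are ordinary form fields describing the acting party. The second function checks a request the way a conforming authorization server would, and never treats an `actor_token` as client authentication. Client credentials, token strings and the endpoint are constructed placeholders.

```python
"""RFC 8693 token exchange: client authentication (RFC 6749 2.3.1) is separate
from the actor_token/actor_token_type fields. Added example with constructed
placeholder values; no real endpoint or credentials are involved."""
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_ENDPOINT = "https://as.example/realms/demo/protocol/openid-connect/token"  # placeholder


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: client_id and client_secret, each form-url-encoded,
    joined with ':' and sent as an HTTP Basic Authorization header."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def client_id_from_basic(header: str) -> str:
    """Recover the client_id from a Basic header (what the AS does before checking the secret)."""
    raw = base64.b64decode(header[len("Basic "):]).decode("utf-8")
    return unquote(raw.split(":", 1)[0])


def build_token_exchange_request(client_id, client_secret, subject_token,
                                 actor_token=None, scope=None) -> dict:
    """Headers and form body for a token exchange. Passing client_secret=None
    omits client authentication entirely, which a conforming AS rejects."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
    }
    if actor_token is not None:
        # RFC 8693 section 2.1: actor_token_type is REQUIRED whenever actor_token is sent.
        params["actor_token"] = actor_token
        params["actor_token_type"] = ACCESS_TOKEN_TYPE
    if scope:
        params["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    return {"url": TOKEN_ENDPOINT, "headers": headers, "body": urlencode(params)}


def classify_request(headers: dict, body: str) -> dict:
    """Inspect a token exchange request as a conforming AS would: how the client
    authenticated (if at all) and whether the actor fields are well formed.
    actor_token is a delegation claim about the acting party, not client auth."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        client_auth = "client_secret_basic"
    elif "client_id" in form and "client_secret" in form:
        client_auth = "client_secret_post"  # RFC 6749 2.3.1, credentials in the body
    else:
        client_auth = None  # the AS answers invalid_client, regardless of actor_token
    has_actor = "actor_token" in form
    return {
        "grant_ok": form.get("grant_type") == TOKEN_EXCHANGE_GRANT,
        "client_auth": client_auth,
        "actor_token_present": has_actor,
        "actor_token_type_ok": (not has_actor) or ("actor_token_type" in form),
    }


if __name__ == "__main__":
    ok = build_token_exchange_request("svc-client", "s3cr3t", "subj.tok", actor_token="actor.tok")
    print(classify_request(ok["headers"], ok["body"]))
    bad = build_token_exchange_request("svc-client", None, "subj.tok", actor_token="actor.tok")
    print(classify_request(bad["headers"], bad["body"]))
```

The second request in the usage block carries a well-formed `actor_token` pair but no client credentials; `classify_request` reports `client_auth` as `None`, which is the shape of request the comment calls malformed and which an authorization server answering per RFC 6749 rejects with `invalid_client`.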