adutra opened a new pull request, #15704: URL: https://github.com/apache/iceberg/pull/15704
**Do not review this PR unless you are curious to get an early preview of Auth Manager v2 :-)**

This PR encompasses the full scope of the AuthManager v2 effort, except support for human-to-machine grants (Authorization Code and Device Code), which will be introduced in a subsequent update. Cf. Auth Manager v2 [design document].

The goal is to provide a complete overview of the planned changes for the curious reader. This PR is not meant to be merged as-is: smaller, incremental PRs will be opened later to introduce these changes gradually.

**Key features of the new implementation:**

- **Standards-compliant OAuth2/OIDC support** with proper client authentication methods (`client_secret_basic`, `client_secret_post`, `none`)
- **OpenID Connect Discovery** for automatic endpoint resolution via `issuer-url`
- **Token Exchange** support (RFC 8693) and **Refresh Token** flows
- **Custom token endpoint parameters** (e.g. Auth0 `audience` via `rest.auth.oauth2.extra-params.*`)
- **Automatic background token refresh**
- **Automatic migration** of legacy property names with deprecation warnings at runtime

**Architecture:**

- `oauth2/` — Core classes: `OAuth2Manager`, `OAuth2Session`, `OAuth2Runtime`, `OAuth2Config`
- `oauth2/config/` — Configuration model: `BasicConfig`, `TokenExchangeConfig`, `TokenRefreshConfig`, `ConfigMigrator`, `ConfigValidator`
- `oauth2/flow/` — OAuth2 grant flows: `ClientCredentialsFlow`, `RefreshTokenFlow`, `TokenExchangeFlow`, `EndpointProvider`
- `oauth2/client/` — Low-level `OAuth2Client` for HTTP token requests
- `oauth2/http/` — `RESTClientAdapter` bridging Iceberg's `RESTClient` to the OAuth2 client

**Deprecations:**

- `org.apache.iceberg.rest.auth.OAuth2Manager` — deprecated, removal planned for 1.14.0
- `org.apache.iceberg.rest.auth.OAuth2Properties` — deprecated in favor of `OAuth2Config`
- `org.apache.iceberg.rest.auth.OAuth2Util` — deprecated in favor of the new `OAuth2Manager`

Other deprecations affect the REST layer (error handlers, etc.).

**Docs:** Adds an OAuth2 configuration reference page (auto-generated from code) and a migration guide.

**Tests:** ~11,000 lines of new tests including unit tests for all components with MockServer, and Keycloak-based integration tests.

[design document]: https://docs.google.com/document/d/1Hxw-t8Maa7wZFmrlSujm7LRawKsFP3Q31tET_3aRnQU/edit

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
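For readers comparing the three client authentication methods named in the description, the following is an added, protocol-level example of how each one shapes a token endpoint request under RFC 6749 and RFC 8693. It is not code from this PR or from Iceberg; all function names are hypothetical and the client ids, secrets and audience URL are constructed sample values.

```python
import base64
from urllib.parse import quote_plus, urlencode

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
RESERVED = {"grant_type", "client_id", "client_secret"}


def basic_header(client_id, client_secret):
    # RFC 6749 section 2.3.1: form-urlencode each part first, then join with ":"
    # and base64-encode, so ":" or spaces in either value cannot shift the split.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def client_credentials(scope):
    return {"grant_type": "client_credentials", "scope": scope}


def token_exchange(subject_token):
    # RFC 8693 section 2.1: subject_token and subject_token_type are required.
    return {"grant_type": TOKEN_EXCHANGE, "subject_token": subject_token,
            "subject_token_type": ACCESS_TOKEN}


def token_request(grant, auth_method, client_id, client_secret=None, extra=None):
    """Return (headers, body) for a POST to the token endpoint."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = dict(grant)
    if auth_method in ("client_secret_basic", "client_secret_post"):
        if not client_secret:
            raise ValueError(f"{auth_method} requires a client secret")
        if auth_method == "client_secret_basic":
            headers["Authorization"] = basic_header(client_id, client_secret)
        else:
            form.update(client_id=client_id, client_secret=client_secret)
    elif auth_method == "none":
        if client_secret is not None:
            raise ValueError("a public client must not send a secret")
        form["client_id"] = client_id
    else:
        raise ValueError(f"unsupported client authentication method: {auth_method}")
    for key, value in (extra or {}).items():
        # Extra parameters (e.g. Auth0 "audience") must not replace protocol fields.
        if key in RESERVED or key in form:
            raise ValueError(f"extra parameter collides with {key}")
        form[key] = value
    return headers, urlencode(form)
```

With `client_secret_basic` the secret travels only in the `Authorization` header, with `client_secret_post` only in the form body, and with `none` only `client_id` is sent.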
