adutra commented on code in PR #15703:
URL: https://github.com/apache/iceberg/pull/15703#discussion_r3269844242


##########
core/src/main/java/org/apache/iceberg/rest/auth/oauth2/BasicConfig.java:
##########
@@ -0,0 +1,284 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iceberg.rest.auth.oauth2.config;
+
+import com.nimbusds.oauth2.sdk.GrantType;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.Secret;
+import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.AccessToken;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import java.net.URI;
+import java.time.Duration;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+import org.apache.iceberg.rest.RESTUtil;
+import org.apache.iceberg.rest.auth.oauth2.OAuth2Config;
+import org.immutables.value.Value;
+
+/**
+ * Basic OAuth2 properties. These properties are used to configure the basic 
OAuth2 options such as
+ * the issuer URL, token endpoint, client ID, and client secret.
+ */
[email protected]
[email protected](redactedMask = "****")
+@SuppressWarnings({"ImmutablesStyle", "SafeLoggingPropagation"})
+public interface BasicConfig {
+
+  String PREFIX = OAuth2Config.PREFIX;
+
+  String TOKEN = PREFIX + "token";
+  String ISSUER_URL = PREFIX + "issuer-url";
+  String TOKEN_ENDPOINT = PREFIX + "token-endpoint";
+  String GRANT_TYPE = PREFIX + "grant-type";
+  String CLIENT_ID = PREFIX + "client-id";
+  String CLIENT_AUTH = PREFIX + "client-auth";
+  String CLIENT_SECRET = PREFIX + "client-secret";
+  String SCOPE = PREFIX + "scope";
+  String EXTRA_PARAMS = PREFIX + "extra-params";
+  String SESSION_CACHE_TIMEOUT = PREFIX + "session-cache.timeout";
+
+  GrantType DEFAULT_GRANT_TYPE = GrantType.CLIENT_CREDENTIALS;
+  ClientAuthenticationMethod DEFAULT_CLIENT_AUTH = 
ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
+  Duration DEFAULT_SESSION_CACHE_TIMEOUT = Duration.parse("PT1H");
+
+  /**
+   * The initial access token to use. Optional. If this is set, the OAuth2 
client will not attempt
+   * to fetch an initial token from the Authorization server, but will use 
this token instead.
+   *
+   * <p>This option should be avoided as in most cases, the token cannot be 
refreshed.
+   */
+  @Value.Redacted
+  Optional<AccessToken> token();
+
+  /**
+   * The root URL of the Authorization server, which will be used for 
discovering supported
+   * endpoints and their locations. For Keycloak, this is typically the realm 
URL: {@code
+   * https://<keycloak-server>/realms/<realm-name>}.
+   *
+   * <p>Two "well-known" paths are supported for endpoint discovery: {@code
+   * .well-known/openid-configuration} and {@code 
.well-known/oauth-authorization-server}. The full
+   * metadata discovery URL will be constructed by appending these paths to 
the issuer URL.
+   *
+   * <p>Unless a {@linkplain #TOKEN static token} is provided, either this 
property or {@link
+   * #TOKEN_ENDPOINT} must be set.
+   *
+   * @see <a
+   *     
href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata";>OpenID
+   *     Connect Discovery 1.0</a>
+   * @see <a href="https://tools.ietf.org/html/rfc8414#section-5";>RFC 8414 
Section 5</a>
+   */
+  Optional<URI> issuerUrl();
+
+  /**
+   * URL of the OAuth2 token endpoint. For Keycloak, this is typically {@code
+   * 
https://<keycloak-server>/realms/<realm-name>/protocol/openid-connect/token}.
+   *
+   * <p>Unless a {@linkplain #TOKEN static token} is provided, either this 
property or {@link
+   * #ISSUER_URL} must be set. In case it is not set, the token endpoint will 
be discovered from the
+   * {@link #ISSUER_URL issuer URL}, using the OpenID Connect Discovery 
metadata published by the
+   * issuer.
+   */
+  Optional<URI> tokenEndpoint();
+
+  /**
+   * The grant type to use when authenticating against the OAuth2 server. 
Valid values are:
+   *
+   * <ul>
+   *   <li>{@link GrantType#CLIENT_CREDENTIALS client_credentials}
+   *   <li>{@link GrantType#TOKEN_EXCHANGE 
urn:ietf:params:oauth:grant-type:token-exchange}
+   * </ul>
+   *
+   * Optional, defaults to {@link #DEFAULT_GRANT_TYPE}.

Review Comment:
   FYI I revisited some of the method javadocs and removed the word "optional" 
when it was misleading. Let me know if that's better.


