ebyhr commented on code in PR #17148:
URL: https://github.com/apache/iceberg/pull/17148#discussion_r3568964311
##########
core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java:
##########
@@ -657,10 +658,14 @@ public static AuthSession fromCredential(
String credential,
AuthSession parent) {
long startTimeMillis = System.currentTimeMillis();
+ Map<String, String> headers =
+ parent.config().skipInheritedAuthHeaderInTokenRequest()
+ ? Maps.filterKeys(parent.headers(), key ->
!AUTHORIZATION_HEADER.equals(key))
Review Comment:
nit: We could use `equalsIgnoreCase` just in case. Future code could add
Authorization header with different casing.
##########
core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Properties.java:
##########
@@ -64,6 +64,16 @@ private OAuth2Properties() {}
/** Optional param resource for OAuth2. */
public static final String RESOURCE = "resource";
+ /**
+ * When enabled, the Authorization header inherited from the parent session
is not forwarded when
+ * fetching a new token via the client credentials flow. This prevents
strict identity providers
+ * from rejecting the token request due to using multiple authentication
methods.
+ */
+ public static final String SKIP_INHERITED_AUTH_HEADER_IN_TOKEN_REQUEST =
+ "skip-inherited-auth-header-in-token-request";
Review Comment:
Can we add this property to `OAuth2 auth properties` in
https://github.com/apache/iceberg/blob/main/docs/docs/catalog-properties.md?
##########
core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java:
##########
Review Comment:
This line also passes `parent.headers()` directly. Is it an oversight or
intentional?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]