adutra commented on code in PR #17148:
URL: https://github.com/apache/iceberg/pull/17148#discussion_r3603659585


##########
core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java:
##########


Review Comment:
   I would NOT change this line. 
   
   Here we are exchanging a catalog-vended OAuth2 token against another OAuth2 
token.
   
   The problem is that this token exchange is not a standard OAuth2 flow, 
because the request does not contain a client ID and a client authentication 
method.
   
   As a consequence, the only way to identify the client issuing the request is 
to include an `Authorization` header containing the parent session's current 
token. This isn't OAuth2-compliant, of course, but that's how it was designed.
   
   If you remove that header, catalog servers that understand this non-standard 
token exchange would be unable to authenticate the client and would return an 
error.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to