adutra commented on code in PR #17148: URL: https://github.com/apache/iceberg/pull/17148#discussion_r3603659585
########## core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java: ########## Review Comment: I would NOT change this line. Here we are exchanging a catalog-vended OAuth2 token against another OAuth2 token. The problem is that this token exchange is not a standard OAuth2 flow, because the request does not contain a client ID and a client authentication method. As a consequence, the only way to identify the client issuing the request is to include an `Authorization` header containing the parent session's current token. This isn't OAuth2-compliant, of course, but that's how it was designed. If you remove that header, catalog servers that understand this non-standard token exchange would be unable to authenticate the client and would return an error. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
