rdblue commented on code in PR #4771:
URL: https://github.com/apache/iceberg/pull/4771#discussion_r874114263


##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -1435,12 +1463,102 @@ components:
           additionalProperties:
             type: string
 
+    OAuthTokenRequest:
+      description:
+        OAuth2 client credentials or token exchange request
+
+
+        See -
+
+        - Client credentials flow - 
https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
+
+        - Token exchange flow - https://datatracker.ietf.org/doc/html/rfc8693
+      type: object
+      required:
+        - grant_type
+      properties:
+        grant_type:
+          type: string
+          enum:
+            - client_credentials
+            - urn:ietf:params:oauth:grant-type:token-exchange
+        client_id:
+          type: string
+          description:
+            Client ID for client credentials flow.
+
+
+            This can be sent in the request body, but OAuth2 recomments 
sending it in
+            a Basic Authorization header.
+        client_secret:
+          type: string
+          description:
+            Client secret for client credentials flow.
+
+
+            This can be sent in the request body, but OAuth2 recomments 
sending it in
+            a Basic Authorization header.
+        subject_token:
+          type: string
+          description: Subject token for token exchange request
+        subject_token_type:
+          type: string
+          description: Subject token type for token exchange request
+        scope:
+          type: string
 
   #############################
   # Reusable Response Objects #
   #############################
   responses:
 
+    OAuthTokenResponse:
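
Review bot: `OAuthTokenRequest` lists only `grant_type` under `required`, so a request with `grant_type: urn:ietf:params:oauth:grant-type:token-exchange` and no `subject_token` or `subject_token_type` still validates, although RFC 8693 section 2.1 marks both parameters as REQUIRED for that grant. Either model the two grants as separate schemas combined with `oneOf`, or at least state in the `subject_token` and `subject_token_type` descriptions that they are required for token exchange, so server implementations reject incomplete requests consistently. Two smaller points in the same hunk: `scope` has no `description`, and "recomments" in the `client_id` and `client_secret` descriptions should read "recommends".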

Review Comment:
   It's a superset of the fields in section 5.1 so that we can use it for both 
the client credentials and token exchange flows.
   
   I just double-checked and it looks like the main problem is that 
`issued_token_type` is marked as required, even though it won't be present for 
client credentials. Is that what you were referring to? I'll make sure that 
only the fields that are required in both are actually required here. I'll also 
update each of these with a description so it is clear when they can or should 
be set.
   
   Do you know when `token_type` and `issued_token_type` would both be used for 
token exchange? `issued_token_type` makes sense to me, but I'm not sure why 
`token_type` wouldn't simply be the one that was issued.


