Description
Apache Iceberg version
1.9.1 (latest release)
Query engine
Trino
Please describe the bug 🐞
Hi,
while trying to integrate Trino into the analytic stack at the company I work at, I noticed there seems to be a faulty implementation of the client credentials OAuth2 flow. We use CAS for OpenID Connect: https://apereo.github.io/cas/7.2.x/index.html
The client MUST NOT use more than one authentication method in each request.
However, when debugging Trino I noticed that the Iceberg library calls OAuth2Manager#newSessionFromCredential, which sends a request to /token with the parent session headers, which have Authorization set with a Bearer token. CAS treats such a request as a Bad request, making Trino unusable with Iceberg with OAuth2 enabled. Maybe other OIDC providers don't follow this spec. CAS only accepts requests to /token with Authorization: Basic or without an Authorization header at all.
Trino doesn't do anything other than calling RESTSessionCatalog#listNamespaces(Session.SessionContext, Namespace), for example.
Tested on Trino 474, 475 and 476.
I'm not fluent with the Iceberg codebase, but maybe adding code that would remove the Authorization: Bearer xxx header in the OAuth2Manager#newSessionFromCredential method would work.
Willingness to contribute
- I can contribute a fix for this bug independently
- I would be willing to contribute a fix for this bug with guidance from the Iceberg community
- I cannot contribute a fix for this bug at this time
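
The header handling proposed in the report, as an added example that is not part of the original issue and is not Iceberg's code: it drops any inherited Authorization header before attaching client credentials, and checks the result against the acceptance rule the report describes for CAS. The class, method names and sample header values are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class TokenRequestHeaders {

  // Hypothetical helper, not an Iceberg API: build the headers for a
  // client_credentials request to /token from the parent session's headers.
  static Map<String, String> forClientCredentials(
      Map<String, String> parentHeaders, String clientId, String clientSecret) {
    Map<String, String> headers = new LinkedHashMap<>();
    for (Map.Entry<String, String> e : parentHeaders.entrySet()) {
      // Header names are case-insensitive; drop every inherited Authorization
      // value so the request carries exactly one authentication method.
      if (!"Authorization".equalsIgnoreCase(e.getKey())) {
        headers.put(e.getKey(), e.getValue());
      }
    }
    // Assumption: id and secret are plain ASCII. RFC 6749 section 2.3.1
    // form-encodes both values before the Base64 step.
    String pair = clientId + ":" + clientSecret;
    String basic = Base64.getEncoder()
        .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    headers.put("Authorization", "Basic " + basic);
    return headers;
  }

  // Mirrors the rule reported for CAS: /token accepts Authorization: Basic
  // or no Authorization header at all.
  static boolean acceptableForTokenEndpoint(Map<String, String> headers) {
    for (Map.Entry<String, String> e : headers.entrySet()) {
      if ("Authorization".equalsIgnoreCase(e.getKey())
          && !e.getValue().regionMatches(true, 0, "Basic ", 0, 6)) {
        return false;
      }
    }
    return true;
  }

  public static void main(String[] args) {
    // Constructed parent session headers, including a lower-case header name.
    Map<String, String> parent = new LinkedHashMap<>();
    parent.put("authorization", "Bearer constructed-parent-token");
    parent.put("X-Client-Version", "constructed-sample");
    Map<String, String> fixed =
        forClientCredentials(parent, "sample-client", "sample-secret");
    System.out.println("parent headers reused as-is: " + acceptableForTokenEndpoint(parent));
    System.out.println("after stripping Bearer:      " + acceptableForTokenEndpoint(fixed));
    System.out.println("headers sent to /token:      " + fixed.keySet());
  }
}
```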