Conversation
kevinjqliu left a comment
Generally LGTM, a few nit comments. Let's get #2055 merged and then rebase this PR.
Inline comment on the diff from `return self._token` through `class OAuth2AuthManager(AuthManager):`
Do we have any tests for LegacyOAuth2AuthManager? Do we want OAuth2AuthManager to have feature parity in this first release?

I don't see credential, resource, and audience.
Referencing iceberg-python/mkdocs/docs/configuration.md, lines 368 to 371 in 4cac691
We are using client_id and client_secret instead in the current implementation, as opposed to credential. This is also currently in draft mode, and I intend to review the OAuth2 spec a little bit more in depth and other industry-standard implementations before finalizing the implementation.
I researched the IETF RFCs on OAuth closely, and my understanding is that resource and audience parameters were introduced in subsequent RFCs as supplemental parameters. What do you think about merging this version of the OAuth2AuthManager that closely follows the initial RFC6749 and introducing those as followup PRs?
Makes sense! Thanks for looking into it.

I took the liberty to merge main :)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull Request Overview
This PR introduces a new OAuth2Manager implementation that more closely follows RFC6749 standards, replacing the legacy OAuth2 implementation. The new implementation includes proactive token refresh capabilities based on expiration times.
- Adds a new OAuth2AuthManager with RFC6749-compliant implementation
- Introduces thread-safe OAuth2TokenProvider for token management with automatic refresh
- Updates documentation to reflect the new oauth2 auth type and deprecates legacyoauth2
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pyiceberg/catalog/rest/auth.py | Implements OAuth2TokenProvider and OAuth2AuthManager classes with thread-safe token refresh |
| tests/catalog/test_rest.py | Adds integration test for the new oauth2 authentication type |
| mkdocs/docs/configuration.md | Updates documentation to include oauth2 configuration and marks legacyoauth2 as deprecated |
kevinjqliu left a comment
LGTM!
With this change,

```python
data = {
    "grant_type": "client_credentials"
}
```

I was able to verify locally with Microsoft Entra, which is also an OAuth2 provider :)
Co-authored-by: Kevin Liu <kevinjqliu@users.noreply.github.com>
Co-authored-by: Kevin Liu <kevinjqliu@users.noreply.github.com>
Merging this, I verified locally with an OAuth2 server. Thanks @sungwy for the PR! And thanks everyone for the review.
Rationale for this change
New OAuth2Manager implementation that makes use of AuthManager and more closely follows the https://datatracker.ietf.org/doc/html/rfc6749 recommendations. It injects the encoded secret into the `Basic` header sent to the authentication server, as recommended by the RFC, instead of injecting it into the request body, which is less secure. It proactively refreshes the access token by checking the expiration.
Are these changes tested?
Yes, both in unit and integration tests.
Are there any user-facing changes?
No, this is a new feature.
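The two properties the description claims (secret carried in an HTTP `Basic` header per RFC 6749 section 2.3.1 rather than in the form body, and refresh ahead of expiry from a thread-safe cache), together with the `grant_type: client_credentials` body shown in the review comment above, as an added example. This is illustrative code written for this page, not pyiceberg's OAuth2TokenProvider or OAuth2AuthManager; the class names, the injected `transport` callable, the refresh margin and the `FakeTokenEndpoint` are assumptions made so that it runs offline.

```python
"""Added example: RFC 6749 client-credentials token provider (not pyiceberg code)."""
import base64
import threading
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

# Assumed transport shape: (token_url, headers, form_fields) -> parsed JSON response.
Transport = Callable[[str, Dict[str, str], Dict[str, str]], dict]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 2.3.1: form-urlencode id and secret, join with ':', then base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def parse_basic_auth_header(header: str) -> Tuple[str, str]:
    """Inverse of basic_auth_header; used by the fake server to check credentials."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    cid, _, secret = base64.b64decode(payload).decode("ascii").partition(":")
    return unquote(cid), unquote(secret)


class ClientCredentialsTokenProvider:
    """Caches one client_credentials access token and refreshes it before expiry."""

    def __init__(self, token_url: str, client_id: str, client_secret: str,
                 transport: Transport, scope: Optional[str] = None,
                 refresh_margin_s: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._token_url = token_url
        self._auth_header = basic_auth_header(client_id, client_secret)
        self._transport = transport
        self._scope = scope
        self._margin = refresh_margin_s
        self._clock = clock
        self._lock = threading.Lock()
        self._token: Optional[str] = None
        self._refresh_at = 0.0  # clock() value at which a new token is fetched

    def token(self) -> str:
        # One lock around check-and-fetch: concurrent callers cannot trigger two
        # refreshes, and nobody sees a half-updated token/deadline pair.
        with self._lock:
            if self._token is None or self._clock() >= self._refresh_at:
                self._fetch()
            return self._token

    def _fetch(self) -> None:
        headers = {"Authorization": self._auth_header,
                   "Content-Type": "application/x-www-form-urlencoded"}
        fields = {"grant_type": "client_credentials"}  # secret is NOT in the body
        if self._scope:
            fields["scope"] = self._scope
        resp = self._transport(self._token_url, headers, fields)
        if "error" in resp or not resp.get("access_token"):
            raise RuntimeError(f"token request failed: {resp.get('error', 'no access_token')}")
        if str(resp.get("token_type", "")).lower() != "bearer":
            raise RuntimeError(f"unsupported token_type {resp.get('token_type')!r}")
        expires_in = resp.get("expires_in")
        if expires_in is None:
            # RFC 6749 5.1 only says the server SHOULD send expires_in; without it
            # there is nothing to refresh against, so keep the token until replaced.
            self._refresh_at = float("inf")
        else:
            # Refresh `margin` seconds early, but never more than half the lifetime
            # early, so a short-lived token does not refetch on every call.
            margin = min(self._margin, float(expires_in) / 2)
            self._refresh_at = self._clock() + float(expires_in) - margin
        self._token = resp["access_token"]


def tokens_from_threads(provider: ClientCredentialsTokenProvider, n: int = 8) -> set:
    """Call provider.token() from n threads at once; returns the distinct tokens seen."""
    seen: List[str] = []
    threads = [threading.Thread(target=lambda: seen.append(provider.token())) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return set(seen)


class FakeTokenEndpoint:
    """Constructed stand-in for an authorization server's token endpoint."""

    def __init__(self, client_id: str, client_secret: str, expires_in: int) -> None:
        self._creds = (client_id, client_secret)
        self._expires_in = expires_in
        self.calls: List[dict] = []

    def __call__(self, url: str, headers: Dict[str, str], fields: Dict[str, str]) -> dict:
        self.calls.append({"url": url, "headers": headers, "fields": fields})
        try:
            ok = parse_basic_auth_header(headers.get("Authorization", "")) == self._creds
        except ValueError:
            ok = False
        if not ok or fields.get("grant_type") != "client_credentials":
            return {"error": "invalid_client"}
        return {"access_token": f"tok-{len(self.calls)}", "token_type": "Bearer",
                "expires_in": self._expires_in}
```

The fake endpoint only accepts credentials from the `Authorization` header, so a provider that put `client_secret` in the form body would be rejected with `invalid_client`; the injected `clock` lets the refresh deadline be exercised deterministically.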