feat(rest): add OAuth2 token refresh #801
Open
lovromazgon wants to merge 3 commits into apache:main from
Conversation
Rework the REST catalog OAuth2 auth to cache tokens and refresh them lazily before expiry, avoiding failed requests due to stale tokens. The refresh chain follows the Iceberg REST spec: token exchange → exchange with Basic auth → refresh_token grant → client_credentials. Auth failures (401/403/419) trigger a forced refresh and single retry that re-applies headers and re-signs SigV4 requests. Add WithAudience and WithResource catalog options, sent on token exchange requests per the spec.
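The caching, lazy-refresh and single-retry behaviour described above, written out as an added Go example; this is not code from the PR or from iceberg-go, and the names authManager, retryTransport, grant and leeway are assumptions rather than the PR's identifiers (the AuthHeader/RefreshAuth methods echo the interface names discussed in the review but use simplified signatures). The refresh chain is modelled as an ordered list of grant functions so that the four grant types from the spec (token exchange, exchange with Basic auth, refresh_token, client_credentials) slot in as entries; the clock is injectable so the "refresh before expiry" window can be checked without waiting.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"sync"
	"time"
)

type token struct {
	value  string
	expiry time.Time
}

// grant is one step of the refresh chain; on error the next step is tried.
type grant func(ctx context.Context) (token, error)

// authManager caches one token and refreshes it lazily by walking its chain in order.
type authManager struct {
	mu     sync.Mutex
	now    func() time.Time
	leeway time.Duration // refresh this long before the recorded expiry
	chain  []grant
	cached *token
}

// AuthHeader returns the Authorization value, refreshing first if the token is missing or near expiry.
func (m *authManager) AuthHeader(ctx context.Context) (string, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.cached == nil || !m.now().Add(m.leeway).Before(m.cached.expiry) {
		if err := m.refreshLocked(ctx); err != nil {
			return "", err
		}
	}
	return "Bearer " + m.cached.value, nil
}

// RefreshAuth drops the cached token and fetches a new one unconditionally.
func (m *authManager) RefreshAuth(ctx context.Context) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.cached = nil
	return m.refreshLocked(ctx)
}

// refreshLocked walks the grant chain (first success wins); the caller must hold m.mu.
func (m *authManager) refreshLocked(ctx context.Context) error {
	var last error
	for _, g := range m.chain {
		t, err := g(ctx)
		if err == nil {
			m.cached = &t
			return nil
		}
		last = err
	}
	return fmt.Errorf("every grant failed, last error: %w", last)
}

// retryTransport sets the header and, on 401/403/419, forces one refresh and retries exactly once.
type retryTransport struct {
	auth *authManager
	next http.RoundTripper
}

func isAuthFailure(code int) bool {
	return code == http.StatusUnauthorized || code == http.StatusForbidden || code == 419
}

func (t *retryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	hdr, err := t.auth.AuthHeader(req.Context())
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", hdr)
	resp, err := t.next.RoundTrip(req)
	if err != nil || !isAuthFailure(resp.StatusCode) {
		return resp, err
	}
	if resp.Body != nil {
		resp.Body.Close() // discard the rejected response before retrying
	}
	if err := t.auth.RefreshAuth(req.Context()); err != nil {
		return nil, err
	}
	if hdr, err = t.auth.AuthHeader(req.Context()); err != nil {
		return nil, err
	}
	retry := req.Clone(req.Context()) // real transports expect a fresh request
	retry.Header.Set("Authorization", hdr)
	return t.next.RoundTrip(retry) // a second rejection is returned as-is, never retried again
}
```

Two details matter for a transport like this: the rejected response body is closed before the retry so the underlying connection can be reused, and a second rejection is handed back to the caller rather than looped, which bounds the load on the token endpoint to one extra round trip per failed call. The file is a drop-in for a `package main`; wire `retryTransport` into an `http.Client` as its `Transport` and supply real grant functions for the chain.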
lovromazgon commented Mar 18, 2026
Comment on lines +44 to +58
type AuthHeaderContext interface {
	AuthHeaderCtx(ctx context.Context) (string, string, error)
}

// AuthRefresher is an optional interface that an AuthManager may implement
// to support refreshing credentials when authentication fails. When the
// session transport receives a 401, 403, or 419 response and the auth
// manager implements this interface, it will call RefreshAuth and retry
// the request once with the new credentials.
type AuthRefresher interface {
	// RefreshAuth forces a credential refresh, discarding any cached
	// tokens. After a successful refresh, AuthHeader will return the
	// new credentials.
	RefreshAuth(ctx context.Context) error
}
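Review bot: The AuthRefresher doc comment treats a 403 the same as a 401 or 419, but a 403 normally means the credential was accepted and the principal simply lacks permission, so the forced refresh and retry will usually be rejected again and cost an extra token-endpoint round trip for every denied call; consider limiting the trigger to 401 and 419, or stating in the comment why 403 is included.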
Contributor
Author
Note that the AuthHeaderContext and AuthRefresher interfaces were added simply to keep AuthManager backward compatible. However, if the maintainers are open to changing AuthManager I could collapse the other interfaces into it and simplify the code a bit.
Contributor
Author
@rockwotj oh man, that's what I get for not opening an issue first and coordinating. It's the end of my day so I can have a look at the other PRs tomorrow to see how my changes fit in, if at all.