# Replace Deprecated (Current) OAuth2 Handling with AuthManager Implementation `LegacyOAuth2AuthManager` #1981

Merged: Fokko merged 5 commits into apache:main (May 16, 2025)

## Conversation
**Fokko** approved these changes (May 12, 2025). Comment on lines +623 to +624:

```python
# LegacyOAuth2AuthManager is created twice through `_create_session()`
# which results in the token being refreshed twice when the RestCatalog is initialized.
```
**sungwy** (Collaborator, Author):

@Fokko Yeah I thought about this and this is my thought process for giving up on fixing this:

- This is the current behavior of the OAuth2 based token exchange workflow, where `_create_session()` is called during `__init__()` and `_fetch_config()`. I think this is inherently okay, but the behavior of the current token fetcher is to refresh the token when `_create_session()` is called. In the future, we'd want to have an OAuth2AuthManager that refreshes the token through a background thread, and does this proactively by keeping track of the token expiration.
- The reason this specific test seemingly behaved correctly before is because of an unfortunate bug, where if the TOKEN and CLIENT_CREDENTIAL are both defined, `_create_session` doesn't fetch the token using the CLIENT_CREDENTIAL in the above two calls, but fetches the token using CLIENT_CREDENTIAL on retry - notice that the input parameter of the retry hook is missing the TOKEN value.
- Given that the current method of fetching tokens, `LegacyOAuth2AuthManager`, will be deprecated, I thought it would be okay to try to improve this behavior.
**Contributor:**

Got it, thanks for the clarification. Sounds good to change this until the LegacyManager will be deprecated 👍
**Contributor:**

Looks good @sungwy, left some small comments, but looks great 🙌
**Contributor:**

Thanks @sungwy for driving this 🚀
amitgilad3 pushed a commit to amitgilad3/iceberg-python that referenced this pull request (Jul 7, 2025):
…ntation `LegacyOAuth2AuthManager` (apache#1981)
gabeiglio pushed a commit to Netflix/iceberg-python that referenced this pull request (Aug 13, 2025):
…ntation `LegacyOAuth2AuthManager` (apache#1981)
## Pull request description

# Rationale for this change

Replace existing Auth handling with `LegacyOAuth2AuthManager`. Tracking issue: #1909

There will be follow up PRs to this PR that will address the following:

- introduce a mechanism for using a custom `AuthManager` implementation, along with the ability to use a set of config parameters
- introduce a `OAuth2AuthManager` that more closely follows the OAuth2 protocol, and also uses a separate thread to proactively refresh the token, rather than reactively refreshing the token on `UnAuthorizedError` or the deprecated `AuthorizationExpiredError`.

# Are these changes tested?

Yes, both through unit and integration tests

# Are there any user-facing changes?

Yes - previously, if `TOKEN` and `CREDENTIAL` are both defined, the `oauth/tokens` endpoint wouldn't be used to refresh the token with client credentials when the `RestCatalog` was initialized. However, the `oauth/tokens` endpoint would be used on retries that handled a 401 or 419 error.

This erratic behavior will now be updated as follows:

- if `CREDENTIAL` is defined, the `oauth/tokens` endpoint will be used to fetch the access token using the client credentials both when the RestCatalog is initialized, and when the refresh_tokens call is made as a reaction to a 401 or 419 error.
- if both `CREDENTIAL` and `TOKEN` are defined, we will follow the above behavior.
- if only `TOKEN` is defined, the initial token will be used instead
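The three configurations above, and the reactive refresh-on-401/419 that the review thread discusses, as an added Python sketch. This is not pyiceberg's code and not the `LegacyOAuth2AuthManager` itself: the class names (`ClientCredentialsAuthManager`, `FakeTokenEndpoint`, `FakeCatalogServer`), the `"id:secret"` credential format and the in-memory token endpoint are assumptions made for the example, so it runs offline with no real catalog.

```python
"""Added example, not pyiceberg's code: CREDENTIAL/TOKEN precedence plus reactive
refresh on 401/419 as laid out in the PR description. All names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

UNAUTHORIZED = 401
AUTH_EXPIRED = 419  # the status behind the deprecated AuthorizationExpiredError


@dataclass
class FakeTokenEndpoint:
    """Stand-in for the catalog's oauth/tokens endpoint (constructed for this example)."""
    clients: Dict[str, str]                         # client_id -> client_secret
    issued: List[str] = field(default_factory=list)  # every access token handed out

    def client_credentials(self, client_id: str, client_secret: str) -> str:
        # Reject unknown or mismatched credentials instead of issuing a token.
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid_client")
        token = f"access-token-{len(self.issued) + 1}"
        self.issued.append(token)
        return token


@dataclass
class FakeCatalogServer:
    """Stand-in for a catalog route that validates bearer tokens (constructed)."""
    endpoint: FakeTokenEndpoint
    static_tokens: Set[str] = field(default_factory=set)  # tokens provisioned out of band
    revoked: Set[str] = field(default_factory=set)

    def handle(self, headers: Dict[str, str]) -> Tuple[int, str]:
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token in self.revoked:
            return AUTH_EXPIRED, "token expired"
        if token not in self.endpoint.issued and token not in self.static_tokens:
            return UNAUTHORIZED, "unknown token"
        return 200, "ok"


class ClientCredentialsAuthManager:
    """Hypothetical manager: CREDENTIAL wins over TOKEN, exchanged at init and on refresh."""

    def __init__(self, endpoint: FakeTokenEndpoint, credential: Optional[str] = None,
                 token: Optional[str] = None) -> None:
        if credential is None and token is None:
            raise ValueError("either CREDENTIAL or TOKEN must be configured")
        self._endpoint, self._credential, self._token = endpoint, credential, token
        self.refreshes = 0
        # With CREDENTIAL set, fetch an access token at init; a configured TOKEN is never sent.
        if credential is not None:
            self._token = self._exchange()

    def _exchange(self) -> str:
        client_id, client_secret = self._credential.split(":", 1)  # assumed "id:secret" form
        return self._endpoint.client_credentials(client_id, client_secret)

    @property
    def token(self) -> str:
        return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self._token}"}

    def refresh_token(self) -> bool:
        # With only TOKEN there is nothing to exchange, so a 401/419 cannot be recovered here.
        if self._credential is None:
            return False
        self._token = self._exchange()
        self.refreshes += 1
        return True


def call_with_retry(manager: ClientCredentialsAuthManager,
                    request: Callable[[Dict[str, str]], Tuple[int, str]]) -> Tuple[int, str]:
    """Reactive refresh: on 401/419 refresh once and retry; anything else is returned as-is."""
    status, body = request(manager.auth_header())
    if status in (UNAUTHORIZED, AUTH_EXPIRED) and manager.refresh_token():
        status, body = request(manager.auth_header())
    return status, body


def run_scenarios() -> Dict[str, dict]:
    """Exercise the three configurations from the PR description against the fakes."""
    endpoint = FakeTokenEndpoint(clients={"catalog-client": "s3cr3t"})
    server = FakeCatalogServer(endpoint=endpoint, static_tokens={"preissued-token"})
    out: Dict[str, dict] = {}

    # CREDENTIAL only: exchanged at init; a server-side expiry (419) triggers one re-exchange.
    m = ClientCredentialsAuthManager(endpoint, credential="catalog-client:s3cr3t")
    first = m.token
    server.revoked.add(first)
    status, _ = call_with_retry(m, server.handle)
    out["credential"] = {"init_token": first, "status": status, "refreshes": m.refreshes, "token": m.token}

    # CREDENTIAL and TOKEN: same path; the static token is never presented.
    m = ClientCredentialsAuthManager(endpoint, credential="catalog-client:s3cr3t", token="preissued-token")
    status, _ = call_with_retry(m, server.handle)
    out["both"] = {"uses_static": m.token == "preissued-token", "status": status, "refreshes": m.refreshes}

    # TOKEN only: no exchange at init; once the server rejects the token the 419 is surfaced.
    before = len(endpoint.issued)
    m = ClientCredentialsAuthManager(endpoint, token="preissued-token")
    status_ok, _ = call_with_retry(m, server.handle)
    server.revoked.add("preissued-token")
    status_expired, _ = call_with_retry(m, server.handle)
    out["token_only"] = {"exchanges": len(endpoint.issued) - before, "before": status_ok,
                         "after": status_expired, "refreshes": m.refreshes}
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The point worth checking in a real catalog client is the one the review thread raises: how many times the exchange runs during initialization. Here `endpoint.issued` records every token handed out, so a test can assert exactly one exchange at init and one per refresh, which is also the signal a defender would watch for on the token endpoint (bursts of client-credential grants from a single client usually mean a retry loop rather than legitimate expiry).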