Merge branch 'oauth2-manager' of https://github.com/sungwy/iceberg-python into oauth2-manager

sungwy · sungwy · commit b690f40f46a0 · 2025-08-14T02:36:59.000Z
diff --git a/mkdocs/docs/configuration.md b/mkdocs/docs/configuration.md
@@ -388,6 +388,8 @@ The RESTCatalog supports pluggable authentication via the `auth` configuration b
 
 - `noop`: No authentication (no Authorization header sent).
 - `basic`: HTTP Basic authentication.
+- `oauth2`: OAuth2 client credentials flow.
+- `legacyoauth2`: Legacy OAuth2 client credentials flow (Deprecated and will be removed in PyIceberg 1.0.0)
 - `custom`: Custom authentication manager (requires `auth.impl`).
 - `google`: Google Authentication support
 
@@ -411,9 +413,10 @@ catalog:
 
 | Property         | Required | Description                                                                                     |
 |------------------|----------|-------------------------------------------------------------------------------------------------|
-| `auth.type`      | Yes      | The authentication type to use (`noop`, `basic`, or `custom`).                       |
+| `auth.type`      | Yes      | The authentication type to use (`noop`, `basic`, `oauth2`, or `custom`).                       |
 | `auth.impl`      | Conditionally | The fully qualified class path for a custom AuthManager. Required if `auth.type` is `custom`. |
 | `auth.basic`     | If type is `basic` | Block containing `username` and `password` for HTTP Basic authentication.           |
+| `auth.oauth2`    | If type is `oauth2` | Block containing OAuth2 configuration (see below).                                 |
 | `auth.custom`    | If type is `custom` | Block containing configuration for the custom AuthManager.                          |
 | `auth.google`    | If type is `google` | Block containing `credentials_path` to a service account file (if using). Will default to using Application Default Credentials. |
 
@@ -436,6 +439,20 @@ auth:
     password: mypass
 ```
 
+OAuth2 Authentication:
+
+```yaml
+auth:
+  type: oauth2
+  oauth2:
+    client_id: my-client-id
+    client_secret: my-client-secret
+    token_url: https://auth.example.com/oauth/token
+    scope: read
+    refresh_margin: 60         # (optional) seconds before expiry to refresh
+    expires_in: 3600           # (optional) fallback if server does not provide
+```
+
 Custom Authentication:
 
 ```yaml
@@ -451,7 +468,7 @@ auth:
 
 - If `auth.type` is `custom`, you **must** specify `auth.impl` with the full class path to your custom AuthManager.
 - If `auth.type` is not `custom`, specifying `auth.impl` is not allowed.
-- The configuration block under each type (e.g., `basic`, `custom`) is passed as keyword arguments to the corresponding AuthManager.
+- The configuration block under each type (e.g., `basic`, `oauth2`, `custom`) is passed as keyword arguments to the corresponding AuthManager.
 
 <!-- markdown-link-check-enable-->
 
@@ -520,94 +537,6 @@ catalog:
     py-io-impl: pyiceberg.io.fsspec.FsspecFileIO
 ```
 
-#### Authentication in RESTCatalog
-
-The RESTCatalog supports pluggable authentication via the `auth` configuration block. This allows you to specify which how the access token will be fetched and managed for use with the HTTP requests to the RESTCatalog server. The authentication method is selected by setting the `auth.type` property, and additional configuration can be provided as needed for each method.
-
-##### Supported Authentication Types
-
-- `noop`: No authentication (no Authorization header sent).
-- `basic`: HTTP Basic authentication.
-- `oauth2`: OAuth2 client credentials flow.
-- `legacyoauth2`: Legacy OAuth2 client credentials flow (Deprecated and will be removed in PyIceberg 1.0.0)
-- `custom`: Custom authentication manager (requires `auth.impl`).
-
-##### Configuration Properties
-
-The `auth` block is structured as follows:
-
-```yaml
-catalog:
-  default:
-    type: rest
-    uri: http://rest-catalog/ws/
-    auth:
-      type: <auth_type>
-      <auth_type>:
-        # Type-specific configuration
-      impl: <custom_class_path>  # Only for custom auth
-```
-
-**Property Reference:**
-
-| Property         | Required | Description                                                                                     |
-|------------------|----------|-------------------------------------------------------------------------------------------------|
-| `auth.type`      | Yes      | The authentication type to use (`noop`, `basic`, `oauth2`, or `custom`).                       |
-| `auth.impl`      | Conditionally | The fully qualified class path for a custom AuthManager. Required if `auth.type` is `custom`. |
-| `auth.basic`     | If type is `basic` | Block containing `username` and `password` for HTTP Basic authentication.           |
-| `auth.oauth2`    | If type is `oauth2` | Block containing OAuth2 configuration (see below).                                 |
-| `auth.custom`    | If type is `custom` | Block containing configuration for the custom AuthManager.                          |
-
-##### Examples
-
-**No Authentication:**
-
-```yaml
-auth:
-  type: noop
-```
-
-**Basic Authentication:**
-
-```yaml
-auth:
-  type: basic
-  basic:
-    username: myuser
-    password: mypass
-```
-
-**OAuth2 Authentication:**
-
-```yaml
-auth:
-  type: oauth2
-  oauth2:
-    client_id: my-client-id
-    client_secret: my-client-secret
-    token_url: https://auth.example.com/oauth/token
-    scope: read
-    refresh_margin: 60         # (optional) seconds before expiry to refresh
-    expires_in: 3600           # (optional) fallback if server does not provide
-```
-
-**Custom Authentication:**
-
-```yaml
-auth:
-  type: custom
-  impl: mypackage.module.MyAuthManager
-  custom:
-    property1: value1
-    property2: value2
-```
-
-##### Notes
-
-- If `auth.type` is `custom`, you **must** specify `auth.impl` with the full class path to your custom AuthManager.
-- If `auth.type` is not `custom`, specifying `auth.impl` is not allowed.
-- The configuration block under each type (e.g., `basic`, `oauth2`, `custom`) is passed as keyword arguments to the corresponding AuthManager.
-
 ### SQL Catalog
 
 The SQL catalog requires a database for its backend. PyIceberg supports PostgreSQL and SQLite through psycopg2. The database connection has to be configured using the `uri` property. The init_catalog_tables is optional and defaults to True. If it is set to False, the catalog tables will not be created when the SQLCatalog is initialized. See SQLAlchemy's [documentation for URL format](https://docs.sqlalchemy.org/en/20/core/engines.html#backend-specific-urls):
diff --git a/pyiceberg/catalog/rest/auth.py b/pyiceberg/catalog/rest/auth.py
@@ -175,7 +175,7 @@ def _refresh_token(self) -> None:
         expires_in = result.get("expires_in", self.expires_in)
         if expires_in is None:
             raise ValueError(
-                "The expiration time of the Token must be provided by the Server in the Access Token Response in `expired_in` field, or by the PyIceberg Client."
+                "The expiration time of the Token must be provided by the Server in the Access Token Response in `expires_in` field, or by the PyIceberg Client."
             )
         self._expires_at = time.time() + expires_in - self.refresh_margin
 

Original file line number	Diff line number	Diff line change
`@@ -175,7 +175,7 @@ def _refresh_token(self) -> None:`
`175`	`175`	`expires_in = result.get("expires_in", self.expires_in)`
`176`	`176`	`if expires_in is None:`
`177`	`177`	`raise ValueError(`
`178`		- "The expiration time of the Token must be provided by the Server in the Access Token Response in `expired_in` field, or by the PyIceberg Client."
	`178`	+ "The expiration time of the Token must be provided by the Server in the Access Token Response in `expires_in` field, or by the PyIceberg Client."
`179`	`179`	`)`
`180`	`180`	`self._expires_at = time.time() + expires_in - self.refresh_margin`
`181`	`181`