Description
Enable extra-credential support for Iceberg OAuth tokens or credentials so users can connect to Trino using their own OAuth tokens/credentials. This allows secure passthrough authentication from Trino to an Iceberg REST catalog (e.g., Polaris), aligning with modern security practices and user-managed token flows.
The problem of using iceberg.rest-catalog.session is described here.
Today, users need to configure credentials statically on the Trino side. With this feature, users will be able to bring their own time-limited credentials at query time.
Example session-level connection:
```
./trino \
  --server http://localhost:8080 \
  --extra-credential oauth_token="my1hrvalidtoken"
```
Example Connector Config
```
connector.name=iceberg
fs.native-s3.enabled=true
iceberg.catalog.type=rest
iceberg.rest-catalog.oauth2.credential=oauth_credential
iceberg.rest-catalog.oauth2.token=oauth_token
iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE\:admin
iceberg.rest-catalog.oauth2.server-uri=https://myorg/oauth/token
iceberg.rest-catalog.security=OAUTH2
iceberg.rest-catalog.uri=https://polaris/api/catalog
iceberg.rest-catalog.vended-credentials-enabled=true
iceberg.rest-catalog.warehouse=mywarehouse
```
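A sketch of the per-session lookup this request implies, added here as an illustration and not taken from the issue or from Trino's code. It assumes the `oauth2.token` and `oauth2.credential` values name extra credentials, that a token wins over a credential when both are supplied, and that a session supplying neither is rejected; `resolve_oauth`, `MissingCredential` and `redact` are hypothetical names.

```python
# Added example: constructed sketch of the proposed behaviour, not Trino code.
# Constructed sample: a subset of the connector config from the issue.
CONNECTOR_PROPERTIES = """\
connector.name=iceberg
iceberg.rest-catalog.security=OAUTH2
iceberg.rest-catalog.oauth2.credential=oauth_credential
iceberg.rest-catalog.oauth2.token=oauth_token
iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE\\:admin
"""

PREFIX = "iceberg.rest-catalog.oauth2."


class MissingCredential(Exception):
    """The session carried none of the extra credentials the catalog names."""


def parse_properties(text):
    """Parse key=value lines; unescape the '\\:' used in .properties files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def resolve_oauth(props, extra_credentials):
    """Return (kind, secret) for one session. Assumption: token beats credential."""
    wanted = []
    for kind in ("token", "credential"):
        name = props.get(PREFIX + kind)  # assumed: the value is a credential NAME
        if not name:
            continue
        wanted.append(name)
        secret = extra_credentials.get(name)
        if secret:
            return kind, secret
    # Fail closed: no fallback to a static, shared secret on the Trino side.
    raise MissingCredential("session supplied none of: " + ", ".join(wanted))


def redact(secret):
    """Safe form for logs: never echo any part of the secret."""
    return "<redacted len=%d>" % len(secret)
```

The `extra_credentials` argument stands in for the name/value pairs passed with `--extra-credential`; the error message lists only credential names, never values.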