AWS: Fix OAuth2 additional params inclusion

aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java

@@ -116,7 +116,7 @@ public String oauth2ServerUri() {
 
   @Value.Lazy
   public Map<String, String> optionalOAuthParams() {
-    return OAuth2Util.buildOptionalParam(properties());
+    return OAuth2Util.buildOptionalParam(properties(), SCOPE);
   }
 
   /** A Bearer token supplier which will be used for interaction with the server. */
@@ -166,10 +166,10 @@ AuthSession authSession() {
     ImmutableMap.Builder<String, String> properties =
         ImmutableMap.<String, String>builder()
             .putAll(properties())
-            .putAll(optionalOAuthParams())
             .put(OAuth2Properties.OAUTH2_SERVER_URI, oauth2ServerUri())
             .put(OAuth2Properties.TOKEN_REFRESH_ENABLED, String.valueOf(keepTokenRefreshed()))
-            .put(OAuth2Properties.SCOPE, SCOPE);
+            .put(OAuth2Properties.SCOPE, SCOPE)
+            .putAll(optionalOAuthParams());
     String token = token().get();
     if (null != token) {
       properties.put(OAuth2Properties.TOKEN, token);

aws/src/test/java/org/apache/iceberg/aws/s3/signer/TestS3V4RestSignerClient.java

@@ -65,6 +65,23 @@ static void beforeAll() {
             Mockito.any()))
         .thenReturn(
             OAuthTokenResponse.builder().withToken("token").withTokenType("Bearer").build());
+    when(S3V4RestSignerClient.httpClient.postForm(
+            Mockito.anyString(),
+            Mockito.eq(
+                Map.of(
+                    "grant_type",
+                    "client_credentials",
+                    "client_id",
+                    "user",
+                    "client_secret",
+                    "12345",
+                    "scope",
+                    "custom")),
+            Mockito.eq(OAuthTokenResponse.class),
+            Mockito.anyMap(),
+            Mockito.any()))
+        .thenReturn(
+            OAuthTokenResponse.builder().withToken("token").withTokenType("Bearer").build());
   }
 
   @AfterAll
@@ -133,6 +150,18 @@ public static Stream<Arguments> validOAuth2Properties() {
                 "token",
                 OAuth2Properties.CREDENTIAL,
                 "user:12345"),
+            "token"),
+        // Custom scope
+        Arguments.of(
+            Map.of(
+                S3_SIGNER_URI,
+                "https://signer.com",
+                AuthProperties.AUTH_TYPE,
+                AuthProperties.AUTH_TYPE_OAUTH2,
+                OAuth2Properties.CREDENTIAL,
+                "user:12345",
+                OAuth2Properties.SCOPE,
+                "custom"),
             "token"));
   }
 }

core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Util.java

@@ -132,15 +132,19 @@ public static String toScope(Iterable<String> scopes) {
   }
 
   public static Map<String, String> buildOptionalParam(Map<String, String> properties) {
+    return buildOptionalParam(properties, OAuth2Properties.CATALOG_SCOPE);
+  }
+
+  public static Map<String, String> buildOptionalParam(
+      Map<String, String> properties, String defaultScope) {
     // these are some options oauth params based on specification
     // for any new optional oauth param, define the constant and add the constant to this list
     Set<String> optionalParamKeys =
         ImmutableSet.of(OAuth2Properties.AUDIENCE, OAuth2Properties.RESOURCE);
     ImmutableMap.Builder<String, String> optionalParamBuilder = ImmutableMap.builder();
     // add scope too,
     optionalParamBuilder.put(
-        OAuth2Properties.SCOPE,
-        properties.getOrDefault(OAuth2Properties.SCOPE, OAuth2Properties.CATALOG_SCOPE));
+        OAuth2Properties.SCOPE, properties.getOrDefault(OAuth2Properties.SCOPE, defaultScope));
     // add all other parameters
     for (String key : optionalParamKeys) {
       String value = properties.get(key);