Docs: Add REST catalog authentication properties (addresses - #13209)

docs/docs/configuration.md

@@ -143,6 +143,43 @@ The properties can be manually constructed or passed in from a compute engine li
 Spark uses its session properties as catalog properties, see more details in the [Spark configuration](spark-configuration.md#catalog-configuration) section.
 Flink passes in catalog properties through `CREATE CATALOG` statement, see more details in the [Flink](flink.md#adding-catalogs) section.
 
+### REST Catalog auth properties
+
+The following catalog properties configure authentication for the REST catalog.
+They support Basic, OAuth2, SigV4, and Google authentication.
+
+#### REST auth properties
+
+| Property                             | Default          | Description                                                                                                       |
+|--------------------------------------|------------------|-------------------------------------------------------------------------------------------------------------------|
+| `rest.auth.type`                     | `none`           | Authentication mechanism for REST catalog access. Supported values: `none`, `basic`, `oauth2`, `sigv4`, `google`. |
+| `rest.auth.basic.username`           | null             | Username for Basic authentication. Required if `rest.auth.type` = `basic`.                                        |
+| `rest.auth.basic.password`           | null             | Password for Basic authentication. Required if `rest.auth.type` = `basic`.                                        |
+| `rest.auth.sigv4.delegate-auth-type` | `oauth2`         | Auth type to delegate to after `sigv4` signing.                                                                   |
+
+#### OAuth2 auth properties
+Required and optional properties to include while using `oauth2` authentication
+
+| Property                | Default           | Description                                                                                                                                                           |
+|-------------------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `token`                 | null              | A Bearer token to interact with the server. Either `token` or `credential` is required.                                                                               |
+| `credential`            | null              | Credential string in the form of `client_id:client_secret` to exchange for a token in the OAuth2 client credentials flow. Either `token` or `credential` is required. |
+| `oauth2-server-uri`     | `v1/oauth/tokens` | OAuth2 token endpoint URI. Required if the REST catalog is not the OAuth2 authentication server.                                                                      |
+| `token-expires-in-ms`   | 3600000 (1 hour)  | Time in milliseconds after which a bearer token is considered expired. Used to decide when to refresh or re-exchange a token.                                         |
+| `token-refresh-enabled` | true              | Determines whether tokens are automatically refreshed when expiration details are available.                                                                          |
+| `token-exchange-enabled`| true              | Determines whether to use the token exchange flow to acquire new tokens. Disabling this will allow fallback to the client credential flow.                            |
+| `scope`                 | `catalog`         | Additional scope for `oauth2`.                                                                                                                                        |
+| `audience`              | null              | Optional param to specify token `audience`                                                                                                                            |
+| `resource`              | null              | Optional param to specify `resource`                                                                                                                                  |
+
+#### Google auth properties
+Required and optional properties to include while using `google` authentication
+
+| Property                   | Default                                          | Description                                      |
+|----------------------------|--------------------------------------------------|--------------------------------------------------|
+| `gcp.auth.credentials-path`| Application Default Credentials (ADC)            | Path to a service account JSON key file.         |
+| `gcp.auth.scopes`          | `https://www.googleapis.com/auth/cloud-platform` | Comma-separated list of OAuth scopes to request. |
+
 ### Lock catalog properties
 
 Here are the catalog properties related to locking. They are used by some catalog implementations to control the locking behavior during commits.