apache · flyrain · Mar 11, 2024 · Feb 29, 2024 · Feb 29, 2024 · Feb 29, 2024
diff --git a/aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java b/aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java
@@ -118,6 +118,11 @@ public String oauth2ServerUri() {
     return properties().getOrDefault(OAuth2Properties.OAUTH2_SERVER_URI, ResourcePaths.tokens());
   }
 
+  @Value.Lazy
+  public Map<String, String> optionalOAuthParams() {
+    return OAuth2Util.buildOptionalParam(properties());
+  }
+
   /** A Bearer token supplier which will be used for interaction with the server. */
   @Value.Default
   public Supplier<String> token() {
@@ -207,7 +212,13 @@ private AuthSession authSession() {
                       token,
                       expiresAtMillis(properties()),
                       new AuthSession(
-                          ImmutableMap.of(), token, null, credential(), SCOPE, oauth2ServerUri())));
+                          ImmutableMap.of(),
+                          token,
+                          null,
+                          credential(),
+                          SCOPE,
+                          oauth2ServerUri(),
+                          optionalOAuthParams())));
     }
 
     if (credentialProvided()) {
@@ -217,11 +228,22 @@ private AuthSession authSession() {
               id -> {
                 AuthSession session =
                     new AuthSession(
-                        ImmutableMap.of(), null, null, credential(), SCOPE, oauth2ServerUri());
+                        ImmutableMap.of(),
+                        null,
+                        null,
+                        credential(),
+                        SCOPE,
+                        oauth2ServerUri(),
+                        optionalOAuthParams());
                 long startTimeMillis = System.currentTimeMillis();
                 OAuthTokenResponse authResponse =
                     OAuth2Util.fetchToken(
-                        httpClient(), session.headers(), credential(), SCOPE, oauth2ServerUri());
+                        httpClient(),
+                        session.headers(),
+                        credential(),
+                        SCOPE,
+                        oauth2ServerUri(),
+                        optionalOAuthParams());
                 return AuthSession.fromTokenResponse(
                     httpClient(), tokenRefreshExecutor(), authResponse, startTimeMillis, session);
               });

diff --git a/core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java b/core/src/main/java/org/apache/iceberg/rest/RESTSessionCatalog.java
@@ -179,14 +179,16 @@ public void initialize(String name, Map<String, String> unresolved) {
     OAuthTokenResponse authResponse;
     String credential = props.get(OAuth2Properties.CREDENTIAL);
     String scope = props.getOrDefault(OAuth2Properties.SCOPE, OAuth2Properties.CATALOG_SCOPE);
+    Map<String, String> optionalOAuthParams = OAuth2Util.buildOptionalParam(props);
     String oauth2ServerUri =
         props.getOrDefault(OAuth2Properties.OAUTH2_SERVER_URI, ResourcePaths.tokens());
     try (RESTClient initClient = clientBuilder.apply(props)) {
       Map<String, String> initHeaders =
           RESTUtil.merge(configHeaders(props), OAuth2Util.authHeaders(initToken));
       if (credential != null && !credential.isEmpty()) {
         authResponse =
-            OAuth2Util.fetchToken(initClient, initHeaders, credential, scope, oauth2ServerUri);
+            OAuth2Util.fetchToken(
+                initClient, initHeaders, credential, scope, oauth2ServerUri, optionalOAuthParams);
         Map<String, String> authHeaders =
             RESTUtil.merge(initHeaders, OAuth2Util.authHeaders(authResponse.token()));
         config = fetchConfig(initClient, authHeaders, props);
@@ -213,7 +215,9 @@ public void initialize(String name, Map<String, String> unresolved) {
     this.paths = ResourcePaths.forCatalogProperties(mergedProps);
 
     String token = mergedProps.get(OAuth2Properties.TOKEN);
-    this.catalogAuth = new AuthSession(baseHeaders, null, null, credential, scope, oauth2ServerUri);
+    this.catalogAuth =
+        new AuthSession(
+            baseHeaders, null, null, credential, scope, oauth2ServerUri, optionalOAuthParams);
     if (authResponse != null) {
       this.catalogAuth =
           AuthSession.fromTokenResponse(

diff --git a/core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Properties.java b/core/src/main/java/org/apache/iceberg/rest/auth/OAuth2Properties.java
@@ -49,6 +49,12 @@ private OAuth2Properties() {}
   /** Additional scope for OAuth2. */
   public static final String SCOPE = "scope";
 
+  /** Optional param audience for OAuth2. */
+  public static final String AUDIENCE = "audience";
+
+  /** Optional param resource for OAuth2. */
+  public static final String RESOURCE = "resource";
+
   /** Scope for OAuth2 flows. */
   public static final String CATALOG_SCOPE = "catalog";