enabling oauth flow in pyiceberg for service users

Author: AlexMercedCoder

docs/features/pyiceberg_testing.md

@@ -144,20 +144,36 @@ Pangolin supports both **OAuth 2.0** and **Basic Authentication**.
 
 > **Note**: For detailed configuration of OAuth providers (Google, GitHub, etc.), please see [Authentication](../authentication.md).
 
-### Option 1: Using an OAuth Token (Recommended)
+### Option 1: Standard OAuth2 (Recommended for Production)
+The most secure way to authenticate scripts and services is using the standard OAuth2 client credentials flow with a Service User.
 
-After logging in via the UI/OAuth flow, you can use your JWT token directly.
+```python
+from pyiceberg.catalog import load_catalog
+
+catalog = load_catalog(
+    "pangolin",
+    **{
+        "uri": "http://localhost:8080/api/v1/iceberg/default", 
+        "type": "rest",
+        "credential": "<service_user_id>:<service_user_api_key>",
+        "oauth2-server-uri": "http://localhost:8080/v1/rest/v1/oauth/tokens",
+    }
+)
+```
+
+### Option 2: Using an Existing Token (Temporary)
+
+If you have a JWT token from the UI or another login flow, you can use it directly.
 
 ```python
 from pyiceberg.catalog import load_catalog
 
 catalog = load_catalog(
     "pangolin",
     **{
-        "uri": "http://localhost:8080/iceberg/default", # 'default' is the catalog name
+        "uri": "http://localhost:8080/api/v1/iceberg/default",
         "type": "rest",
-        "token": "YOUR_JWT_TOKEN",            # Token from UI or OAuth callback
-        # No S3 keys needed if Credential Vending is active
+        "token": "YOUR_JWT_TOKEN",            # Token from UI or Login
     }
 )
 ```

docs/features/service_users.md

@@ -38,19 +38,31 @@ curl -H "X-API-Key: pgl_YOUR_SECRET_KEY" \
      https://your-pangolin-api.com/api/v1/catalogs
 ```
 
-### Integration: PyIceberg
+### Integration: PyIceberg (Standard OAuth2)
+PyIceberg supports standard OAuth2, which is the recommended way to use Service Users.
+
 ```python
 from pyiceberg.catalog import load_catalog
 
 catalog = load_catalog(
     "pangolin",
     **{
-        "uri": "https://api.pangolin.io",
-        "header.X-API-Key": "pgl_YOUR_SECRET_KEY",
+        "uri": "https://api.pangolin.io/api/v1/iceberg/default",
+        "credential": "<service_user_uuid>:<api_key>",
+        "oauth2-server-uri": "https://api.pangolin.io/v1/rest/v1/oauth/tokens",
+        "type": "rest",
     }
 )
 ```
 
+### Integration: Custom Clients (X-API-Key)
+For simple HTTP clients that don't support OAuth2, you can use the header:
+```python
+import requests
+headers = {"X-API-Key": "pgl_YOUR_SECRET_KEY"}
+response = requests.get("https://api.pangolin.io/api/v1/catalogs", headers=headers)
+```
+
 ---
 
 ## 🚦 Best Practices

pangolin/Cargo.lock

@@ -173,7 +173,8 @@ pub async fn auth_middleware(
        path == "/v1/config" || 
        path.ends_with("/config") ||
        path.starts_with("/oauth/authorize/") ||
-       path.starts_with("/oauth/callback/") {
+       path.starts_with("/oauth/callback/") ||
+       path.contains("/oauth/tokens") {
             return next.run(req).await;
     }
 
@@ -335,13 +336,16 @@ pub async fn auth_middleware_wrapper(
 
     // Whitelist public endpoints
     let path = req.uri().path();
+    tracing::error!("AUTH CHECK: Checking path '{}'", path);
+
     if path == "/health" ||
        path == "/api/v1/users/login" || 
        path == "/api/v1/app-config" || 
        path == "/v1/config" || 
        path.ends_with("/config") ||
        path.starts_with("/oauth/authorize/") ||
-       path.starts_with("/oauth/callback/") {
+       path.starts_with("/oauth/callback/") ||
+       path.contains("/oauth/tokens") {
             return next.run(req).await;
     }
 

pangolin/pangolin_api/src/auth_middleware.rs

@@ -13,6 +13,7 @@ use crate::federated_proxy::FederatedCatalogProxy;
 pub mod config;
 pub mod namespaces;
 pub mod tables;
+pub mod oauth;
 pub mod types;
 
 // Re-export types for convenience

pangolin/pangolin_api/src/iceberg/mod.rs

@@ -0,0 +1,116 @@
+use axum::{
+    extract::{State, Form},
+    response::{IntoResponse, Json},
+    http::StatusCode,
+};
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use pangolin_store::CatalogStore;
+// Removed Signer import as we implement signing locally
+use pangolin_core::user::{User, UserRole, UserSession, ServiceUser};
+use chrono::{Utc, Duration};
+use anyhow::Context;
+use uuid::Uuid;
+use bcrypt::verify;
+use jsonwebtoken::{encode, EncodingKey, Header};
+use crate::auth::Claims;
+
+// Internal imports
+use crate::error::ApiError;
+use crate::iceberg::AppState;
+
+#[derive(Deserialize)]
+pub struct OAuthTokenRequest {
+    grant_type: String,
+    client_id: String,
+    client_secret: String,
+    scope: Option<String>,
+}
+
+#[derive(Serialize)]
+pub struct OAuthTokenResponse {
+    access_token: String,
+    token_type: String,
+    expires_in: u64,
+    issued_token_type: String,
+}
+
+/// Handler for the standard OAuth2 client_credentials flow
+/// 
+/// This endpoint accepts `application/x-www-form-urlencoded` data
+/// to support standard libraries like PyIceberg/REST Catalog.
+/// 
+/// It maps:
+/// - `client_id` -> Service User ID (UUID)
+/// - `client_secret` -> Service User API Key
+/// 
+/// If valid, it returns a standard Pangolin JWT signed by the server key.
+pub async fn handle_oauth_token(
+    State(store): State<AppState>,
+    Form(payload): Form<OAuthTokenRequest>,
+) -> Result<impl IntoResponse, ApiError> {
+    // 1. Validate Grant Type
+    if payload.grant_type != "client_credentials" {
+        return Err(ApiError::bad_request("Unsupported grant_type. exact 'client_credentials' required."));
+    }
+
+    // 2. Parse Client ID as UUID
+    let service_user_id = Uuid::parse_str(&payload.client_id)
+        .map_err(|_| ApiError::bad_request("Invalid client_id format. Must be a valid UUID."))?;
+
+    // 3. Retrieve Service User
+    let store_ref = &*store;
+    let service_user_result: anyhow::Result<Option<ServiceUser>> = store_ref.get_service_user(service_user_id).await;
+    let service_user = service_user_result
+        .map_err(|e| ApiError::InternalError(e))?
+        .ok_or_else(|| ApiError::unauthorized("Invalid client_id"))?;
+
+    // 4. Verify Active Status
+    if !service_user.active {
+        return Err(ApiError::unauthorized("Client is inactive"));
+    }
+
+    // 5. Verify Secret (API Key)
+    // The stored hash is bcrypt
+    let valid_secret = verify(&payload.client_secret, &service_user.api_key_hash)
+        .map_err(|e| ApiError::InternalError(anyhow::anyhow!("Crypto failure: {}", e)))?;
+
+    if !valid_secret {
+        return Err(ApiError::unauthorized("Invalid client_secret"));
+    }
+    
+    // 6. Generate Session/Token
+    // We reuse the standard JWT generation logic used for users
+    let now = Utc::now();
+    let expires_in_seconds = 3600; // 1 hour default
+    let expires_at = now + Duration::seconds(expires_in_seconds as i64);
+
+    let token_id = Uuid::new_v4();
+    let secret = std::env::var("PANGOLIN_JWT_SECRET").unwrap_or_else(|_| "default_secret_for_dev".to_string());
+    
+    let claims = Claims {
+        sub: service_user.id.to_string(), 
+        jti: Some(token_id.to_string()),
+        username: service_user.name.clone(), 
+        tenant_id: Some(service_user.tenant_id.to_string()),
+        role: service_user.role.clone(), 
+        exp: expires_at.timestamp(),
+        iat: now.timestamp(),
+    };
+
+    // We need to sign this. 
+    let token = encode(&Header::default(), &claims, &EncodingKey::from_secret(secret.as_bytes()))
+        .map_err(|e| ApiError::InternalError(anyhow::anyhow!("Token generation failed: {}", e)))?;
+        
+    // 7. Update Last Used
+    // Best effort - don't fail auth if this fails
+    let _ = store_ref.update_service_user_last_used(service_user.id, now).await;
+
+    // 8. Return Response
+    Ok(Json(OAuthTokenResponse {
+        access_token: token,
+        token_type: "Bearer".to_string(),
+        expires_in: expires_in_seconds,
+        issued_token_type: "urn:ietf:params:oauth:token-type:access_token".to_string(),
+    }))
+}

pangolin/pangolin_api/src/iceberg/oauth.rs

@@ -97,6 +97,11 @@ pub fn app(store: Arc<dyn CatalogStore + Send + Sync>) -> Router {
         .route("/v1/:prefix/v1/namespaces/:namespace/tables/:table/maintenance", post(iceberg::tables::perform_maintenance))
         .route("/v1/:prefix/v1/namespaces/:namespace/tables/:table/metrics", post(iceberg::tables::report_metrics))
         .route("/v1/:prefix/v1/tables/rename", post(iceberg::tables::rename_table))
+        .route("/v1/:prefix/v1/oauth/tokens", post(iceberg::oauth::handle_oauth_token))
+        .route("/v1/:prefix/oauth/tokens", post(iceberg::oauth::handle_oauth_token)) // Support non-nested v1 too just in case
+        // Support /api/v1/iceberg prefix style
+        .route("/api/v1/iceberg/:prefix/v1/oauth/tokens", post(iceberg::oauth::handle_oauth_token))
+        .route("/api/v1/iceberg/:prefix/oauth/tokens", post(iceberg::oauth::handle_oauth_token))
         // Pangolin Extended APIs
         // Branch Operations
         .route("/api/v1/branches", post(pangolin_handlers::create_branch).get(pangolin_handlers::list_branches))

pangolin/pangolin_api/src/lib.rs

@@ -17,6 +17,7 @@ log = "0.4"
 env_logger = "0.10"
 serde_json = "1.0"
 urlencoding = "2.1"
+chrono = { version = "0.4", features = ["serde"] }
 
 [[bin]]
 name = "pangolin-admin"