No OAuth2 authorization token was provided when obtaining the signature.

[ChangxingJiang]

Apache Iceberg version

0.10.0 (latest release)

Please describe the bug 🐞

Problem

When LakeKeeper enables OAuth2 authentication, an error occurs in PyIceberg's s3v4_rest_signer function because no token is passed in.
The error message is as follows:

requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: http://localhost:8181/catalog/v1/signer/1b6a661c-c045-11f0-a5d1-c7f4c19a9f11/tabular-id/019a7bf0-6022-77a3-a1ca-e466b94a019a/v1/aws/s3/sign

I Find it because "token" is not in the properties in the S3V4RestSigner:

https://github.com/apache/iceberg-python/blob/main/pyiceberg/io/fsspec.py

Expect

It tokens to request the signer.

Reproduce

• Use LakeKeeper as REST catalog
• Use KeyCloak to OAuth2

catalog = load_catalog(
    type="rest",
    uri="http://localhost:8181/catalog",
    warehouse="iceberg",
    credential=f"{CLIENT_ID}:{CLIENT_SECRET}",
    scope="lakekeeper",
    **{
        "oauth2-server-uri": "http://172.20.*.*:*/realms/master/protocol/openid-connect/token"
    }
)

Willingness to contribute

• I can contribute a fix for this bug independently
• I would be willing to contribute a fix for this bug with guidance from the Iceberg community
• I cannot contribute a fix for this bug at this time

[kevinjqliu]

thanks for reporting this issue @ChangxingJiang
it sounds similar to #2544

[ChangxingJiang]

thanks for reporting this issue @ChangxingJiang it sounds similar to #2544

Yes, is same to #2544 , I will close this issue and follow that.

But I can't use 0.9.1 version, because I need to use s3.force-virtual-addressing in #2517 .