Support for JWT-secured download URLs in Delta Sharing protocol

[bond-]

Currently, the Delta Sharing protocol mandates the use of pre-signed URLs for file downloads, typically from cloud storage. Our internal security team has advised against using pre-signed URLs due to organizational security policies.

We propose that the protocol be extended to support non-cloud-storage URLs, where clients can download files by passing a JWT token (e.g., via an HTTP header) for authentication and authorization, instead of relying on pre-signed URLs.

Benefits:

• Aligns with organizations that prohibit pre-signed URLs
• Enables flexible integration with custom storage backends
• Leverages JWT for fine-grained access control and auditing

Request:
Please consider modifying the protocol to allow servers to return a download URL that accepts a JWT token for secure access, in addition to (or instead of) pre-signed URLs.

Additional context:

• Our use case involves internal storage systems and custom authentication flows
• JWT tokens can be short-lived and signed for specific file access