Using OAuth 2.0
Four authentication workflows are available with OAuth 2.0: token pass-through, browser based, M2M (machine-to-machine), and Azure Managed Identity.
This authentication mechanism is available for Spark Thrift Server instances only. When you use OAuth 2.0 authentication, HTTP is the only Thrift transport protocol available, and the browser based workflow works only when SSL is enabled.
A discovery mode lets the connector auto-fill some endpoints and configuration. Endpoint discovery is enabled by default; disable it by setting EnableOIDCDiscovery=0. You can also supply the OIDC discovery endpoint explicitly with OIDCDiscoveryEndpoint. With discovery on, the connector automatically determines OAuth2AuthorizationEndPoint and OAuth2TokenEndPoint.
To apply the connector's server SSL configuration to the OAuth endpoints as well, set UseServerSSLConfigsForOAuthEndPoint.
Token Pass-through
This authentication mechanism requires a valid OAuth 2.0 access token or refresh token. Be aware that access tokens typically expire after a certain amount of time, after which you must either refresh the token or obtain a new one from the server. If a refresh token is provided, the connector uses it to refresh the access token when necessary.
When the access token expires, the connector will return an error with SQLState 08006. To provide the connector with a new access token, use Connection.setClientInfo() with "Auth_AccessToken" as the key and the new access token as the value. The connector will update the access token and use the newly provided token for any subsequent calls to the server.
For more information regarding Connection.setClientInfo() please refer to https://docs.oracle.com/javase/8/docs/api/java/sql/Connection.html#setClientInfo-java.lang.String-java.lang.String-.
To configure OAuth 2.0 token pass-through using an access token:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 0.
- Set the Auth_AccessToken property to your access token.
To configure OAuth 2.0 token pass-through using a refresh token:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 0.
- Set the Auth_RefreshToken property to your refresh token.
Note: OAuth2ClientId and OAuth2Secret are optional. If no client ID is provided, the connector uses its default client ID.
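The following is an added example, not code from the connector or its documentation, showing the access-token variant of pass-through together with the re-tokening path described above: the query is run, and if the connector reports SQLState 08006 the caller fetches a fresh token, hands it over with Connection.setClientInfo("Auth_AccessToken", ...) and retries exactly once. The JDBC URL, the environment variables and the token source (a Supplier standing in for your identity provider client) are assumptions; the property names AuthMech, Auth_Flow and Auth_AccessToken are the ones from the documentation.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import java.util.function.Supplier;

/**
 * Token pass-through (AuthMech=11, Auth_Flow=0) with re-tokening on SQLState 08006.
 * Added example; the JDBC URL and the token source are assumptions, substitute your own.
 */
public class TokenPassThroughExample {

    // Assumption: the JDBC URL of your Spark Thrift Server (HTTP transport, SSL enabled).
    private static final String JDBC_URL = System.getenv("SPARK_JDBC_URL");

    // SQLState the documentation says the connector returns once the access token has expired.
    private static final String TOKEN_EXPIRED_STATE = "08006";

    /** Connection properties for the access-token variant of token pass-through. */
    static Properties passThroughProperties(String accessToken) {
        Properties props = new Properties();
        props.setProperty("AuthMech", "11");
        props.setProperty("Auth_Flow", "0");
        props.setProperty("Auth_AccessToken", accessToken);
        return props;
    }

    /**
     * Runs a query; on SQLState 08006 obtains a fresh token from tokenSource, passes it to
     * the connector via setClientInfo and retries once. Any other SQLState is re-thrown
     * unchanged so an unrelated failure is never masked as a token problem, and a second
     * 08006 propagates rather than looping.
     */
    static int runWithRetokening(Connection conn, Supplier<String> tokenSource, String sql)
            throws SQLException {
        try {
            return countRows(conn, sql);
        } catch (SQLException e) {
            if (!TOKEN_EXPIRED_STATE.equals(e.getSQLState())) {
                throw e;
            }
            // Key is the connection property name; the connector uses the new token from here on.
            conn.setClientInfo("Auth_AccessToken", tokenSource.get());
            return countRows(conn, sql);
        }
    }

    private static int countRows(Connection conn, String sql) throws SQLException {
        int rows = 0;
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                rows++;
            }
        }
        return rows;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: re-reading an environment variable stands in for "obtain a new token
        // from the server"; in practice this would call your identity provider client.
        Supplier<String> tokenSource = () -> System.getenv("OAUTH_ACCESS_TOKEN");
        Properties props = passThroughProperties(tokenSource.get());
        try (Connection conn = DriverManager.getConnection(JDBC_URL, props)) {
            System.out.println("rows: " + runWithRetokening(conn, tokenSource, "SELECT 1"));
        }
    }
}
```

The token is passed as a connection property rather than embedded in the URL string, which keeps it out of anything that logs the URL. Retrying only on 08006, and only once, is deliberate: an authorization failure with a different SQLState should surface to the caller, not trigger a silent token fetch.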
Using Browser Based Authentication
This authentication mechanism requires SSL to be enabled.
To configure OAuth 2.0 browser based authentication:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 2.
- Set the PWD property to a password of your choice. This is the key used to encrypt the refresh token.
Once the browser based authentication flow completes, the refresh token is cached so you do not need to authenticate again. The token cache can be disabled by setting EnableTokenCache=0. The TokenCachePassPhrase property must be set when the token cache is used.
Using M2M Based Authentication
To configure OAuth 2.0 M2M based authentication:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 1.
- Set the OAuth2ClientId property to the client ID used in the specified authentication source.
- Set the OAuth2Secret property to the secret used in the specified authentication source.
To configure JWT assertion authentication:
- Set the Auth_KID property to the unique key ID.
- Set the Auth_JWT_Key_File property to the path of the private key PEM file.
- Set the Auth_JWT_Key_Passphrase property if the private key needs to be decrypted; otherwise leave it unset.
- Set the UseJWTAssertion property to 1.
- Set the Auth_JWT_Alg property to use an alternate signing algorithm: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, or ES512.
For JWT assertion authentication, BouncyCastle v1.74 must be on the classpath.
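As an added example (not the connector's own code), the builder below produces the M2M connection properties for both credential styles side by side: a shared client secret, and a JWT assertion signed with a private key on disk. The property names are the ones listed above; the helper names, the check that Auth_JWT_Alg is one of the listed algorithms, and the POSIX permission check on the PEM file are this example's additions, and it assumes that with UseJWTAssertion=1 the key replaces OAuth2Secret as the client credential.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

/**
 * Builds M2M connection properties (AuthMech=11, Auth_Flow=1) with either a client secret
 * or a JWT assertion. Added example; property names come from the documentation, the
 * validation logic is this example's assumption about sensible handling.
 */
public class M2mProperties {

    // Signing algorithms the documentation lists for Auth_JWT_Alg.
    static final Set<String> JWT_ALGS = Set.of(
            "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512");

    private static Properties base(String clientId) {
        if (clientId == null || clientId.isEmpty()) {
            throw new IllegalArgumentException("OAuth2ClientId is required for M2M");
        }
        Properties p = new Properties();
        p.setProperty("AuthMech", "11");
        p.setProperty("Auth_Flow", "1");
        p.setProperty("OAuth2ClientId", clientId);
        return p;
    }

    /** Client-secret variant: secret is a property, not part of the JDBC URL string. */
    static Properties withClientSecret(String clientId, String secret) {
        if (secret == null || secret.isEmpty()) {
            throw new IllegalArgumentException("OAuth2Secret is empty");
        }
        Properties p = base(clientId);
        p.setProperty("OAuth2Secret", secret);
        return p;
    }

    /**
     * JWT-assertion variant: a private key on disk instead of a shared secret.
     * Assumption: with UseJWTAssertion=1 no OAuth2Secret is set.
     */
    static Properties withJwtAssertion(String clientId, String keyId, Path pemFile,
                                       String passphrase, String alg) throws IOException {
        if (!Files.isReadable(pemFile)) {
            throw new IllegalArgumentException("Auth_JWT_Key_File not readable: " + pemFile);
        }
        rejectGroupOrWorldReadable(pemFile);
        if (alg != null && !JWT_ALGS.contains(alg)) {
            throw new IllegalArgumentException("Auth_JWT_Alg not in the supported list: " + alg);
        }
        Properties p = base(clientId);
        p.setProperty("UseJWTAssertion", "1");
        p.setProperty("Auth_KID", keyId);
        p.setProperty("Auth_JWT_Key_File", pemFile.toString());
        if (passphrase != null && !passphrase.isEmpty()) {
            p.setProperty("Auth_JWT_Key_Passphrase", passphrase); // only for encrypted keys
        }
        if (alg != null) {
            p.setProperty("Auth_JWT_Alg", alg); // omit to keep the connector's default
        }
        return p;
    }

    /** The signing key is a credential: refuse keys other local users can read (POSIX only). */
    private static void rejectGroupOrWorldReadable(Path pemFile) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(pemFile);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IllegalArgumentException("private key is group/world readable: " + pemFile);
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): no mode bits to check here.
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumption: credentials come from the environment, not from source or the URL.
        String clientId = System.getenv("OAUTH2_CLIENT_ID");
        Properties secretProps = withClientSecret(clientId, System.getenv("OAUTH2_CLIENT_SECRET"));
        Properties jwtProps = withJwtAssertion(clientId, System.getenv("JWT_KID"),
                Path.of(System.getenv("JWT_KEY_PEM")), System.getenv("JWT_KEY_PASSPHRASE"), "RS256");
        System.out.println("secret flow keys: " + secretProps.stringPropertyNames());
        System.out.println("jwt flow keys:    " + jwtProps.stringPropertyNames());
    }
}
```

Either Properties object is passed to DriverManager.getConnection(url, props). The two variants are mutually exclusive in this example by construction, so a connection cannot accidentally carry both a client secret and a signing key.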
Using Azure Managed Identity Authentication
To configure Azure Managed Identity authentication:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 3.
- Optionally, set the OAuth2ClientId property to the client ID of a user-assigned managed identity.
- Optionally, set Azure_workspace_resource_id if your resource is a contributor.