Using OAuth 2.0
Four types of authentication workflow are available when using OAuth 2.0: token pass-through, client credentials, browser based authentication, and Azure Managed Identity.
This authentication mechanism is available for Spark.
The connector has a discovery mode that auto-fills some endpoints and configuration values. Endpoint discovery is enabled by default; you can disable it by setting EnableOIDCDiscovery=0. You can also pass the OIDC discovery endpoint explicitly by using OIDCDiscoveryEndpoint. The connector automatically discovers OAuth2AuthorizationEndPoint and OAuth2TokenEndPoint.
Token Pass-through
This authentication mechanism requires a valid OAuth 2.0 access token. Be aware that access tokens typically expire after a certain amount of time, after which you must either refresh the token or obtain a new one from the server.
To configure OAuth 2.0 token pass-through authentication:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 0.
- Set the Auth_AccessToken property to your access token.
Obtaining a New Access Token
Once an access token expires, you can obtain a new access token for the connector.
Note: When an access token expires, the connector returns a "SQLState 08006" error.
To obtain a new access token:
- In the connection string, set the Auth_AccessToken property to the new access token.
- Call the SQLSetConnectAttr function with SQL_ATTR_CREDENTIALS (122) as the attribute and the new connection string as the value. The connector will update the current connection string with the new access token.
Note: Calling the SQLGetConnectAttr function with SQL_ATTR_CREDENTIALS (122) returns the entire connection string used during connection.
- Call the SQLSetConnectAttr function with SQL_ATTR_REFRESH_CONNECTION (123) as the attribute and SQL_REFRESH_NOW (-1) as the value. This signals the connector to update the access token value.
- Retry the previous ODBC API call. After obtaining the new access token, the open connection, statements, and cursors associated with it remain valid for use.
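The refresh sequence above, as an added example that is not the connector vendor's code: on a "SQLState 08006" error it sets SQL_ATTR_CREDENTIALS (122) to a connection string carrying the new token, sets SQL_ATTR_REFRESH_CONNECTION (123) to SQL_REFRESH_NOW (-1), and retries the call. SimulatedConnection is a constructed stand-in for a real ODBC connection handle so the logic runs offline; the sample connection string, driver name and token values are constructed as well. With a real driver, get_connect_attr and set_connect_attr map to SQLGetConnectAttr and SQLSetConnectAttr on the connection handle.

```python
"""Recover from an expired OAuth 2.0 access token on an open ODBC connection.

Added example, not the connector vendor's code. SimulatedConnection is a
constructed stand-in for a real ODBC connection handle.
"""
import re

SQL_ATTR_CREDENTIALS = 122         # attribute ids from the documentation
SQL_ATTR_REFRESH_CONNECTION = 123
SQL_REFRESH_NOW = -1
TOKEN_EXPIRED_SQLSTATE = "08006"

# Matches the Auth_AccessToken value, brace-quoted or bare; keywords are case-insensitive.
TOKEN_RE = re.compile(r"Auth_AccessToken=(\{[^}]*\}|[^;]*)", re.I)


class OdbcError(Exception):
    def __init__(self, sqlstate, message):
        super().__init__(f"[{sqlstate}] {message}")
        self.sqlstate = sqlstate


def with_new_token(conn_str, token):
    """Return conn_str with Auth_AccessToken replaced, or appended if absent.
    The value is brace-quoted so a token containing ';' cannot split the string."""
    if "}" in token:
        raise ValueError("token contains '}', which this helper does not escape")
    quoted = "{" + token + "}"
    if TOKEN_RE.search(conn_str):
        return TOKEN_RE.sub(lambda m: "Auth_AccessToken=" + quoted, conn_str)
    sep = "" if conn_str == "" or conn_str.endswith(";") else ";"
    return f"{conn_str}{sep}Auth_AccessToken={quoted}"


class SimulatedConnection:
    """Constructed stand-in: accepts tokens in valid_tokens, reports 08006 otherwise."""

    def __init__(self, conn_str, valid_tokens):
        self.conn_str = conn_str
        self._staged = None
        self._valid = set(valid_tokens)
        self.calls = []  # (attribute, value) pairs, kept for inspection

    def _token(self):
        m = TOKEN_RE.search(self.conn_str)
        return m.group(1).strip("{}") if m else None

    def get_connect_attr(self, attr):
        if attr == SQL_ATTR_CREDENTIALS:
            return self.conn_str  # the entire connection string, as documented
        raise OdbcError("HY092", "invalid attribute identifier")

    def set_connect_attr(self, attr, value):
        self.calls.append((attr, value))
        if attr == SQL_ATTR_CREDENTIALS:
            self._staged = value  # new connection string is staged ...
        elif attr == SQL_ATTR_REFRESH_CONNECTION and value == SQL_REFRESH_NOW:
            if self._staged is not None:
                self.conn_str = self._staged  # ... and applied on refresh
        else:
            raise OdbcError("HY092", "invalid attribute identifier")

    def execute(self, sql):
        if self._token() not in self._valid:
            raise OdbcError(TOKEN_EXPIRED_SQLSTATE, "access token expired")
        return f"ok: {sql}"


def execute_with_token_refresh(conn, sql, fetch_new_token):
    """Run sql; on SQLState 08006 install a freshly obtained token and retry once."""
    try:
        return conn.execute(sql)
    except OdbcError as err:
        if err.sqlstate != TOKEN_EXPIRED_SQLSTATE:
            raise
    current = conn.get_connect_attr(SQL_ATTR_CREDENTIALS)
    conn.set_connect_attr(SQL_ATTR_CREDENTIALS, with_new_token(current, fetch_new_token()))
    conn.set_connect_attr(SQL_ATTR_REFRESH_CONNECTION, SQL_REFRESH_NOW)
    return conn.execute(sql)  # the connection and its statements stay valid


def demo():
    # Constructed: the connection starts with an expired token; only new-token is accepted.
    conn = SimulatedConnection(
        "Driver={Example Driver};AuthMech=11;Auth_Flow=0;Auth_AccessToken={old-token}",
        valid_tokens=["new-token"])
    result = execute_with_token_refresh(conn, "SELECT 1", lambda: "new-token")
    return result, conn.calls
```

The retry is deliberately limited to one attempt: if the freshly obtained token is also rejected, the error is surfaced rather than looping against the token endpoint. Note that attribute 122 takes a string, so a binding must expose the string form of SQLSetConnectAttr; pyodbc's Connection.set_attr accepts only integer values, which is enough for attribute 123 but not for 122.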
Client Credentials
This authentication mechanism requires SSL to be enabled.
To configure OAuth 2.0 client credentials authentication:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 1.
- Set the Auth_Client_ID property to your client ID.
- Set the Auth_Client_Secret property to your client secret.
- Optionally, set the Auth_Scope property to your OAuth scope.
- When connecting to Microsoft Synapse, set the Auth_Tenant_ID property to your tenant ID.
To configure OAuth 2.0 JWT assertion client credentials authentication:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 1.
- Set the Auth_Client_ID property to your client ID.
- Set the Auth_Scope property to your OAuth scope.
- Set the Auth_KID property to your key identifier.
- Set the Auth_JWT_Key_File property to the canonical path to the private key .pem file that matches the public key on the authentication source.
- Optionally, set the Auth_JWT_Key_Passphrase property to the private key's password, if it is encrypted.
- Set EnableOIDCDiscovery to 1 and set OIDCDiscoveryEndpoint to the discovery endpoint.
Browser Based
This authentication mechanism requires SSL to be enabled.
To configure OAuth 2.0 browser based authentication:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 2.
- Set the TokenCachePassPhrase property to a password of your choice. This is the key used for refresh token encryption.
Note: When the browser based authentication flow completes, the access token and refresh token are saved in the token cache and the connector does not need to authenticate again. For more information, see Enable Token Cache.
Azure Managed Identity
This authentication mechanism requires SSL to be enabled.
To configure Azure Managed Identity authentication:
- Set the AuthMech property to 11.
- Set the Auth_Flow property to 3.
- Optionally, set the Auth_Client_ID property to your user-assigned managed identity.
- Optionally, set the Azure_workspace_resource_id property to your assigned Resource ID.
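The four flows above share one set of rules: AuthMech=11, an Auth_Flow of 0 to 3, the properties each flow requires, and SSL for every flow except token pass-through. The following added example (not the connector vendor's code) builds a connection string from those properties, rejects an incomplete or insecure configuration before it is handed to the driver, and masks secret-bearing values so the string can be logged safely. The property names come from the sections above; the SSL=1 key used to express "SSL must be enabled" is an assumption about the connector's property name, and the sample values are constructed.

```python
"""Build, validate and redact an OAuth 2.0 connection string for the connector.

Added example, not the connector vendor's code. Property names are taken from the
documentation; SSL=1 as the "SSL enabled" property is an assumption.
"""
import re

SSL_KEY = "SSL"  # assumed name of the property that enables SSL

FLOWS = {0: "token pass-through", 1: "client credentials",
         2: "browser based", 3: "Azure Managed Identity"}

# Per flow: properties that must be present, and whether SSL is mandatory.
REQUIRED = {
    0: (["Auth_AccessToken"], False),
    1: (["Auth_Client_ID"], True),
    2: (["TokenCachePassPhrase"], True),
    3: ([], True),
}

# Properties whose values must never reach a log file.
SECRET_KEYS = ("Auth_Client_Secret", "Auth_AccessToken",
               "TokenCachePassPhrase", "Auth_JWT_Key_Passphrase")


class ConfigError(ValueError):
    pass


def quote(value):
    """Brace-quote a value that contains connection-string delimiters."""
    value = str(value)
    if "}" in value:
        raise ConfigError("values containing '}' are not supported by this helper")
    return "{" + value + "}" if any(c in value for c in ";=") else value


def validate(props):
    """Return the Auth_Flow number, or raise ConfigError describing what is wrong."""
    p = {k.lower(): str(v) for k, v in props.items()}  # ODBC keywords are case-insensitive
    if p.get("authmech") != "11":
        raise ConfigError("OAuth 2.0 requires AuthMech=11")
    flow = p.get("auth_flow")
    if flow not in {"0", "1", "2", "3"}:
        raise ConfigError("Auth_Flow must be 0, 1, 2 or 3")
    flow = int(flow)
    required, needs_ssl = REQUIRED[flow]
    missing = [k for k in required if not p.get(k.lower())]
    if flow == 1 and not p.get("auth_client_secret"):
        # No client secret: the JWT assertion variant needs a key id, a private
        # key file and an explicit discovery endpoint with discovery enabled.
        missing += [k for k in ("Auth_KID", "Auth_JWT_Key_File", "OIDCDiscoveryEndpoint")
                    if not p.get(k.lower())]
        if p.get("enableoidcdiscovery", "1") != "1":
            missing.append("EnableOIDCDiscovery=1")
    if missing:
        raise ConfigError(f"{FLOWS[flow]} flow is missing: {', '.join(missing)}")
    if needs_ssl and p.get(SSL_KEY.lower()) != "1":
        raise ConfigError(f"{FLOWS[flow]} flow requires SSL to be enabled ({SSL_KEY}=1)")
    return flow


def build_connection_string(**props):
    """Validate the properties and join them as Key=Value pairs."""
    validate(props)
    return ";".join(f"{k}={quote(v)}" for k, v in props.items())


def redact_for_logging(conn_str):
    """Mask secret-bearing properties before a connection string is logged."""
    pattern = re.compile(r"(%s)=(\{[^}]*\}|[^;]*)" % "|".join(SECRET_KEYS), re.I)
    return pattern.sub(lambda m: f"{m.group(1)}=***", conn_str)


if __name__ == "__main__":
    # Constructed sample: client credentials with a secret that contains ';'.
    cs = build_connection_string(Driver="Example Driver", AuthMech=11, Auth_Flow=1,
                                 Auth_Client_ID="app-id", Auth_Client_Secret="s;3cret", SSL=1)
    print(redact_for_logging(cs))
```

The validation is intentionally strict about SSL for the flows the documentation marks as requiring it, because a client secret, a refresh-token cache passphrase or a managed-identity token exchange sent over a plaintext connection is exposed to anyone on the path. The redaction covers the same properties, since an unredacted connection string in a log is the most common way these values leak.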