Authentication

Any client using the Denodo GraphQL Service needs to authenticate itself with Denodo-valid credentials.

The authentication methods available are described below.

Basic

In HTTP Basic the Denodo user name and password are passed as unencrypted base64 encoded text with an Authorization HTTP request header.

Denodo GraphQL basic authentication example
<username>:<password> -> Authorization: Basic YWRtaW46YWRtaW4=

SPNEGO (Kerberos)

The HTTP SPNEGO authentication method can only be used when Kerberos authentication is enabled on the Virtual DataPort Server (see Kerberos Authentication).

Also, the client has to be configured to use SPNEGO and Kerberos. This article, (section Client Configuration), explains how to configure Internet Explorer and Mozilla Firefox to use the Kerberos-SPNEGO authentication. No special configuration is needed for Google Chrome.

When you connect from a browser to the Denodo GraphQL Service using SPNEGO and Kerberos, instead of having to enter your credentials, the browser will obtain a Kerberos ticket from the system and send it with the request. If the browser requests your credentials, it means that the browser is not correctly configured to use Kerberos authentication or that there was an authentication error.

Notice that for accessing the Denodo GraphQL Service, you have to use the Fully Qualified Domain Name of the Server Principal Name you configured in the Denodo Server. If the server hostname differs, SPNEGO authentication will fail. For example, if the server principal is HTTP/denodo-prod.subnet1.contoso.com@CONTOSO.COM, the client should use http://denodo-prod.subnet1.contoso.com:9090/denodo-graphql-service/graphql/<DBNAME>.

OAuth 2.0

To use OAuth2 as an authentication method, you need to enable OAuth authentication on the Denodo server. Section OAuth Authentication) explains how to do this.

Then, you need to obtain an access token. You can use the OAuth 2.0 credentials wizard in the Virtual DataPort Administration Tool to obtain it. The wizard can be accessed by clicking on OAuth 2.0 wizard on the menu Tools > OAuth credentials wizards of the Administration Tool.

OAuth 2.0 Credentials Wizard

OAuth 2.0 Credentials Wizard

Once you have the access token you have to pass it to the Denodo GraphQL Service with an Authorization request header:

Denodo GraphQL OAuth 2.0 authentication example
oauth_token -> Authorization: Bearer oauth_token