Authentication¶
Any client using the Denodo GraphQL Service needs to authenticate itself with Denodo-valid credentials.
The authentication methods available are described below.
Basic¶
In HTTP Basic the Denodo user name and password are passed as unencrypted
base64 encoded text with an Authorization
HTTP request header.
<username>:<password> -> Authorization: Basic YWRtaW46YWRtaW4=
SPNEGO (Kerberos)¶
The HTTP SPNEGO authentication method can only be used when Kerberos authentication is enabled on the Virtual DataPort Server (see Kerberos Authentication).
Also, the client has to be configured to use SPNEGO and Kerberos. This article, (section Client Configuration), explains how to configure Google Chrome and Mozilla Firefox to use the Kerberos-SPNEGO authentication. No special configuration is needed for Google Chrome.
When you connect from a browser to the Denodo GraphQL Service using SPNEGO and Kerberos, instead of having to enter your credentials, the browser will obtain a Kerberos ticket from the system and send it with the request. If the browser requests your credentials, it means that the browser is not correctly configured to use Kerberos authentication or that there was an authentication error.
Notice that for accessing the Denodo GraphQL Service, you have to use the
Fully Qualified Domain Name of the Server Principal Name you configured in the
Denodo Server. If the server hostname differs, SPNEGO authentication will fail.
For example, if the server principal is
HTTP/denodo-prod.subnet1.contoso.com@CONTOSO.COM
, the client should use
http://denodo-prod.subnet1.contoso.com:9090/denodo-graphql-service/graphql/<DBNAME>
.
OAuth 2.0¶
To use OAuth2 as an authentication method, you need to enable OAuth authentication on the Denodo server. Section OAuth Authentication) explains how to do this.
Then, you need to obtain an access token. You can use the OAuth 2.0 credentials wizard in the Virtual DataPort Administration Tool to obtain it. The wizard can be accessed by clicking on OAuth 2.0 wizard on the menu Tools > OAuth credentials wizards of the Administration Tool.
Once you have the access token you have to pass it to the Denodo GraphQL
Service with an Authorization
request header:
oauth_token -> Authorization: Bearer oauth_token