Connecting to Virtual DataPort Using OAuth Authentication
The Denodo JDBC driver supports the OAuth 2.0 protocol for authentication and authorization of users. OAuth is an open-standard protocol that allows client applications to access Denodo without sending the password of the user account.
Before using OAuth to connect to Virtual DataPort, you have to enable OAuth in Virtual DataPort. Otherwise, connections that use OAuth will fail.
Denodo provides three paths to connect to Denodo using OAuth. Depending on which one you choose, you have to add different parameters. You can indicate these parameters either as parameters of the connection URL or as driver properties.
Path #1: OAuth 2.0 Authentication providing access token
The client application obtains an OAuth access token and passes it to the Denodo JDBC driver. The driver then uses this token to connect to Virtual DataPort.
This path is meant for client applications that are able to obtain access tokens themselves. The client application can obtain the access token for itself or on behalf of the end user of the application.
For this method, add the following parameters to the connection URL or as driver properties:
| Property | Value |
|---|---|
| useOAuth2 | true |
| accessToken | The OAuth 2.0 access token |
Do not provide user or password.
Path #2: OAuth 2.0 by Resource Owner Password Credentials
If the client application cannot obtain OAuth tokens itself, the driver can obtain one on behalf of the application, provided that the Identity Provider of your organization supports the Resource Owner Password Credentials OAuth flow.
In this case, you configure the connection with information about the Identity Provider: the URL used to request tokens from the Identity Provider, the client id and client secret of the application you registered on the Identity Provider, etc.
When the client application opens a connection, the driver requests an OAuth token from the Identity Provider and uses that token to establish the connection.
For this method, add the following URL parameters to the connection URL:
| Property | Value |
|---|---|
| useOAuth2 | true |
| user | The username provided by the client to obtain an access token |
| password | The password corresponding to the user that will be authenticated |
| tokenEndpoint | URL exposed by the OAuth server to request the access token |
| clientId | Application’s Client ID. Usually, you obtain this when registering the client application in the Identity Provider. |
| clientSecret | Application’s Client secret |
| scope | String value of the different scopes requested |
| extraParams | Additional parameters that will be added to the body of the HTTP request the driver will send to obtain the OAuth tokens. The syntax of this parameter is: You have to indicate this as a driver property, not a parameter in the connection URL. |
| useIdToken | If Set this to Default value: |
| oauthSSLVerify | If Default value: |
Path #3: OAuth 2.0 by Client Credentials
Similarly to the previous path, if the Identity Provider of your organization supports the Client Credentials OAuth flow, you can configure the driver to obtain the token without identifying any user.
For this method, add the following URL parameters to the connection URL:
| Property | Value |
|---|---|
| useOAuth2 | true |
| tokenEndpoint | URL exposed by the OAuth server to request the access token |
| clientId | Application’s Client ID. Usually, you obtain this when registering the client application in the Identity Provider. |
| clientSecret | Application’s Client secret |
| scope | String value of the different scopes requested |
| extraParams | Additional parameters that will be added to the body of the HTTP request the driver will send to obtain the OAuth tokens. The syntax of this parameter is: You have to indicate this as a driver property, not a parameter in the connection URL. |
| useIdToken | If Set this to Default value: |
| oauthSSLVerify | If Default value: |
Do not provide user or password.
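As an added example (not code from the Denodo documentation), the following Java program builds the driver properties for Path #1 and Path #3 and opens the connection through DriverManager. It assumes the Denodo JDBC driver jar is on the classpath; the host, port, database name and environment variable names are placeholders. Passing the token and client secret as driver properties rather than in the connection URL keeps them out of any log that records the URL.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public final class DenodoOAuthConnect {
    // Placeholder host, port and database: replace with your Virtual DataPort server.
    static final String URL = "jdbc:vdb://vdp.example.internal:9999/admin";
    /** Path #1: the application already holds an OAuth access token. */
    static Properties withAccessToken(String accessToken) {
        Properties p = new Properties();
        p.setProperty("useOAuth2", "true");
        p.setProperty("accessToken", accessToken);
        return p; // no user or password, as the documentation requires
    }
    /** Path #3: Client Credentials; the driver requests the token from the IdP itself. */
    static Properties withClientCredentials(String tokenEndpoint, String clientId,
                                            String clientSecret, String scope) {
        Properties p = new Properties();
        p.setProperty("useOAuth2", "true");
        p.setProperty("tokenEndpoint", tokenEndpoint);
        p.setProperty("clientId", clientId);
        p.setProperty("clientSecret", clientSecret);
        p.setProperty("scope", scope);
        return p;
    }
    /** Neither path may carry a user/password; reject a mixed-up configuration early. */
    static void checkNoPassword(Properties p) {
        if (p.containsKey("user") || p.containsKey("password")) {
            throw new IllegalArgumentException("user/password must not be set on this OAuth connection");
        }
    }
    /** Reads a required value from the environment instead of hard-coding it in source. */
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException(name + " is not set");
        return v;
    }
    public static void main(String[] args) throws SQLException {
        // Placeholder variable names; use withAccessToken(env("VDP_ACCESS_TOKEN")) for Path #1.
        Properties props = withClientCredentials(env("IDP_TOKEN_ENDPOINT"),
            env("OAUTH_CLIENT_ID"), env("OAUTH_CLIENT_SECRET"), env("OAUTH_SCOPE"));
        checkNoPassword(props);
        try (Connection c = DriverManager.getConnection(URL, props)) {
            System.out.println("Connected to " + c.getMetaData().getDatabaseProductName());
        }
    }
}
```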
Path #4: OAuth 2.0 by Authorization Code grant or Multi factor Authentication (MFA)
If the Identity Provider of your organization requires Multi-factor Authentication with OAuth, the Authorization Code OAuth flow is the most suitable for this scenario, and you can configure the driver to obtain the token in this way.
For this method, add the following URL parameters to the connection URL:
| Property | Value |
|---|---|
| useOAuth2 | true |
| grantType | Indicates the expected flow to be used. The available values are: code (for Authorization Code), password (for Resource Owner Password Credentials), clients_credentials (for Client Credentials) and refresh_token (for Refresh Token). |
| tokenEndpoint | URL exposed by the OAuth server to request the access token |
| authorizationEndpoint | URL exposed by the OAuth server and used to request the authorization code |
| clientId | Application’s Client ID. Usually, you obtain this when registering the client application in the Identity Provider. |
| clientSecret | Application’s Client secret |
| scope | String value of the different scopes requested |
| refreshToken | Refresh token used to get a new access token if the provided one has expired. |
| extraParams | Additional parameters that will be added to the body of the HTTP request the driver will send to obtain the OAuth tokens. The syntax of this parameter is: You have to indicate this as a driver property, not a parameter in the connection URL. |
| useIdToken | If Set this to Default value: |
| oauthSSLVerify | If Default value: |
| state | If Default value: |
| oauthServiceTimeout | The timeout, in seconds, that the service responsible for obtaining an authorization code will wait for a response. It is the maximum time the service will remain idle while awaiting a reply during the authorization process. Default value: |
| oauthServiceMinPort | The lower bound of the port range to be used by the service responsible for obtaining an authorization code. Default value: |
| oauthServiceMaxPort | The upper bound of the port range to be used by the service responsible for obtaining an authorization code. Default value: |
| oauthCredentialsCacheFilePath | Path to a file where the tokens will be stored to avoid performing unnecessary requests to the identity provider. The stored tokens are encrypted. This parameter is optional. |
| usePKCE | If Default value: |
It is highly recommended to set a credentials cache file (oauthCredentialsCacheFilePath) to avoid opening unnecessary tabs in the web browser when the client application implements some kind of connection pool.
There is a second option for the MFA flow: the Refresh Token. If you already have a refresh token, you can set the ‘refreshToken’ property to a valid refresh token (and also fill in the other driver properties from the table). Also, if you have already used the Authorization Code grant flow and configured oauthCredentialsCacheFilePath, you can change the driver property ‘grantType’ to ‘refresh_token’; the driver then uses the stored information to get a new access token when the current one expires.
