Content

The main aim of this document is to demonstrate how to obtain the OAuth access token for accessing the resources on the Denodo Virtual DataPort server.

Obtaining the Access Token using the Virtual DataPort Administration Tool

Denodo supports the OAuth 2.0 protocol for authentication and authorization of users. OAuth is an authorization framework that allows third-party applications (in this case, Virtual DataPort), to access resources on a server on behalf of a resource owner. The main benefit is that you do not need to share your username and password with third-party applications in order to authorize them to access your data.

To obtain the access token, Denodo provides the OAuth Credentials Wizard option which is found under the Tools menu.

In this wizard, we have two options such as OAuth 1.0a and OAuth 2.0. You can choose the option based on the version of the protocol.

Here, we need to fill in the details required to obtain the access token from the Identity Provider. Note that any Identity Provider for OAuth Authentication can be used. As an example, we will use the Okta Identity Provider. For reference, see How To Configure Okta for Single Sign-On in Denodo Solution Manager for registering an OAuth Application in Okta, creating new users and groups. Note that the redirect URLs will differ so make sure to use the correct ones.

In the “Authentication Grant” drop down, there are three types of authorization grant: Authorization code grant, Resource owner password credentials grant, Client credentials grant. See OAuth Grant Types for details on each grant type.

Choose one from the list based on the grant types supported by your Identity Provider. In this example, we will set the Authorization grant as Authorization Code Grant.

In Client Identifier and Client Secret you can fill the OAuth Web Application’s Client ID and Secret from Okta.

Then, to get the other parameters such as Token endpoint URL, Authorization server URL and scopes, you can navigate to the Metadata URI information in Okta under “Security > API > Authorization Server > Select the Authorization server”.

The next step is to specify the Redirect URI. The default redirect URI is of the form

http://<host>:<port>/oauth/2.0/redirectURL.jsp.

Note: Make sure the Redirect URI is correctly registered in the Identity Provider as a valid one. In the Okta example described here the Redirect URI is configured during the application registration process adding the valid Redirect URI to the list of Sign-in Redirect URIs. Without this requirement, the process will not be successful as the Redirect URI used by the Denodo OAuth Wizard will not be authorized.

If TLS is enabled or the host name or port number are changed then you can specify the URL for your environment by clicking the radio button below.

Once the parameters are filled, click on the Generate the authorization url option to get the Authorization URL. In this URL, the service displays a page where you have to authorize Virtual DataPort to access your data.

You can see the Authorization URL generated in the Authorization URL text box using the provided details.

Click on the highlighted Open URL option to launch the Authorization URL in a browser. When doing so, the service will redirect the browser to the Redirect URI and it will add several parameters to it. Virtual DataPort will use the values of these parameters to send an HTTP request to the service. The response will contain the Access token.

Now we have obtained the response URL and we need to paste this in step 3, Paste the authorization response URL section.

In step 4, click on Obtain the OAuth 2.0 credentials. On doing so, you will see a message saying that the OAuth 2.0 credentials have been obtained.

Clicking on Copy the credentials to the clipboard and pasting it in any text editor, you can preview the Access token along with the other details of the service.

Note: You can also use third party API clients such as Postman to obtain the access token.

As an example, you can use this access token for accessing the GraphQL service of Virtual DataPort using OAuth Authentication. Note that to use OAuth2 as an authentication method, you need to enable OAuth authentication on the Denodo server.

To access GraphQL, we are using the GraphQL Playground client. The default GraphQL URL will look like

http://<host>:<port>/denodo-graphql-service/graphql/<database>

On launching GraphQL Playground, you can specify the GraphQL URL and then click on Open.

Once done, click on the HTTP headers section to provide the Access token for OAuth Authentication like below. Replace the oauth_token with the Access token obtained from the OAuth Credentials Wizard

{

"Authorization": "Bearer <oauth_token>"

}

Once the header is defined, you can specify the POST Body with the views and respective fields which you would like to display as part of the output. Finally, click on the run icon to get the desired results.

Similarly, you can use this OAuth Wizard for populating the Access Token to be used for accessing the Web Services of the Denodo Platform or also for accessing the Denodo Platform via JDBC or ODBC Drivers with OAuth Authentication.