Important: This document is only useful if you are using a Tableau version older than 2023.1. For Tableau versions 2023.1 or newer, you can take advantage of the OAuth support integrated in the latest Denodo JDBC connector. The process is described in the How to configure OAuth authentication in the Tableau Denodo JDBC connector article.

Overview

The Tableau connector SDK provides limited support for OAuth authentication, which makes it very difficult to develop a connector that could work with different identity providers and environments.

In this document we will provide guidelines to make the required changes in the Denodo connector for Tableau to support OAuth authentication with an identity provider.

Getting the connector code

The latest published connector can be downloaded from the Tableau Extension Gallery.

  • Select the ‘Denodo JDBC’ connector.
  • Click on the ‘Download’ button.

You will get a .taco file (a zip-like archive) containing the connector's source code.

  • Extract the connector's source code using any application that can unzip files.
  • The following files are included:
      • manifest.xml
      • connectionFields.xml
      • connectionMetadata.xml
      • connectionResolver.tdr
      • connectionBuilder.js
      • connectionProperties.js
      • dialect.tdd
      • resources-en_US.xml
      • resources-es_ES.xml

Change the connector to support OAuth authentication

  1. Apply the following patch in the source code folder: denodo_jdbc_oauth.patch
  2. Create a file called oauthConfig.xml with the following content. Modify the content to fit the configuration for the identity provider used:

<?xml version="1.0" encoding="utf-8"?>
<pluginOAuthConfig>
    <dbclass>denodo_jdbc</dbclass>

    <!-- Depends on the customer environment.
         In addition, clientIdDesktop, clientSecretDesktop and
         redirectUrisDesktop can be redefined when using Tableau Server -->

    <clientIdDesktop>[clientId]</clientIdDesktop>
    <clientSecretDesktop>[clientSecret]</clientSecretDesktop>
    <redirectUrisDesktop>http://localhost:55555/Callback</redirectUrisDesktop>
    <authUri>/oauth2/v2.0/authorize</authUri>
    <tokenUri>/oauth2/v2.0/token</tokenUri>
    <instanceUrlValidationRegex>^https://login.microsoftonline.com/(.*)</instanceUrlValidationRegex>
    <scopes>openid</scopes>
    <scopes>offline_access</scopes>
    <capabilities>
        <entry>
            <key>OAUTH_CAP_SUPPORTS_CUSTOM_DOMAIN</key>
            <value>true</value>
        </entry>
        <entry>
            <key>OAUTH_CAP_REQUIRE_PKCE</key>
            <value>true</value>
        </entry>
        <entry>
            <key>OAUTH_CAP_PKCE_REQUIRES_CODE_CHALLENGE_METHOD</key>
            <value>true</value>
        </entry>
        <entry>
            <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
            <value>true</value>
        </entry>
        <entry>
            <key>OAUTH_CAP_SUPPORTS_STATE</key>
            <value>true</value>
        </entry>
        <entry>
            <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
            <value>true</value>
        </entry>
    </capabilities>
    <accessTokenResponseMaps>
        <entry>
            <key>ACCESSTOKEN</key>
            <value>access_token</value>
        </entry>
        <entry>
            <key>REFRESHTOKEN</key>
            <value>refresh_token</value>
        </entry>
        <entry>
            <key>access-token-issue-time</key>
            <value>iat</value>
        </entry>
        <entry>
            <key>access-token-expires-in</key>
            <value>exp</value>
        </entry>
        <entry>
            <key>id-token</key>
            <value>id_token</value>
        </entry>
        <entry>
            <key>username</key>
            <value>sub</value> <!-- depends on the customer's IdP
                                   configuration, usually preferred_username -->
        </entry>
    </accessTokenResponseMaps>
</pluginOAuthConfig>

How to configure the oauthConfig.xml file

The parameters in this configuration file need to be adapted to the identity provider being used. In this section we explain the different parameters with a focus on Azure AD.

The values of these properties can be redefined in Tableau Server, but Tableau Desktop will use the ones defined in this file (see Config OAuth client on Tableau Server):

  • clientIdDesktop
  • clientSecretDesktop
  • redirectUrisDesktop

The authorization and token endpoints will be obtained by concatenating the value established in the OAuth instance URL field (in the connection dialog) and the values retrieved from the ‘authUri’ and ‘tokenUri’ properties in the oauthConfig.xml file.

The property instanceUrlValidationRegex can be used to validate the OAuth instance URL provided by the user (this parameter is optional and can be omitted).

The property scopes can be included several times to define the scopes that will be included in the OAuth request.

  • It is recommended to include ‘openid’ and ‘offline_access’ for Azure AD.

The capabilities section of the file defines how the connector retrieves the access token, the refresh token and the user name (see OAuth config file for more details).

  • The OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN capability should be set to true in order to retrieve the user name from the id token instead of sending a request to the userInfo endpoint.

The accessTokenResponseMaps section defines:

  • Which attributes of the OAuth response contain the access token, refresh token and id token.
  • Which attributes of the access token contain the time when the token was issued and its expiration date.
  • Which attribute of the id token contains the user name.
      • This is important because Tableau uses this value as the key under which it stores all the retrieved information for this specific user.

Authentication flow

Any connector developed with the Tableau SDK uses the same OAuth authentication flow, which follows this path:

  • [Optional] The connector validates the OAuth instance URL with the regular expression defined in the ‘instanceUrlValidationRegex’ property, if one was defined.
  • The authorization and token endpoints are calculated from the value provided in the OAuth instance URL field and the values defined in the ‘authUri’ and ‘tokenUri’ properties.
      • If the OAUTH_CAP_SUPPORTS_CUSTOM_DOMAIN capability is set to false, the property values are used as-is, without concatenating the value provided by the user.
  • To build both requests (authorize and token), the connector uses the information defined in the following properties:
      • clientIdDesktop
      • clientSecretDesktop
      • redirectUrisDesktop
      • scopes
      • capabilities.OAUTH_CAP_REQUIRE_PKCE
      • capabilities.OAUTH_CAP_PKCE_REQUIRES_CODE_CHALLENGE_METHOD
      • capabilities.OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL
      • capabilities.OAUTH_CAP_SUPPORTS_STATE
  • Once the OAuth response is retrieved, the connector must obtain the username.
      • If the OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN capability is true, the username is retrieved from the id token.
      • Otherwise, a new request is sent to the user info endpoint and the username is retrieved from the response. The value of the ‘userInfoUri’ property (optional, and not defined in this example) is used for this request.
      • In both cases, the attribute named in accessTokenResponseMaps.username is the one that should contain the user name (in the id_token or in the userInfo response).

Package the connector

To sign and package the connector you can follow the instructions provided on the Tableau connector SDK documentation page: Package and Sign Your Connector for Distribution.

Install the connector

For more information see: Run Your Connector (tableau.github.io)

Place the .taco file in the following locations:

Tableau Desktop:

C:\Users\Administrator\Documents\My Tableau Repository\Connectors

Tableau Server:

C:\ProgramData\Tableau\Tableau Server\data\tabsvc\vizqlserver\Connectors

The packaged file must be signed; if you use an unsigned one, you have to configure Tableau to skip the signature check.

Tableau Desktop:

Tableau.exe -DDisableVerifyConnectorPluginSignature=true


Tableau Server:

tsm configuration set -k native_api.disable_verify_connector_plugin_signature -v true --forcekeys

tsm pending-changes apply

Create a folder called "denodo_jdbc" under C:\Program Files\Tableau\Drivers (that is, C:\Program Files\Tableau\Drivers\denodo_jdbc) and place there the Denodo JDBC driver and the libraries jna.jar and jna-platform.jar, which can be found under <DENODO_HOME>\lib\contrib.

Test the connector

OAuth authentication test

To test the OAuth authentication with the new connector:

  • Open the Denodo data source connection dialog.
  • Select ‘OAuth authentication’ in the ‘Authentication’ field.
  • Set ‘OAuth instance url’ to the identity provider instance URL.
  • Click on the ‘Sign in’ button.

Disclaimer
The information provided in the Denodo Knowledge Base is intended to assist our users in advanced uses of Denodo. Please note that the results from the application of processes and configurations detailed in these documents may vary depending on your specific environment. Use them at your own discretion.
For an official guide of supported features, please refer to the User Manuals. For questions on critical systems or complex environments we recommend you to contact your Denodo Customer Success Manager.
