OAuth 2.0 token pass-through

The OAuth 2.0 token pass-through feature guarantees that Starburst Enterprise platform (SEP) uses the same token as a user accessing a data source directly. You authenticate to SEP using OAuth 2.0, and SEP passes the received token through the connector to the underlying data source.

Configuration

Enable the OAuth 2.0 token pass-through with the following configuration in Config properties:

http-server.authentication.type=DELEGATED_OAUTH2

This method otherwise has the same configuration properties and works exactly the same as the OAuth 2.0 authentication method.

The only difference is that the server passes the access token received with a query to supported connectors in the connector session. As a result, compatible connectors can use the same token to authenticate with downstream data sources.

For all other supported configuration properties, see OAuth2. For connector-specific property changes, see the links in the next section.

Connector support

The following connectors support the OAuth 2.0 token pass-through method:

A user authenticated with an OAuth 2.0 compatible server is able to query SEP, and SEP accesses the data in the data source using that user's token, so the access is authenticated as the user.

As with standard OAuth 2.0 authentication support, the data source itself must be configured to support an external OAuth 2.0 server. Consult vendor documentation for assistance with this task, such as this section of Snowflake documentation.

Limitations

This authentication method reuses the same token that was submitted with the query, and no token refresh mechanism is supported. Therefore, each access token's remaining lifetime must be longer than the expected execution time of the query.
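
A client-side pre-flight check for this limitation, as an added example that is not part of the Starburst documentation: it compares a token's remaining lifetime with the expected query runtime before the query is submitted. It assumes the access token is a JWT carrying an `exp` claim; the function names, the 60-second margin, and the sample token are hypothetical and constructed for illustration.

```python
import base64
import json
import time


def remaining_lifetime(access_token, now=None):
    """Return seconds until the token's `exp` claim, or None if unknown.

    Reads the JWT payload without verifying the signature: this is a
    client-side pre-flight check, not an authentication decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        return None  # opaque (non-JWT) access token: lifetime not readable
    payload_b64 = parts[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        return None
    return exp - (time.time() if now is None else now)


def token_outlives_query(access_token, expected_query_seconds, margin_seconds=60, now=None):
    """True only if the token is known to stay valid for the whole query."""
    left = remaining_lifetime(access_token, now)
    if left is None:
        return False  # unknown lifetime: treat as unsafe for long queries
    return left >= expected_query_seconds + margin_seconds


def make_sample_token(exp):
    """Build an unsigned, constructed JWT-shaped token for the demo."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64({"sub": "alice", "exp": exp}), "sig"])


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    token = make_sample_token(exp=now + 900)  # 15 minutes left
    print(token_outlives_query(token, 600, now=now))   # 10-minute query
    print(token_outlives_query(token, 1800, now=now))  # 30-minute query
```

When the check fails, obtain a fresh token from the identity provider before submitting the query, since the token cannot be refreshed once the query is running.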