OAuth 2.0 identity providers

Starburst Enterprise platform (SEP) includes support for OAuth 2.0 authentication. The following sections provide information about configuring and using the supported identity providers.

OpenID Connect metadata

OpenID Connect providers publish their metadata at a well-known URL, typically https://authorization-server.com/.well-known/openid-configuration. Fetch this document over HTTPS from the issuer you intend to trust and use the returned values to configure OAuth 2.0 authentication; the issuer field of the document must be identical to the URL you fetched it from (minus the /.well-known/openid-configuration suffix), otherwise you are configuring SEP against a different issuer than you think. Map the metadata fields to the SEP configuration properties as follows:

OAuth2 configuration properties

OpenID Connect metadata field   SEP configuration property
authorization_endpoint          http-server.authentication.oauth2.auth-url
token_endpoint                  http-server.authentication.oauth2.token-url
jwks_uri                        http-server.authentication.oauth2.jwks-url
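The mapping above, as an added example that is not code from the Starburst documentation or product: a Python script that takes a discovery document, checks that its issuer matches the URL it was fetched from and that every endpoint is HTTPS, and emits the corresponding lines for the coordinator's config.properties. The discovery document, its URL, the client ID and the secret are constructed placeholders (shaped like a Keycloak realm's document); the issuer and userinfo_endpoint mappings go beyond the three-row table and follow the provider tables later on this page.

```python
"""Turn an OpenID Connect discovery document into SEP OAuth 2.0 properties.

Added example, not code from the Starburst documentation or product.  The
discovery document is constructed inline (shaped like a Keycloak realm's
document) so the script runs offline; in practice you would fetch it from
<issuer>/.well-known/openid-configuration over HTTPS.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
PREFIX = "http-server.authentication.oauth2."

# Discovery field -> SEP property.  The first three rows are the table from
# the text; issuer and userinfo_endpoint are added here because the provider
# sections use those properties too (userinfo-url only matters for providers
# that issue opaque access tokens, such as Google).
FIELD_TO_PROPERTY = {
    "authorization_endpoint": PREFIX + "auth-url",
    "token_endpoint": PREFIX + "token-url",
    "jwks_uri": PREFIX + "jwks-url",
    "issuer": PREFIX + "issuer",
    "userinfo_endpoint": PREFIX + "userinfo-url",
}
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: what a Keycloak realm named "kingdom" would publish at
# https://example.com/auth/realms/kingdom/.well-known/openid-configuration.
SAMPLE_DISCOVERY_URL = "https://example.com/auth/realms/kingdom" + WELL_KNOWN
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.com/auth/realms/kingdom",
    "authorization_endpoint": "https://example.com/auth/realms/kingdom/protocol/openid-connect/auth",
    "token_endpoint": "https://example.com/auth/realms/kingdom/protocol/openid-connect/token",
    "userinfo_endpoint": "https://example.com/auth/realms/kingdom/protocol/openid-connect/userinfo",
    "jwks_uri": "https://example.com/auth/realms/kingdom/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "email", "profile"],
})


def check_discovery(discovery: dict, fetched_from: str) -> None:
    """Reject a discovery document that SEP should not be configured from.

    OpenID Connect Discovery requires the `issuer` value to be identical to the
    URL prefix the document was fetched from.  A mismatch means you are talking
    to a different issuer than you think (misrouted proxy, URL copied from the
    wrong tenant), and the tokens SEP later receives would carry an unexpected
    `iss`.  Every endpoint must also be https, since the client secret and the
    authorization code are sent to them.
    """
    if not fetched_from.endswith(WELL_KNOWN):
        raise ValueError(f"not a discovery URL: {fetched_from}")
    expected_issuer = fetched_from[: -len(WELL_KNOWN)]
    if discovery.get("issuer") != expected_issuer:
        raise ValueError(
            f"issuer {discovery.get('issuer')!r} does not match {expected_issuer!r}")
    for field in REQUIRED_FIELDS:
        url = discovery.get(field)
        if not url:
            raise ValueError(f"discovery document lacks {field}")
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} is not https: {url}")


def to_sep_properties(discovery: dict, client_id: str, client_secret: str,
                      scopes=("openid",), additional_audiences=()) -> dict:
    """Map the discovery document plus client credentials to SEP properties."""
    props = {FIELD_TO_PROPERTY[f]: discovery[f]
             for f in FIELD_TO_PROPERTY if f in discovery}
    props[PREFIX + "client-id"] = client_id
    props[PREFIX + "client-secret"] = client_secret
    props[PREFIX + "scopes"] = ",".join(scopes)
    if additional_audiences:
        props[PREFIX + "additional-audiences"] = ",".join(additional_audiences)
    return props


def render_properties(props: dict) -> str:
    """Render the properties as lines for the coordinator's config.properties."""
    return "\n".join(f"{k}={v}" for k, v in sorted(props.items())) + "\n"


def build_config(discovery_json: str, fetched_from: str, client_id: str,
                 client_secret: str, **kwargs) -> dict:
    """Parse, check and map a discovery document in one step."""
    discovery = json.loads(discovery_json)
    check_discovery(discovery, fetched_from)
    return to_sep_properties(discovery, client_id, client_secret, **kwargs)


if __name__ == "__main__":
    # Client ID and secret are placeholders; paste the real ones from the IdP.
    cfg = build_config(SAMPLE_DISCOVERY, SAMPLE_DISCOVERY_URL,
                       "sep-client", "<client secret>")
    print(render_properties(cfg), end="")
```

Pass the Okta Audience value or AD FS's urn:microsoft:userinfo through additional_audiences, and the Azure AD custom scope through scopes, to produce the provider-specific variants described in the following sections.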

Supported Identity Providers

The following sections detail the necessary configuration steps in the identity provider’s user interface and in SEP configuration.

Okta

Create an Okta app

You can skip this step if you’re going to use an existing app integration.

Configure the client

Copy the client ID and client secret of the app integration to http-server.authentication.oauth2.client-id and http-server.authentication.oauth2.client-secret.

Find the configuration URLs in Okta under Security > API > Authorization Servers. Choose the authorization server for your application, open its Metadata URI, and use the returned document to configure the OpenID Connect metadata.

Also copy the value of the authorization server's Audience field to http-server.authentication.oauth2.additional-audiences. Okta sets the aud claim of the access tokens it issues to this value rather than to the client ID, so SEP must be told to accept it.

Azure Active Directory

Create an Azure AD app integration

You can skip this step if you use an existing app registration.

  • Go to Microsoft Azure Portal > Azure Active Directory > App registrations > New registration.

  • Enter a name and choose Accounts in this organizational directory only (<your organization> only - Single tenant) from Supported account types.

  • For Redirect URI use Web and the OAuth 2.0 authentication callback URL https://<trino-coordinator-domain-name>/oauth2/callback.

  • Click Register.

Configure the client

  • Go to Certificates & secrets and select New client secret.

  • Enter description and set an expiration period.

  • Copy the value of the secret to http-server.authentication.oauth2.client-secret.

  • By default Microsoft only adds the API for Microsoft Graph to the app registration. Consider adding other services, for example Azure Data Lake Storage with the user_impersonation permission. Additionally, you must expose an API for SEP:

    • Go to Expose an API and click Set next to Application ID URI.

    • The Application ID URI must be unique within your organization, for example https://organization.com/d858d980d-71d5-4e86-8da8-5ea4cab5a8e1. Set it to match the URL of your SEP cluster.

    • Select Add a scope in the Scopes defined by this API section.

    • Fill in a name, display name, and description. Choose Admins and users from Who can consent?.

    • Click Add a client application in Authorized client applications.

    • Use the client ID and select the scope created in the previous step.

    • In http-server.authentication.oauth2.scopes include openid together with the scope you just defined, for example https://organization.com/d858d980d-71d5-4e86-8da8-5ea4cab5a8e1/scopename. The resulting property looks like http-server.authentication.oauth2.scopes=https://organization.com/d858d980d-71d5-4e86-8da8-5ea4cab5a8e1/scopename,openid. Requesting your own scope makes Azure AD issue an access token intended for your API (its audience is the Application ID URI) rather than for Microsoft Graph, which is what SEP needs in order to validate it.

    • For more details, see Microsoft's Configure an application to expose a web API.

  • Copy the value from Application (client) ID to http-server.authentication.oauth2.client-id.

  • Go to Overview > Endpoints, visit the URL under OpenID Connect metadata document, and use the content to configure the OpenID Connect metadata.

Active Directory Federation Services

Create an AD FS Application Group

You can skip this step if you are going to use an existing application group.

  • Open AD FS Management.

  • Choose Application Groups and Add Application Group.

  • Specify a name and use the Server application template.

  • Use the OAuth 2.0 authentication callback URL https://<trino-coordinator-domain-name>/oauth2/callback for Redirect URI.

  • Copy the value of the client ID to the http-server.authentication.oauth2.client-id property.

  • On the Configure Application Credentials step, use Generate a shared secret, and copy the generated secret to the http-server.authentication.oauth2.client-secret property.

Configure the client

In order to find the configuration URLs, go to Service > Endpoints, and use the URL under OpenID Connect Discovery to configure the OpenID Connect metadata.

In addition, set the following properties. AD FS sets the aud claim of access tokens requested with only the openid scope to urn:microsoft:userinfo rather than to your client ID, so that value must be listed as an additional audience or SEP rejects every token:

http-server.authentication.oauth2.additional-audiences=urn:microsoft:userinfo
http-server.authentication.oauth2.scopes=openid
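Both the Okta Audience setting and the AD FS urn:microsoft:userinfo audience above exist because the access token's aud claim is not the client ID. The following Python script, an added example that is not Starburst code, decodes a token's payload and reports why SEP would reject it against a given set of properties (issuer mismatch, audience not in client-id plus additional-audiences, expiry). It deliberately does not verify the signature; SEP does that with the keys from jwks-url, and this script is only for debugging audience and issuer rejections. The AD FS settings, client ID, issuer and tokens are all constructed for the demo, with a dummy signature segment.

```python
"""Check an access token's iss/aud claims against SEP OAuth 2.0 settings.

Added example, not Starburst code.  It decodes the JWT payload to inspect
claims and does NOT verify the signature; SEP verifies signatures with the
keys from http-server.authentication.oauth2.jwks-url, so use this only to
debug audience/issuer rejections.  The tokens below are constructed for the
demo with a dummy signature segment.
"""
import base64
import json
import time

PREFIX = "http-server.authentication.oauth2."

# Constructed SEP settings for an AD FS deployment (see the text above).
ADFS_CONFIG = {
    PREFIX + "issuer": "https://adfs.example.com/adfs",
    PREFIX + "client-id": "3f8b0c6e-aaaa-bbbb-cccc-1234567890ab",
    PREFIX + "additional-audiences": "urn:microsoft:userinfo",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def accepted_audiences(config: dict) -> set:
    """Audiences SEP accepts: its own client ID plus additional-audiences."""
    extra = config.get(PREFIX + "additional-audiences", "")
    return {config[PREFIX + "client-id"]} | {a.strip() for a in extra.split(",") if a.strip()}


def check_token(token: str, config: dict, now: float = None) -> list:
    """Return the reasons SEP would reject the token (empty list = accepted)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != config[PREFIX + "issuer"]:
        problems.append(f"issuer {claims.get('iss')!r} != configured issuer")
    # RFC 7519: aud is either a single string or an array of strings.
    aud = claims.get("aud", [])
    audiences = {aud} if isinstance(aud, str) else set(aud)
    if not audiences & accepted_audiences(config):
        problems.append(f"none of audiences {sorted(audiences)} is accepted")
    if "exp" not in claims:
        problems.append("no exp claim")
    elif claims["exp"] <= now:
        problems.append("token expired")
    return problems


def make_demo_token(claims: dict) -> str:
    """Build a token with a dummy signature segment, for the demo only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


NOW = 1_700_000_000  # fixed clock so the results are reproducible
GOOD_TOKEN = make_demo_token({
    "iss": "https://adfs.example.com/adfs",
    "aud": "urn:microsoft:userinfo",
    "sub": "alice@example.com",
    "exp": NOW + 3600,
})
# Same user and issuer, but the token was minted for a different audience.
WRONG_AUD_TOKEN = make_demo_token({
    "iss": "https://adfs.example.com/adfs",
    "aud": "https://other-app.example.com",
    "sub": "alice@example.com",
    "exp": NOW + 3600,
})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("wrong-aud", WRONG_AUD_TOKEN)]:
        print(name, check_token(tok, ADFS_CONFIG, now=NOW) or "accepted")
```

To use it against a real token, paste the access token the IdP returned and your coordinator's properties into the config dict; if the only reported problem is the audience, the fix is to add that aud value to http-server.authentication.oauth2.additional-audiences, as the Okta and AD FS sections describe.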

Keycloak

For Keycloak you operate within a realm, and SEP is defined as a client of that realm with a dedicated ID and secret. Assuming your realm is named kingdom and Keycloak runs on https://example.com, your {base} below is https://example.com/auth/realms/kingdom. Keycloak 17 and later (the Quarkus-based distribution) serve realms without the /auth prefix by default, in which case the base is https://example.com/realms/kingdom; use whichever form {base}/.well-known/openid-configuration actually resolves to on your server.

Keycloak configuration properties

Property                                          Value
http-server.authentication.oauth2.issuer          {base}
http-server.authentication.oauth2.auth-url        {base}/protocol/openid-connect/auth
http-server.authentication.oauth2.token-url       {base}/protocol/openid-connect/token
http-server.authentication.oauth2.jwks-url        {base}/protocol/openid-connect/certs
http-server.authentication.oauth2.client-id       Client ID from Keycloak
http-server.authentication.oauth2.client-secret   Client secret from Keycloak
http-server.authentication.oauth2.scopes          openid

Google OAuth

Defining a client

  • In Google Cloud Platform open APIs & Services > Credentials.

  • Select + CREATE CREDENTIALS and choose OAuth client ID.

  • Choose Web application, provide a meaningful name, and define Authorized redirect URIs pointing to SEP's callback URL https://<trino-coordinator-domain-name>/oauth2/callback.

  • Use the displayed Client ID and Client Secret as the http-server.authentication.oauth2.client-id and http-server.authentication.oauth2.client-secret properties.

Further configuration

The following values are taken from https://accounts.google.com/.well-known/openid-configuration:

Google configuration properties

Property                                            Value
http-server.authentication.oauth2.issuer            https://accounts.google.com
http-server.authentication.oauth2.auth-url          https://accounts.google.com/o/oauth2/v2/auth
http-server.authentication.oauth2.token-url         https://oauth2.googleapis.com/token
http-server.authentication.oauth2.userinfo-url      https://openidconnect.googleapis.com/v1/userinfo
http-server.authentication.oauth2.jwks-url          https://www.googleapis.com/oauth2/v3/certs
http-server.authentication.oauth2.principal-field   email
http-server.authentication.oauth2.scopes            openid,https://www.googleapis.com/auth/userinfo.email

Google issues opaque access tokens rather than JWTs, so SEP cannot validate them against the keys at jwks-url. The http-server.authentication.oauth2.userinfo-url property is therefore required: SEP validates the token by presenting it to the userinfo endpoint and reads the principal from the response, using the claim named by http-server.authentication.oauth2.principal-field (email above).

For more information, see Google's documentation about Using OAuth 2.0 to Access Google APIs and OpenID Connect.