OAuth 2.0 token pass-through

The OAuth 2.0 token pass-through feature guarantees that Starburst Enterprise platform (SEP) uses the same token as a user accessing a data source directly. This allows you to authenticate to SEP using OAuth 2.0, and the received token is passed through SEP and the connector to the underlying data source.


A user authenticated with an OAuth 2.0 compatible server can query SEP, and SEP accesses the data in the data source with that same token, authenticated as the user.


The user impersonation feature is only supported in select connectors. Reference the connectors feature matrix for more information about which connectors support this feature.

As with standard OAuth 2.0 authentication support, the data source itself must be configured to support an external OAuth 2.0 server. Consult vendor documentation for assistance with this task, such as this section of Snowflake documentation.


Enable OAuth 2.0 token pass-through in SEP with the following required configuration properties in the config.properties file on the coordinator:


This method otherwise has the same configuration properties and works exactly the same as the OAuth 2.0 authentication method.

The only difference is that the server passes the access token received with a query to other supported connectors in the connector session. As a result, compatible connectors can use the same token to authenticate with downstream data sources.

For all other supported configuration properties, see OAuth2. For connector-specific property changes, see the links in the next section.


Each access token’s remaining lifetime must be longer than the expected execution time of the query. This authentication method re-uses the same token that was submitted with the query, and no token refresh mechanism is supported.
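A client-side pre-flight check for the lifetime requirement above, as an added example that is not part of the Starburst documentation. It assumes the access token is a JWT with a numeric `exp` claim (OAuth 2.0 access tokens may also be opaque); the function names and the 60-second margin are hypothetical, and the signature is deliberately not verified because the check only reads the expiry.

```python
import base64
import json
import time
from typing import Optional


class TokenLifetimeError(ValueError):
    """Raised when the token cannot be shown to outlive the planned query."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def remaining_lifetime(access_token: str, now: Optional[float] = None) -> float:
    """Seconds until the JWT's exp claim. The signature is NOT verified here."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise TokenLifetimeError("opaque (non-JWT) token: lifetime cannot be read locally")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all derive from it
        raise TokenLifetimeError("JWT payload is not valid base64url JSON") from exc
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise TokenLifetimeError("token has no numeric exp claim")
    return exp - (time.time() if now is None else now)


def check_token_outlives_query(access_token: str, expected_query_seconds: float,
                               margin_seconds: float = 60,
                               now: Optional[float] = None) -> float:
    """Return the remaining seconds, or raise if the token would expire mid-query."""
    left = remaining_lifetime(access_token, now)
    needed = expected_query_seconds + margin_seconds  # margin is an assumed buffer
    if left < needed:
        raise TokenLifetimeError(
            f"token expires in {left:.0f}s but the query needs about {needed:.0f}s; "
            "obtain a fresh token before submitting, since it is not refreshed")
    return left


def make_sample_jwt(exp: int) -> str:
    """Constructed, unsigned sample token used only to exercise the check."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': 'alice', 'exp': exp})}.sig"
```

Run the check immediately before submitting a long-running query, and request a new token from the OAuth 2.0 server when it raises.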