Configure OAuth for a Denodo connection

ThoughtSpot supports OAuth for a Denodo connection.

To configure OAuth for Denodo, you create an app in the Identity Provider and use the app’s credentials to register it in Denodo as an external token provider. Once these steps are completed, Denodo will allow connections coming in with the JWT issued by the IdP.

Each ThoughtSpot instance requires a unique Denodo security integration. Each user in Denodo must have a default warehouse and default role.

Part 1: Configuring the IdP with Okta

The following steps detail the configuration of IdP with Okta as an example. You can set up any other OpenID Connect (OIDC)-based IdP providers following a similar process. For details, refer to the respective documentation for those.

To configure the IdP with Okta, do the following:

  1. Sign in to the Okta console with a user having administrator privileges. Navigate to the Applications page in the console and select Create App Integration.

    Click Create App Integration
  2. For sign-in method, choose OIDC - OpenID Connect.

  3. For application type, choose Web Application

  4. Select Next.

  5. Under Grant type, make sure Authorization Code and Refresh Token are selected.

    Select Authorization Code and Refresh Token
  6. For Sign-in redirect URIs, add the ThoughtSpot redirect URI for the application.

    It should follow this format:

    https://<your-thoughtspot-instance-host>/callosum/v1/connection/generateTokens

    Add the ThoughtSpot redirect URI
    If your IdP supports rotation of refresh tokens with every usage, please ensure that this option is NOT chosen. ThoughtSpot does not support one-time use refresh tokens.
  7. Assign the application to everyone in the organization or to specific groups. This step may vary for other IdPs.

    Assign the application to everyone or specific groups
  8. Collect the client credentials from the application home page and make a note of them. These will be required later for adding the external token provider in Denodo.

    Make a note of the client credentials
  9. Go to Security  API, and make a note of the value for Audience. This is required in a later step for configuring the OpenID well-known URI for the authorization server.

    Make a note of the value for Audience

    For Okta, it should follow this format:

    https://<organization>.okta..com/oauth2/<unique_id>/.well-known/oauth-authorization-server

  10. Open the URL in a browser and make a note of the values for the following parameters:

    • Issuer

    • Authorization endpoint

    • JWKS URI

    • Token endpoint

Part 2: Adding external token provider in Denodo

To add an external token provider in Denodo, do the following:

  1. Sign in to the Denodo administrator tool and select the Administration tab.

  2. Select Server Authentication from the menu.

  3. Select OAuth and fill in the details from your IdP.

    Add IdP details

    For User Claim Mapping, use the value of the claim in the JWT issued by the IdP that contains the value of the username in Denodo.

    Example token generated by Okta:

    Example Okta token

Part 3: JDBC Connection URL

Connection string for JDBC should include the token string for password parameter with username left empty.

Example connection string:

jdbc:vdb://<host>:<port>/<database>?publishCatalogsAsSchemas=true&useOAuth2=true

Logging in to a connection created by another user using OAuth

As an admin user, you may run into an issue logging in to connections created using OAuth. To resolve this issue, complete the following steps:

  1. Search on a table belonging to the connection you are trying to edit. The following error appears:

    Error reading “Error in loading data. Connection to Snowflake could not be established. OAuth login required. Login”

  2. Click Login. You will be directed to the IDP login page.

  3. Enter your login credentials.

  4. You will now have access to edit the connection.