Configure OAuth for a Dremio connection
ThoughtSpot supports OAuth for a connection to Dremio Cloud.
OAuth cannot be used to connect to Dremio Software.
To configure OAuth for Dremio, you create an app in the identity provider (IdP) and use the app’s credentials to register it in Dremio as an external token provider. Once these steps are completed, Dremio will allow connections coming in with the JWT issued by the IdP.
For OAuth, we recommend checking the Dremio documentation to confirm which IdPs are supported and their details. This article documents only the most frequently set-up IdP.
Part 1: Configuring the IdP with Okta
The following steps detail the configuration of the IdP with Okta as an example. You can set up any other OpenID Connect (OIDC)-based IdP by following a similar process. For details, refer to that IdP's documentation.
To configure the IdP with Okta, do the following:
- Log in to the Okta console with a user having administrator privileges. Navigate to the Applications page in the console and click Create App Integration.
- For sign-in method, choose OIDC - OpenID Connect.
- For application type, choose Web Application.
- Click Next.
- Under Grant type, make sure Authorization Code is selected.
- For Sign-in redirect URIs, add the ThoughtSpot redirect URI for the application.
  It should follow this format:
  https://<your-thoughtspot-instance-host>/callosum/v1/connection/generateTokens
- Assign the application to everyone in the organization or to specific groups. This step may vary for other IdPs.
- Collect the client credentials from the application home page and make a note of them. These will be required later when adding a Dremio connection in ThoughtSpot.
- Go to , and make a note of the value for Audience. This is required in a later step for configuring the OpenID well-known URI for the authorization server. For Okta, it should follow this format:
  https://<organization>.okta.com/oauth2/<unique_id>/.well-known/oauth-authorization-server
- Open the URL in a browser and make a note of the values for the following parameters:
  - Issuer
  - Authorization endpoint
  - JWKS URI
  - Token endpoint
Part 2: Adding external token provider in Dremio
To add an external token provider in Dremio, do the following:
- Log in to the Dremio cloud console and navigate to Organization Settings.
- From the menu, click External Token Providers.
- Click Add Provider and fill in the details of your IdP.
  For User Claim Mapping, use the value of the claim in the JWT issued by the IdP that contains the value of the username in Dremio.
Example token generated by Okta:
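A pre-flight check for the values noted in Part 1 and the User Claim Mapping chosen in Part 2, as an added example that is not part of the original documentation or of Okta, Dremio, or ThoughtSpot code. The metadata document, token claims, host, audience, and function names are all constructed for illustration, and the token here is not the Okta-issued token the page refers to.

```python
import base64
import json
import time

# Constructed sample shaped like the JSON served at the well-known URL.
# Host, id, and endpoint paths are placeholders, not values from a real tenant.
BASE = "https://example.okta.com/oauth2/constructed-id"
SAMPLE_METADATA = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/v1/authorize",
    "token_endpoint": BASE + "/v1/token",
    "jwks_uri": BASE + "/v1/keys",
}

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build an unsigned, constructed compact JWT so the example runs offline."""
    return ".".join([_b64url({"alg": "RS256", "kid": "constructed"}), _b64url(claims), "sig"])

def decode_claims(token):
    """Decode the payload for inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(metadata, token, audience, user_claim, now=None):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(metadata.get(key, "")).startswith("https://"):
            problems.append(f"metadata {key} missing or not https")
    claims = decode_claims(token)
    if claims.get("iss") != metadata.get("issuer"):
        problems.append("token iss does not match metadata issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token aud does not match configured Audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token is expired")
    if not isinstance(claims.get(user_claim), str) or not claims[user_claim]:
        problems.append(f"claim '{user_claim}' absent or empty, no Dremio username")
    return problems

if __name__ == "__main__":
    tok = make_sample_token({"iss": BASE, "aud": "api://constructed", "sub": "analyst@example.com", "exp": int(time.time()) + 300})
    print(preflight(SAMPLE_METADATA, tok, "api://constructed", "sub"))
```

An empty list means the issuer, audience, and mapped claim agree with each other; it says nothing about the signature, which is checked against the keys at the JWKS URI.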