We use Keycloak as our authentication platform and would like to use OAuth2 to run Trino queries from other automated processes where there is no authenticated user session.
Trino uses the Authorization Code flow which exchanges an Authorization Code for a token.
This is typically handled using the client credentials flow, but it seems that this is not yet supported by the Trino OAuth provider config:
Any chance to add this?
A possible workaround would be to use JWT authentication and get the token from Keycloak ourselves beforehand (we are not allowed to use password auth with a static Trino password db). The downside to this is that tokens have a limited - and in our case rather short - lifetime, and we would have to handle token refresh in between queries ourselves, whereas support in the Trino OAuth connector could handle that internally, like it already does for the authorization code flow.
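The workaround described above, sketched as an added example (not part of the original issue and not Trino's own code): a client-credentials token cache that renews a short-lived Keycloak token before each query. The `TokenCache` name, the realm, the client id and the host in the comments are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

def fetch_client_credentials_token(token_url, client_id, client_secret):
    """POST the OAuth2 client_credentials grant; returns the parsed JSON response."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Caches the access token and re-fetches it shortly before it expires."""

    def __init__(self, fetch, skew_seconds=30, clock=time.monotonic):
        self._fetch = fetch          # zero-argument callable returning the token response
        self._skew = skew_seconds    # refresh this long before the stated expiry
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            if "access_token" not in resp:
                raise RuntimeError("token endpoint returned no access_token")
            self._token = resp["access_token"]
            # A missing expires_in is treated as already stale, so the next call re-fetches.
            self._expires_at = now + float(resp.get("expires_in", 0))
        return self._token

    def auth_header(self):
        """Bearer header for a Trino coordinator configured for JWT authentication."""
        return {"Authorization": "Bearer " + self.token()}

# Assumed values: realm "example", client "trino-batch", secret read from the environment.
# TOKEN_URL = "https://keycloak.example.com/realms/example/protocol/openid-connect/token"
# cache = TokenCache(lambda: fetch_client_credentials_token(TOKEN_URL, "trino-batch", secret))
# Call cache.auth_header() before each query so the token is renewed in between queries.
```

Keep the client secret and the returned token out of logs and process arguments; the cache holds both only in memory.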