TIBCO Spotfire® Server and Environment - Installation and Administration

Using OAuth2 with Information Services

If you use OpenID Connect for logging in to your Spotfire Server, you can configure Information Services data sources for single sign-on with the same OpenID provider.

A credentials provider for Information Services, TokenCredentialsProvider, is included out-of-the-box in the Spotfire installation. It collects the access token created during login to the Spotfire Server and passes it on to the JDBC data source driver. You can use the TokenCredentialsProvider in data source templates for data sources that support OAuth2 token-based authorization over JDBC.

The protocols used are OAuth2 and OpenID Connect. OAuth2 controls authorization to a protected resource such as an application or a data source. OpenID Connect is an authentication protocol built on the OAuth2 authorization protocol. It provides authentication, so a client can verify the identity of a user.

Prerequisites

  • Configure your Spotfire Server for web authentication with OpenID Connect.
  • In the OpenID Connect settings on the Spotfire Server, add any OAuth scopes required for accessing your data source. See Advanced OpenID Connect settings.
  • You might want to configure Spotfire to request refresh tokens. See the documentation of your OpenID provider for instructions.
  • Use the same OpenID provider for logging in to both Spotfire Server and the external database.

Note: Do not select Save my credentials when you log in using the Spotfire Analyst client. Saved credentials do not work for logging in to data sources with OpenID Connect in future sessions.

Procedure

In your data source template, set the credentials-provider-class to com.spotfire.ws.im.ds.sql.TokenCredentialsProvider.

Example:
<credentials-provider-class>com.spotfire.ws.im.ds.sql.TokenCredentialsProvider</credentials-provider-class>
<credentials-provider-init-params>
    <parameter>
        <key>issuer</key>
        <value>https://login.example.com</value>
    </parameter>
    <parameter>
        <key>access_token_property_name</key>
        <value>token</value>
    </parameter>
</credentials-provider-init-params>

Note: A selection of sample data source templates, some of which use OAuth2 authentication, is available on TIBCO Community.

com.spotfire.ws.im.ds.sql.TokenCredentialsProvider

The credentials provider com.spotfire.ws.im.ds.sql.TokenCredentialsProvider is an implementation of the SPI com.spotfire.informationservices.spi.ds.CustomCredentialsProvider, and is included in the Spotfire installation. It picks up the access token retrieved on login to the Spotfire Server and passes it on to the JDBC data source driver.

The credentials-provider-init-params provide information so that Spotfire can correctly pass on the access token.

Parameters

The table lists all initialization parameters for credentials-provider-init-params.

| Setting | Description | Default value |
|---|---|---|
| issuer | String. The name of the expected issuer. Only tokens from the specified issuer are passed to the driver. This should be the URI entered when configuring the OpenID Connect provider. Enter the URI up to but not including /.well-known/openid-configuration or /.well-known/oauth-authorization-server. Mandatory. | |
| include_access_token | Boolean. If True, an access token is passed to the driver. | True |
| access_token_property_name | String. The name of the connection property that the driver uses to provide the access token. Mandatory if include_access_token is True. | |
| driver_supports_refresh_tokens | Boolean. If True, a refresh token is passed to the driver. | False |
| refresh_token_property_name | String. The name of the connection property that the driver uses to provide the refresh token. Mandatory if driver_supports_refresh_tokens is True. | |
| client_id_property_name | String. The name of the connection property that the driver uses to provide the client ID. Mandatory if driver_supports_refresh_tokens is True. | |
| client_secret_property_name | String. The name of the connection property that the driver uses to provide the client secret. Mandatory if driver_supports_refresh_tokens is True. | |
| token_refresh_validity_below_minutes | Integer. If Spotfire has a refresh token from the OpenID provider, access tokens that have less than this time left of their validity time are automatically refreshed. | 30 |
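
The mandatory and conditionally mandatory settings listed for credentials-provider-init-params can be checked before a data source template is deployed. The following Python check is an added example, not part of the Spotfire product or its documentation; the function name check_init_params, the case-insensitive reading of True/False, and the sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Suffixes that the parameter table says must not be part of the issuer value.
WELL_KNOWN = ("/.well-known/openid-configuration",
              "/.well-known/oauth-authorization-server")
# Defaults from the parameter table.
DEFAULTS = {"include_access_token": "True", "driver_supports_refresh_tokens": "False"}
REFRESH_KEYS = ("refresh_token_property_name", "client_id_property_name",
                "client_secret_property_name")

def check_init_params(fragment):
    """Return a list of problems found in a data source template fragment."""
    # Wrap in a dummy root because a template fragment has several top-level elements.
    root = ET.fromstring("<t>" + fragment + "</t>")
    block = root.find(".//credentials-provider-init-params")
    if block is None:
        return ["credentials-provider-init-params is missing"]
    params = dict(DEFAULTS)
    for p in block.findall("parameter"):
        params[(p.findtext("key") or "").strip()] = (p.findtext("value") or "").strip()
    def on(name):  # assumption: boolean values are compared case-insensitively
        return params[name].lower() == "true"

    problems = []
    issuer = params.get("issuer", "")
    if not issuer:
        problems.append("issuer is mandatory")
    elif issuer.rstrip("/").endswith(WELL_KNOWN):
        problems.append("issuer must stop before the /.well-known/ path")
    if on("include_access_token") and not params.get("access_token_property_name"):
        problems.append("access_token_property_name is mandatory")
    if on("driver_supports_refresh_tokens"):
        problems += [k + " is mandatory" for k in REFRESH_KEYS if not params.get(k)]
    return problems

# Constructed samples: GOOD mirrors the page's example, BAD breaks several rules.
GOOD = """<credentials-provider-init-params>
  <parameter><key>issuer</key><value>https://login.example.com</value></parameter>
  <parameter><key>access_token_property_name</key><value>token</value></parameter>
</credentials-provider-init-params>"""
BAD = """<credentials-provider-init-params>
  <parameter><key>issuer</key><value>https://login.example.com/.well-known/openid-configuration</value></parameter>
  <parameter><key>driver_supports_refresh_tokens</key><value>True</value></parameter>
  <parameter><key>refresh_token_property_name</key><value>refresh</value></parameter>
</credentials-provider-init-params>"""

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_init_params(sample))
```

The BAD sample is flagged for access_token_property_name because include_access_token defaults to True when it is omitted.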