o-auth-authentication-records.md
The following authentication record v_oauth
authenticates users from any IP address by contacting the identity provider to validate the OAuth token (rather than a username and password) and uses the following parameters:
-
validate_type
: The method used to validate the OAuth token. This should be set toIDP
(default) to validate the OAuth token for confidential clients. -
client_id
: The client in the identity provider. -
client_secret
: The client secret generated by the identity provider. This is required ifvalidate_type
isIDP
. -
discovery_url
: Also known as the OpenID Provider Configuration Document, Vertica uses this endpoint to retrieve information about the identity provider's configuration and other endpoints (Keycloak only). -
introspect_url
: Used by Vertica to introspect (validate) access tokens. You must specify theintrospect_url
if you do not specify thediscovery_url
and are not usingJWT
validation.
If discovery_url
and introspect_url
are both set, discovery_url
takes precedence. The following example sets both for demonstration purposes; in general, you should prefer to set the discovery_url
:
=> CREATE AUTHENTICATION v_oauth METHOD 'oauth' HOST '0.0.0.0/0';
=> ALTER AUTHENTICATION v_oauth SET validate_type = 'IDP';
=> ALTER AUTHENTICATION v_oauth SET client_id = 'vertica';
=> ALTER AUTHENTICATION v_oauth SET client_secret = 'client_secret';
=> ALTER AUTHENTICATION v_oauth SET discovery_url = 'https://203.0.113.1:8443/realms/myrealm/.well-known/openid-configuration';
=> ALTER AUTHENTICATION v_oauth SET introspect_url = 'https://203.0.113.1:8443/realms/myrealm/protocol/openid-connect/token/introspect';
Alternatively, if your identity provider supports the OpenID Connect protocol and your client is public, Vertica can use JWT validation, where Vertica validates OAuth tokens by verifying that it was signed by the identity provider's private key.
Vertica does not contact the identity provider for JWT validation.
JWT validation requires the following parameters:
-
validate_type
: The method used to validate the OAuth token. This should be set toJWT
to validate the OAuth token for public clients. -
jwt_rsa_public_key
: In PEM format, the public key used to sign the client's OAuth token. Vertica uses this to validate the OAuth token. If your identity provider does not natively provide PEM-formatted public keys, you must convert them to PEM format. For example, keys retrieved from an Okta endpoint are in JWK format and must be converted. -
jwt_issuer
: The issuer of the OAuth token. For Keycloak, this is the token endpoint. -
jwt_user_mapping
: The name of the Vertica user.
You can also specify the following parameters to define a whitelist based on fields of the OAuth token:
-
jwt_accepted_audience_list
: Optional, a comma-delimited list of values to accept from the client JWT'saud
field. If set, tokens must include inaud
one of the accepted audiences to authenticate. -
jwt_accepted_scope_list
: Optional, a comma-delimited list of values to accept from the client JWT'sscope
field. If set, tokens must include inscope
at least one of the accepted scopes to authenticate.
The following authentication record v_oauth_jwt
authenticates users from any IP address by verifying that the client's OAuth token was signed by the identity provider's private key. It also requires the user to provide the proper values in the token's aud
and scope
fields:
=> CREATE AUTHENTICATION v_oauth_jwt METHOD 'oauth' HOST '0.0.0.0/0';
=> ALTER AUTHENTICATION v_oauth_jwt SET validate_type = 'JWT';
=> ALTER AUTHENTICATION v_oauth_jwt SET jwt_rsa_public_key = '-----BEGIN PUBLIC KEY-----public-key-value-----END PUBLIC KEY-----';
=> ALTER AUTHENTICATION v_oauth_jwt SET jwt_issuer = 'http://10.20.30.40:8080/realms/realm_name';
=> ALTER AUTHENTICATION v_oauth_jwt SET jwt_user_mapping = 'preferred_username';
=> ALTER AUTHENTICATION v_oauth_jwt SET jwt_accepted_audience_list = 'vertica,local';
=> ALTER AUTHENTICATION v_oauth_jwt SET jwt_accepted_scope_list = 'email,profile,user';