Trino OAuth2 and JWT via Okta

The steps below describe how to configure Trino for end-user authentication via OAuth2 and M2M authentication (for data source onboarding in Immuta) via JWT using the same Okta app.

Configuring Okta

As an Okta admin, create a new app integration. Select OIDC and Web Application

Configure the app integration similar to the setting in the screenshot below. The Client Credentials checkbox is essential for M2M JWT authentication but is not necessary for OAuth2.

Configure the app Assignments according to organizational practices and click Save

Note the Client ID and Client Secret on the next page. These are used in the Trino config file:

Under Security -> API -> Authorization Servers -> default -> Scopes add a trino:access scope

Validate the response from the following curl call, using your Okta DNS Name:

curl -X POST "https://immuta.oktapreview.com/oauth2/default/v1/token" \
     -d "grant_type=client_credentials" \
     -d "client_id=0oal4jjks6kqzHwRe1d7" \
     -d "client_secret=<secret>" \
     -d "scope=trino:access"

{"token_type":"Bearer","expires_in":3600,"access_token":"eyJraWQiOiJucm9nQ2hOdFJDYUZ4bEZUVFBOQXVJUnhrbXkxckw2TU15YkRCdVJEcWZvIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnJOU1NxazNpYlZLZlhnb0dFWXg4SVo3SUxmbEQ3elMtU3JxRXpQOUlqSWMiLCJpc3MiOiJodHRwczovL2ltbXV0YS5va3RhcHJldmlldy5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNzQyNTg0OTQzLCJleHAiOjE3NDI1ODg1NDMsImNpZCI6IjBvYWw0amprczZrcXpId1JlMWQ3Iiwic2NwIjpbInRyaW5vOmFjY2VzcyJdLCJzdWIiOiIwb2FsNGpqa3M2a3F6SHdSZTFkNyJ9.AkjKFCPKgaDwDYRQMbGS8p-GyzhztXbtzDsZDYjjPMo2glnh9MDk2q2dI5rGIdeoQ60K7Q55780NTZFpsucAS4tMYscot8z9_cy5NRbjjViOfUZ_nWG8zTJKvBwWdfhDKXJpIFiu4iYKzUt46FKVcCwnOdEyH6G0raesqJzPtHJ1w0Wk5X3HdduNlhka4hpYHPYfoXNeTgjKLYJoX0SnEuy20C77RtCZpptv9bTV37Z9to257tgJVqJt2x5P9IuiSKTdFdmJBfm1Uo14bEggT5m0Tgl0m_uEWW0igSQSNTREhRHtY2L6YdMfcYqYaIKY2QWuzEiHar-atRd6_qZgvQ","scope":"trino:access"}

Decode the access_token via https://jwt.io

Decoded Payload

{
  "ver": 1,
  "jti": "AT.rNSSqk3ibVKfXgoGEYx8IZ7ILflD7zS-SrqEzP9IjIc",
  "iss": "https://immuta.oktapreview.com/oauth2/default",
  "aud": "api://default",
  "iat": 1742584943,
  "exp": 1742588543,
  "cid": "0oal4jjks6kqzHwRe1d7",
  "scp": [
    "trino:access"
  ],
  "sub": "0oal4jjks6kqzHwRe1d7"
}

The value of the sub field must be listed as an immuta.user.admin in the immuta-access-control.properties file on the Trino cluster.

Configuring Trino

To set up Trino for both OAuth2 and JWT authentication, you only need to edit the coordinator's config.properties once. The example below demonstrates how to update the Trino Helm chart accordingly:

server:
  config:
    authenticationType: PASSWORD,OAUTH2,JWT
  coordinatorExtraConfig: |-
    access-control.config-files=/immuta/immuta-access-control.properties
    web-ui.enabled=true
    web-ui.authentication.type=OAUTH2
    # OAuth2 settings (for end users)
    http-server.authentication.oauth2.issuer=https://immuta.oktapreview.com/oauth2/default
    http-server.authentication.oauth2.client-id=0oal4jjks6kqzHwRe1d7
    http-server.authentication.oauth2.client-secret=<client_secret>
    http-server.authentication.oauth2.scopes=openid,profile,email
    http-server.authentication.oauth2.principal-field=email
    # JWT settings (for M2M)
    http-server.authentication.jwt.key-file=https://immuta.oktapreview.com/oauth2/default/v1/keys

Registering a Trino Datasource in Immuta

Validate the changes to Trino by registering a new data source in Immuta. Populate the fields in the new data source creation page according to the client id, secret, and scope used in the curl call above, for example:

Click Create to register the schema in Immuta

End-user authentication validation via Trino cli

To validate that the end-user OAuth2 workflow is functioning as intended, use the Trino cli jar to connect and run a query against one of the newly registered data sources. The user must be assigned to the application in Okta and exist in Immuta for this query to return successfully:

./trino --server https://trino-rebtest.immuta.us --user [email protected] --external-authentication
trino> select * from tpch.sf10000.customer limit 5;
  custkey  |        name        |                 address                  | nationkey |      phone      | acctbal | mktsegment |                                                 >
-----------+--------------------+------------------------------------------+-----------+-----------------+---------+------------+------------------------------------------------->
 375000001 | Customer#375000001 | A2qPnPHny3EfSYRt5HRK xbO25               |        14 | 24-835-946-7501 |  873.28 | HOUSEHOLD  |  dogged requests. packages are bold             >
 375000002 | Customer#375000002 | tZjdsgDPTGclO4nnJ,                       |         4 | 14-951-488-5148 | 1111.71 | BUILDING   | telets; foxes x-ray quickly. carefully ironic pi>
 375000003 | Customer#375000003 | PZ3lLzEz8GeTL9k                          |        12 | 22-782-389-7245 | 4493.38 | MACHINERY  | oxes. carefully bold instructions sleep sometime>
 375000004 | Customer#375000004 | hPoY29v307gXyjvo7UX5                     |        12 | 22-119-308-8149 | 3178.53 | MACHINERY  | fully unusual deposits snooze along the unusual,>
 375000005 | Customer#375000005 | rOwQejfsU68eMBmY1O7vJR                   |         0 | 10-739-382-1640 | 3615.61 | HOUSEHOLD  | es grow fluffily even packages. carefully unusua>

PreviousRepeatable k3s stack deployment on AWS EC2 NextCopy of Okta Attribute Mapping

Last updated 3 months ago