Trino OAuth2 and JWT via Okta
The steps below describe how to configure Trino for end-user authentication via OAuth2 and M2M authentication (for data source onboarding in Immuta) via JWT using the same Okta app.
Configuring Okta
As an Okta admin, create a new app integration. Select OIDC and Web Application

Configure the app integration similar to the setting in the screenshot below. The Client Credentials
checkbox is essential for M2M JWT authentication but is not necessary for OAuth2.

Configure the app Assignments according to organizational practices and click Save

Note the Client ID and Client Secret on the next page. These are used in the Trino config file:

Under Security -> API -> Authorization Servers -> default -> Scopes
add a trino:access
scope

Validate the response from the following curl call, using your Okta DNS Name:
curl -X POST "https://immuta.oktapreview.com/oauth2/default/v1/token" \
-d "grant_type=client_credentials" \
-d "client_id=0oal4jjks6kqzHwRe1d7" \
-d "client_secret=<secret>" \
-d "scope=trino:access"
{"token_type":"Bearer","expires_in":3600,"access_token":"eyJraWQiOiJucm9nQ2hOdFJDYUZ4bEZUVFBOQXVJUnhrbXkxckw2TU15YkRCdVJEcWZvIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnJOU1NxazNpYlZLZlhnb0dFWXg4SVo3SUxmbEQ3elMtU3JxRXpQOUlqSWMiLCJpc3MiOiJodHRwczovL2ltbXV0YS5va3RhcHJldmlldy5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNzQyNTg0OTQzLCJleHAiOjE3NDI1ODg1NDMsImNpZCI6IjBvYWw0amprczZrcXpId1JlMWQ3Iiwic2NwIjpbInRyaW5vOmFjY2VzcyJdLCJzdWIiOiIwb2FsNGpqa3M2a3F6SHdSZTFkNyJ9.AkjKFCPKgaDwDYRQMbGS8p-GyzhztXbtzDsZDYjjPMo2glnh9MDk2q2dI5rGIdeoQ60K7Q55780NTZFpsucAS4tMYscot8z9_cy5NRbjjViOfUZ_nWG8zTJKvBwWdfhDKXJpIFiu4iYKzUt46FKVcCwnOdEyH6G0raesqJzPtHJ1w0Wk5X3HdduNlhka4hpYHPYfoXNeTgjKLYJoX0SnEuy20C77RtCZpptv9bTV37Z9to257tgJVqJt2x5P9IuiSKTdFdmJBfm1Uo14bEggT5m0Tgl0m_uEWW0igSQSNTREhRHtY2L6YdMfcYqYaIKY2QWuzEiHar-atRd6_qZgvQ","scope":"trino:access"}
Decode the access_token
via https://jwt.io
{
"ver": 1,
"jti": "AT.rNSSqk3ibVKfXgoGEYx8IZ7ILflD7zS-SrqEzP9IjIc",
"iss": "https://immuta.oktapreview.com/oauth2/default",
"aud": "api://default",
"iat": 1742584943,
"exp": 1742588543,
"cid": "0oal4jjks6kqzHwRe1d7",
"scp": [
"trino:access"
],
"sub": "0oal4jjks6kqzHwRe1d7"
}
The value of the sub
field must be listed as an immuta.user.admin
in the immuta-access-control.properties
file on the Trino cluster.
Configuring Trino
To set up Trino for both OAuth2 and JWT authentication, you only need to edit the coordinator's config.properties
once. The example below demonstrates how to update the Trino Helm chart accordingly:
server:
config:
authenticationType: PASSWORD,OAUTH2,JWT
coordinatorExtraConfig: |-
access-control.config-files=/immuta/immuta-access-control.properties
web-ui.enabled=true
web-ui.authentication.type=OAUTH2
# OAuth2 settings (for end users)
http-server.authentication.oauth2.issuer=https://immuta.oktapreview.com/oauth2/default
http-server.authentication.oauth2.client-id=0oal4jjks6kqzHwRe1d7
http-server.authentication.oauth2.client-secret=<client_secret>
http-server.authentication.oauth2.scopes=openid,profile,email
http-server.authentication.oauth2.principal-field=email
# JWT settings (for M2M)
http-server.authentication.jwt.key-file=https://immuta.oktapreview.com/oauth2/default/v1/keys
Registering a Trino Datasource in Immuta
Validate the changes to Trino by registering a new data source in Immuta. Populate the fields in the new data source creation page according to the client id, secret, and scope used in the curl
call above, for example:

Click Create
to register the schema in Immuta
End-user authentication validation via Trino cli
To validate that the end-user OAuth2 workflow is functioning as intended, use the Trino cli jar to connect and run a query against one of the newly registered data sources. The user must be assigned to the application in Okta and exist in Immuta for this query to return successfully:
./trino --server https://trino-rebtest.immuta.us --user [email protected] --external-authentication
trino> select * from tpch.sf10000.customer limit 5;
custkey | name | address | nationkey | phone | acctbal | mktsegment | >
-----------+--------------------+------------------------------------------+-----------+-----------------+---------+------------+------------------------------------------------->
375000001 | Customer#375000001 | A2qPnPHny3EfSYRt5HRK xbO25 | 14 | 24-835-946-7501 | 873.28 | HOUSEHOLD | dogged requests. packages are bold >
375000002 | Customer#375000002 | tZjdsgDPTGclO4nnJ, | 4 | 14-951-488-5148 | 1111.71 | BUILDING | telets; foxes x-ray quickly. carefully ironic pi>
375000003 | Customer#375000003 | PZ3lLzEz8GeTL9k | 12 | 22-782-389-7245 | 4493.38 | MACHINERY | oxes. carefully bold instructions sleep sometime>
375000004 | Customer#375000004 | hPoY29v307gXyjvo7UX5 | 12 | 22-119-308-8149 | 3178.53 | MACHINERY | fully unusual deposits snooze along the unusual,>
375000005 | Customer#375000005 | rOwQejfsU68eMBmY1O7vJR | 0 | 10-739-382-1640 | 3615.61 | HOUSEHOLD | es grow fluffily even packages. carefully unusua>
Last updated