The steps below describe how to configure Trino for end-user authentication via OAuth2 and M2M authentication (for data source onboarding in Immuta) via JWT using the same Okta app.
Configuring Okta
As an Okta admin, create a new app integration. Select OIDC and Web Application.
Configure the app integration similar to the settings in the screenshot below. The Client Credentials checkbox is essential for M2M JWT authentication but is not necessary for OAuth2.
Configure the app Assignments according to organizational practices and click Save.
Note the Client ID and Client Secret on the next page. These are used in the Trino config file:
Under Security -> API -> Authorization Servers -> default -> Scopes, add a trino:access scope.
Validate the response from the following curl call, using your Okta DNS Name:
The value of the sub field must be listed as an immuta.user.admin in the immuta-access-control.properties file on the Trino cluster.
Configuring Trino
To set up Trino for both OAuth2 and JWT authentication, you only need to edit the coordinator's config.properties once. The example below demonstrates how to update the Trino Helm chart accordingly:
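As an added example (not the Helm chart snippet from the Immuta documentation), the script below renders the config.properties entries that turn on both authenticators on the coordinator and then checks the rendered file for the two omissions that most often stop the coordinator from starting: JWT listed without a key-file (a JWKS URL is accepted there), and OAuth2 listed without a client secret. The Okta domain, client ID and secret are placeholders supplied as arguments; the property names are Trino's own.

```shell
#!/bin/sh
# Added example (not the Immuta docs' own config): render the coordinator
# config.properties lines that enable OAuth2 (end users) and JWT (M2M) together.
# Arguments: $1 Okta domain, $2 client ID, $3 client secret (all placeholders here).
render_trino_auth_config() {
  issuer="https://$1/oauth2/default"
  cat <<EOF
# Both authenticators are listed; the coordinator tries each for a request.
http-server.authentication.type=OAUTH2,JWT
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/trino/keystore.pem

# OAuth2: interactive end-user login through the Okta app created above.
# Discovery runs against ${issuer}/.well-known/openid-configuration.
http-server.authentication.oauth2.issuer=${issuer}
http-server.authentication.oauth2.client-id=$2
http-server.authentication.oauth2.client-secret=$3
http-server.authentication.oauth2.scopes=openid,trino:access

# JWT: M2M tokens from the client_credentials flow, verified against Okta's JWKS.
# The principal is the sub claim, i.e. the client ID listed as immuta.user.admin.
http-server.authentication.jwt.key-file=${issuer}/v1/keys
http-server.authentication.jwt.required-issuer=${issuer}
http-server.authentication.jwt.required-audience=api://default
http-server.authentication.jwt.principal-field=sub
EOF
}

# Check a rendered config for the settings each enabled authenticator requires.
# Returns 1 if JWT is enabled without a key-file or OAuth2 without a client secret.
validate_auth_config() {
  cfg=$1
  types=$(printf '%s\n' "$cfg" | sed -n 's/^http-server.authentication.type=//p')
  case "$types" in
    *JWT*)
      printf '%s\n' "$cfg" | grep -q '^http-server.authentication.jwt.key-file=.' || return 1 ;;
  esac
  case "$types" in
    *OAUTH2*)
      printf '%s\n' "$cfg" | grep -q '^http-server.authentication.oauth2.client-secret=.' || return 1 ;;
  esac
  return 0
}

# Stand-alone run with placeholder values (replace with the Okta app's real ones).
CONFIG=$(render_trino_auth_config "${OKTA_DOMAIN:-dev-000000.okta.com}" \
  "${OKTA_CLIENT_ID:-<client-id>}" "${OKTA_CLIENT_SECRET:-<client-secret>}")
validate_auth_config "$CONFIG" && printf '%s\n' "$CONFIG"
```

In a Helm deployment the same lines go into the coordinator's config overrides, with the client secret sourced from a Kubernetes Secret rather than committed in values. With this configuration the Trino CLI authenticates end users through the browser using its `--external-authentication` option, while M2M clients simply present the bearer token obtained from Okta.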
Validate the changes to Trino by registering a new data source in Immuta. Populate the fields on the new data source creation page with the client ID, secret, and scope used in the curl call above, for example:
Click Create to register the schema in Immuta.
End-user authentication validation via the Trino CLI
To validate that the end-user OAuth2 workflow is functioning as intended, use the Trino CLI jar to connect and run a query against one of the newly registered data sources. The user must be assigned to the application in Okta and exist in Immuta for this query to return successfully: