trino-python-client icon indicating copy to clipboard operation
trino-python-client copied to clipboard
verified publisher icon trinodb

Authenticate against external identity provider, and send grant to Trino

Open RoseGoldIsntGay opened this issue 1 year ago • 1 comments

Description

The new KeycloakAuthentication auth flow allows usage of an external OIDC identity provider to authenticate against a Trino cluster secured using OAuth2.

Non-technical explanation

This authentication type uses credentials for an OpenId Connect provider, such as Keycloak, retrieves a grant token and uses it to authenticate against Trino.

Release notes

( ) This is not user-visible or docs only and no release notes are required. ( ) Release notes are required, please propose a release note for me. (x) Release notes are required, with the following suggested text:

Keycloak Authentication

The KeycloakAuthentication class can be used to connect to a Trino cluster that is configured with the OAuth2 authentication type using an external OIDC identity provider (i.e Keycloak)

It works by sending credentials to the OpenId identity provider and recieving a grant, then passing said grant to the Trino cluster secured using OAuth2

[!WARNING] Client Authentication must be turned off (public access) as the flow does not send a client secret

  • DBAPI

    from trino.dbapi import connect
from trino.auth import KeycloakAuthentication

conn = connect(
    user="<username>",
    auth=KeycloakAuthentication(
        username="<username>",
        password="<password>",
        keycloak_url="<keycloak_url>",
        realm="<realm>",
        client_id="<client_id>",
    ),
    ...
)

RoseGoldIsntGay avatar Feb 05 '25 14:02 RoseGoldIsntGay

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

cla-bot[bot] avatar Feb 05 '25 14:02 cla-bot[bot]

This seems too custom to your specific implementation of Keycloak.

In general you can use Oauth authentication class to integrate with keycloak already.

hashhar avatar Sep 09 '25 07:09 hashhar