|
| 1 | +--- |
| 2 | +slug: /en/operations/external-authenticators/oauth |
| 3 | +title: "OAuth 2.0" |
| 4 | +--- |
| 5 | +import SelfManaged from '@site/docs/en/_snippets/_self_managed_only_no_roadmap.md'; |
| 6 | + |
| 7 | +<SelfManaged /> |
| 8 | + |
| 9 | +OAuth 2.0 access tokens can be used to authenticate ClickHouse users. This works in two ways: |
| 10 | + |
| 11 | +- Existing users (defined in `users.xml` or in local access control paths) can be authenticated with access token if this user can be `IDENTIFIED WITH jwt`. |
| 12 | +- Use Identity Provider (IdP) as an external user directory and allow locally undefined users to be authenticated with a token if it is valid and recognized by the provider. |
| 13 | + |
| 14 | +Though this authentication method is different from JWT authentication, it works under the same authentication method to maintain better compatibility. |
| 15 | + |
| 16 | +For both of these approaches a definition of `access_token_processors` is mandatory. |
| 17 | + |
| 18 | +## Access Token Processors |
| 19 | + |
| 20 | +To define an access token processor, add `access_token_processors` section to `config.xml`. Example: |
| 21 | +```xml |
| 22 | +<clickhouse> |
| 23 | + <access_token_processors> |
| 24 | + <gogoogle> |
| 25 | + <provider>Google</provider> |
| 26 | + <email_filter>^[A-Za-z0-9._%+-]+@example\.com$</email_filter> |
| 27 | + </gogoogle> |
| 28 | + <azuure> |
| 29 | + <provider>azure</provider> |
| 30 | + <client_id>CLIENT_ID</client_id> |
| 31 | + <tenant_id>TENANT_ID</tenant_id> |
| 32 | + </azuure> |
| 33 | + </access_token_processors> |
| 34 | +</clickhouse> |
| 35 | +``` |
| 36 | + |
| 37 | +:::note |
| 38 | +Different providers have different sets of parameters. |
| 39 | +::: |
| 40 | + |
| 41 | +**Parameters** |
| 42 | + |
| 43 | +- `provider` -- name of identity provider. Mandatory, case-insensitive. Supported options: "Google", "Azure". |
| 44 | +- `email_filter` -- Regex for validation of user emails. Optional parameter, only for Google IdP. |
| 45 | +- `client_id` -- Azure AD (Entra ID) client ID. Optional parameter, only for Azure IdP. |
| 46 | +- `tenant_id` -- Azure AD (Entra ID) tenant ID. Optional parameter, only for Azure IdP. |
| 47 | + |
| 48 | +## IdP as External Authenticator {#idp-external-authenticator} |
| 49 | + |
| 50 | +Locally defined users can be authenticated with an access token. To allow this, `jwt` must be specified as user's authentication method. Example: |
| 51 | + |
| 52 | +```xml |
| 53 | +<clickhouse> |
| 54 | + <!- ... --> |
| 55 | + <users> |
| 56 | + <!- ... --> |
| 57 | + <my_user> |
| 58 | + <!- ... --> |
| 59 | + </jwt> |
| 60 | + </my_user> |
| 61 | + </users> |
| 62 | +</clickhouse> |
| 63 | +``` |
| 64 | + |
| 65 | +At each login attempt, ClickHouse will attempt to validate token and get user info against every defined access token provider. |
| 66 | + |
| 67 | +When SQL-driven [Access Control and Account Management](/docs/en/guides/sre/user-management/index.md#access-control) is enabled, users that are authenticated with tokens can also be created using the [CREATE USER](/docs/en/sql-reference/statements/create/user.md#create-user-statement) statement. |
| 68 | + |
| 69 | +Query: |
| 70 | + |
| 71 | +```sql |
| 72 | +CREATE USER my_user IDENTIFIED WITH jwt; |
| 73 | +``` |
| 74 | + |
| 75 | +## Identity Provider as an External User Directory {#idp-external-user-directory} |
| 76 | + |
| 77 | +If there is no suitable user pre-defined in ClickHouse, authentication is still possible: Identity Provider can be used as source of user information. |
| 78 | +To allow this, add `token` section to the `users_directories` section of the `config.xml` file. |
| 79 | + |
| 80 | +At each login attempt, ClickHouse tries to find the user definition locally and authenticate it as usual. |
| 81 | +If the user is not defined, ClickHouse will treat user as externally defined, and will try to validate the token and get user information from the specified processor. |
| 82 | +If validated successfully, the user will be considered existing and authenticated. The user will be assigned roles from the list specified in the `roles` section. |
| 83 | +All this implies that the SQL-driven [Access Control and Account Management](/docs/en/guides/sre/user-management/index.md#access-control) is enabled and roles are created using the [CREATE ROLE](/docs/en/sql-reference/statements/create/role.md#create-role-statement) statement. |
| 84 | + |
| 85 | +**Example** |
| 86 | + |
| 87 | +```xml |
| 88 | +<clickhouse> |
| 89 | + <token> |
| 90 | + <processor>gogoogle</processor> |
| 91 | + <roles> |
| 92 | + <token_test_role_1 /> |
| 93 | + </roles> |
| 94 | + </token> |
| 95 | +</clickhouse> |
| 96 | +``` |
| 97 | + |
| 98 | +**Parameters** |
| 99 | + |
| 100 | +- `server` — Name of one of processors defined in `access_token_processors` config section described above. This parameter is mandatory and cannot be empty. |
| 101 | +- `roles` — Section with a list of locally defined roles that will be assigned to each user retrieved from the IdP. |
0 commit comments