Security Integration Oauth

docs/en/_assets/user_priv/security_integration_oauth.mdx


Create a security integration with OAuth 2.0

Syntax

```sql
CREATE SECURITY INTEGRATION <security_integration_name>
PROPERTIES (
    "type" = "authentication_oauth2",
    "auth_server_url" = "",
    "token_server_url" = "",
    "client_id" = "",
    "client_secret" = "",
    "redirect_url" = "",
    "jwks_url" = "",
    "principal_field" = "",
    "required_issuer" = "",
    "required_audience" = "",
    "comment" = ""
)
```

Parameters

security_integration_name
  • Required: Yes
  • Description: The name of the security integration. Note: the security integration name is globally unique. You cannot specify this parameter as native.
auth_server_url
  • Required: Yes
  • Description: The authorization URL. The URL to which the users’ browser will be redirected in order to begin the OAuth 2.0 authorization process.
token_server_url
  • Required: Yes
  • Description: The URL of the endpoint on the authorization server from which StarRocks obtains the access token.
client_id
  • Required: Yes
  • Description: The public identifier of the StarRocks client.
client_secret
  • Required: Yes
  • Description: The secret used to authorize the StarRocks client with the authorization server.
redirect_url
  • Required: Yes
  • Description: The URL to which the users’ browser will be redirected after the OAuth 2.0 authentication succeeds. The authorization code will be sent to this URL. In most cases, it needs to be configured as http://<starrocks_fe_url>:<fe_http_port>/api/oauth2.
type
  • Required: Yes
  • Description: The type of the security integration. Specify it as authentication_oauth2.
jwks_url
  • Required: Yes
  • Description: The URL to the JSON Web Key Set (JWKS) service or the path to the local file under the fe/conf directory.
principal_field
  • Required: Yes
  • Description: The string used to identify the field that indicates the subject (sub) in the JWT. The default value is sub. The value of this field must be identical to the username used to log in to StarRocks.
required_issuer
  • Required: No
  • Description: The list of strings used to identify the issuers (iss) in the JWT. The JWT is considered valid only if one of the values in the list matches the JWT issuer.
required_audience
  • Required: No
  • Description: The list of strings used to identify the audience (aud) in the JWT. The JWT is considered valid only if one of the values in the list matches the JWT audience.
comment
  • Required: No
  • Description: The description of the security integration.
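Putting the parameters above together, here is a complete statement as an added example; it is not taken from the StarRocks documentation or code base. All hostnames, the client_id, the client_secret and the identity provider paths are constructed placeholders, and the FE HTTP port 8030 is an assumption to be replaced with the actual fe_http_port. The two optional properties required_issuer and required_audience are set deliberately: without them the integration does not constrain which issuer or audience a token presented for login may carry, so pinning them to the identity provider's issuer value and to the client_id narrows the set of accepted tokens to those minted for this StarRocks deployment.

```sql
-- Added example (not from the StarRocks docs): an OAuth 2.0 security integration
-- named "corp_oidc". Every URL, ID and secret below is a constructed placeholder.
CREATE SECURITY INTEGRATION corp_oidc
PROPERTIES (
    "type" = "authentication_oauth2",
    -- Authorization endpoint the user's browser is sent to first (placeholder).
    "auth_server_url" = "https://idp.example.com/oauth2/v1/authorize",
    -- Token endpoint the FE calls to exchange the authorization code (placeholder).
    "token_server_url" = "https://idp.example.com/oauth2/v1/token",
    -- Client credentials registered at the identity provider (placeholders).
    "client_id" = "starrocks-fe-client",
    "client_secret" = "<client-secret-from-idp>",
    -- Follows the http://<starrocks_fe_url>:<fe_http_port>/api/oauth2 pattern;
    -- 8030 is an assumed FE HTTP port, adjust to your deployment.
    "redirect_url" = "http://fe.example.com:8030/api/oauth2",
    -- JWKS endpoint used to verify the JWT signature (placeholder). A file name
    -- under fe/conf may be used instead of a URL.
    "jwks_url" = "https://idp.example.com/oauth2/v1/keys",
    -- JWT claim whose value must equal the StarRocks login username.
    "principal_field" = "sub",
    -- Optional, but set here: accept only tokens issued by this IdP (placeholder
    -- issuer value) and addressed to this client.
    "required_issuer" = "https://idp.example.com",
    "required_audience" = "starrocks-fe-client",
    "comment" = "Corporate OIDC login for StarRocks users"
)
```

The redirect_url registered at the identity provider must match this value exactly, since the authorization code is delivered to it; if the FE is reached over a different hostname or port than the one configured, the login round trip does not complete.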