Support for Microsoft Entra ID (Azure AD) On-Behalf-Of (OBO) Flow in Trino

[cccs-jc]

We are unable to successfully implement the On-Behalf-Of (OBO) flow when using Trino with the iceberg-auth-manager. While the AuthManager appears to be configured correctly for standard OAuth2, Entra ID's specific requirements for token exchange (exchanging a user's JWT for a service-level token) do not seem to be supported or are failing during the handshake.

Is AuthManager supposed to support Microsoft Entra ID as of yet?

[adutra]

Hi @cccs-jc thank you for your interest in the Dremio Auth Manager!

Unfortunately this manager does not have support for OBO just yet. It requires a new grant type: urn:ietf:params:oauth:grant-type:jwt-bearer.

But the good news is, adding a new grant type is not that difficult, and this specific grant type is something I was already planning to add.

Indeed we currently have only partial support for RFC 7523:

• We do support client assertions (section 2.2 of the RFC);
• But we don't have support for JWTs as authorization grants (section 2.1. of the RFC). This is what OBO uses.

So, bringing full support for RFC 7523 has always been a priority.

I will try to come up with a PR shortly. Stay tuned!

[adutra]

Also, the machinery to generate the JWT assertion grant is very similar to the one used in Token Exchange to fetch the subject and actor tokens, so I will probably be able to leverage that.