Skip to content

Authenticate against external identity provider, and send grant to Trino #531

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Authenticate against external identity provider, and send grant to Trino #531

wants to merge 1 commit into from
+100 −0

Conversation

RoseGoldIsntGay
Copy link

Description

The new KeycloakAuthentication auth flow allows usage of an external OIDC identity provider to authenticate against a Trino cluster secured using OAuth2.

Non-technical explanation

This authentication type uses credentials for an OpenId Connect provider, such as Keycloak, retrieves a grant token and uses it to authenticate against Trino.

Release notes

( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:

Keycloak Authentication

The KeycloakAuthentication class can be used to connect to a Trino cluster that is configured with the OAuth2 authentication type using an external OIDC identity provider (i.e Keycloak)

It works by sending credentials to the OpenId identity provider and recieving a grant, then passing said grant to the Trino cluster secured using OAuth2

Warning

Client Authentication must be turned off (public access) as the flow does not send a client secret

  • DBAPI

    from trino.dbapi import connect
from trino.auth import KeycloakAuthentication

conn = connect(
    user="<username>",
    auth=KeycloakAuthentication(
        username="<username>",
        password="<password>",
        keycloak_url="<keycloak_url>",
        realm="<realm>",
        client_id="<client_id>",
    ),
    ...
)

@cla-bot cla-bot
Copy link

cla-bot bot commented Feb 5, 2025

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

@hashhar
Copy link
Member

hashhar commented Sep 9, 2025

This seems too custom to your specific implementation of Keycloak.

In general you can use Oauth authentication class to integrate with keycloak already.

@hashhar hashhar closed this Sep 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukasz-walkiewicz lukasz-walkiewicz Awaiting requested review from lukasz-walkiewicz

@damian3031 damian3031 Awaiting requested review from damian3031

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RoseGoldIsntGay @hashhar