Starburst Galaxy

  • OAuth clients

    OAuth clients allow users to connect to their Starburst Galaxy cluster using the available authentication method they prefer:

    • username and password
    • single sign-on (SSO)

    When SSO is configured and a user does not authenticate to Starburst Galaxy with a username and password, the analytics tool, such as Tableau, treats Starburst Galaxy as an authorization server.

    When SSO is not configured, users can still benefit from OAuth by not needing to re-authenticate with username and password for a short period of time.

    Client types

    There are two types of OAuth clients:

    • Public
    • Private

    Public clients are intended for desktop versions of supported analytics tools. The expectation for public clients is that there is one public client per Starburst Galaxy account per analytics tool instance. The public client is visible to all users. The public client runs the Authorization Code Flow with Proof Key for Code Exchange (PKCE) and therefore does not have a client secret.

    Private (confidential) clients are intended for analytics tools that are a SaaS offering. The private client uses the Client ID and Secret to authenticate using the authorization code flow.
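
    The PKCE exchange that lets a public client work without a client secret, as an added example that is not Starburst Galaxy's code. It assumes the S256 challenge method from RFC 7636 (the page does not say which method is used), and `ToyAuthorizationServer` is a constructed stand-in.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Client side: a fresh random verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class ToyAuthorizationServer:
    """Constructed stand-in for an authorization server (hypothetical)."""

    def __init__(self):
        self._pending = {}  # authorization code -> stored code_challenge

    def authorize(self, code_challenge: str) -> str:
        # Step 1: the browser redirect carries only the challenge (a hash).
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # Step 2: the code is single use; the verifier must hash to the challenge.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        digest = hashlib.sha256(code_verifier.encode("ascii", "replace")).digest()
        if not hmac.compare_digest(b64url(digest).encode(), challenge.encode()):
            return None
        return secrets.token_urlsafe(24)  # constructed access token


def demo():
    server = ToyAuthorizationServer()
    verifier, challenge = new_pkce_pair()
    code_only = server.authorize(challenge)
    rejected = server.token(code_only, "guess-" * 8)  # code without verifier
    issued = server.token(server.authorize(challenge), verifier)
    return rejected, issued is not None


if __name__ == "__main__":
    print(demo())
```

    The verifier never leaves the client until the token request, so an authorization code observed on the redirect cannot be redeemed by itself.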

    Supported clients

    Supported clients for OAuth clients are as follows:

    Tableau Cloud (Online) is not supported.

    Required privileges

    Your current role must have the MANAGE_OAUTH_CLIENT privilege to allow creating and deleting OAuth clients.

    All users have the VIEW_PUBLIC_OAUTH_CLIENT privilege to view only public OAuth clients.

    Configuration

    Use the steps in the following sections to configure OAuth clients for your analytics tool:

    Tableau Desktop

    1. To use OAuth 2.0 to connect to Starburst Galaxy, you must request and install a custom data connector file. Contact support for more information.

    2. Download the data connector. Follow the instructions to place the .taco file in the correct location for your operating system.

    3. Follow the instructions to download the JDBC driver and connect to Starburst Galaxy.

    Tableau Prep Builder

    1. To use OAuth 2.0 to connect to Starburst Galaxy, you must request and install a custom data connector file. Contact support for more information.

    2. Download the data connector. Follow the instructions to place the .taco file in the correct location for your operating system.

    3. Follow the instructions to connect to Starburst Galaxy.

    Tableau Server

    1. To use OAuth 2.0 to connect to Starburst Galaxy, you must request and install a custom data connector file. Contact support for more information.

    2. Download the data connector. Follow the instructions to place the .taco file in the correct location for your operating system.

    3. Follow the instructions to download the JDBC driver and connect to Starburst Galaxy.

    PowerBI

    1. To use OAuth 2.0 to connect to Starburst Galaxy, make sure you are running PowerBI version 5.3 or later.

    2. Construct the Host URL by inserting the Public Reference value, which is generated when the client is created, into the URL of your Starburst Galaxy cluster. For example, if your public reference is 7toxd1kn7MWvy3DupMnn3QLX and the URL to your Starburst Galaxy cluster is https://mycluster.trino.galaxy.starburst.io, then the Host to use for PowerBI is:
      https://mycluster.trino.galaxy.starburst.io/oauth2/7toxd1kn7MWvy3DupMnn3QLX/public-client

    3. Follow the instructions to configure PowerBI to connect to Starburst Galaxy.

    OAuth clients list

    Open the Access control > OAuth clients pane to see a list of current OAuth clients. If none are created yet for a Starburst Galaxy account, this pane shows a Create new OAuth client button.

    The list of OAuth clients has the following sortable columns:

    • Client ID: The Client ID for an OAuth client. The complete Client ID is generated for you based on an identifier you enter, which must be a valid email name, and the name of your environment. The format resembles an email address. The link opens the details for an OAuth client.
    • Description: The description for this OAuth client.
    • Client service: Indicates whether the client service is Custom or a specifically supported product such as Tableau.
    • Client type: Indicates whether the OAuth client service is Private or Public.
    • Created: The date and time an OAuth client was created.

    Create a public OAuth client

    Refer to the fields reference for more information about completing the dialog.

    1. Click Create new OAuth client.
    2. Select the Public option.
    3. From the Application menu, select an application.
    4. Enter a unique Client ID. Do not enter any spaces.
    5. Enter a Description.
    6. Enter a Redirect URI if the Application is Custom.
    7. Click Create OAuth client. A dialog indicates your OAuth client was created.
    8. Click Done. The client is added to the OAuth clients list.

    Create a private OAuth client

    Refer to the fields reference for more information about completing the dialog.

    1. Click Create new OAuth client.
    2. Select the Private option.
    3. Enter a unique Client ID. Do not enter any spaces.
    4. Enter a Description.
    5. Enter a Redirect URI. For private clients the URI must begin with HTTPS.
    6. Click Create OAuth client. A dialog indicates your OAuth client was created.
    7. Copy the OAuth client secret to a secure location. Select the check box to confirm you have copied the key. This is the only opportunity to copy the key. If you lose the key, you must delete the client and create a new one.
    8. Click Done. The client is added to the OAuth clients list.

    Fields reference

    Use the following table to configure OAuth clients.

    OAuth clients fields

    • Client type: Public or Private.
    • Application: Applicable to Public clients only. Use the menu to select among the following options:
      • Custom: Advanced option. Contact your account team to make sure you are correctly configuring this option.
      • Tableau: Tableau Desktop, Tableau Prep Builder, and Tableau Server are supported.
    • Client ID: Enter any username. The username does not need to match an existing email address, but it must follow the same rules as email names. That is, the username must contain only printable US-ASCII characters not including [, ] or \. The grayed-out text @youraccount.io is automatically appended to the username after the Create OAuth client button is clicked.
    • Redirect URI: The endpoint implemented by the analytics client to receive the authorization code from Starburst Galaxy via the web browser. The value of the redirect URI depends on the client. Custom applications require manual entry of the redirect URI. Redirect URIs are pre-populated for Tableau and PowerBI and cannot be edited:
      • Tableau: http://localhost:55555/Callback
      • PowerBI: https://oauth.powerbi.com/views/oauthredirect.html

    The following table describes fields that are generated by Starburst Galaxy after an OAuth client is created.

    OAuth clients auto-generated fields

    • OAuth client ID: The client identifier.
    • OAuth client secret: The secret key for a private OAuth client.
    • Public reference: Only applies for public PowerBI clients. It must be used when constructing the Host field for PowerBI. The expected format is https://mycluster.trino.galaxy.starburst.io/oauth2/(public-reference-here)/public-client.
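
    A pre-flight check for the values described in the fields reference and in the PowerBI Host step, as an added example that is not Starburst Galaxy's code. The function names are hypothetical, only the rules stated on this page plus the RFC 6749 ban on fragments in redirect URIs are checked, and the https and alphanumeric checks in `powerbi_host` are assumptions drawn from the page's sample values.

```python
from urllib.parse import urlsplit

FORBIDDEN = set("[]\\")  # characters the fields reference excludes


def client_id_problems(name: str) -> list:
    """Check the identifier typed before the appended @... suffix."""
    problems = set()
    if not name:
        problems.add("empty identifier")
    for ch in name:
        if ch == " ":
            problems.add("contains a space")
        elif not 0x21 <= ord(ch) <= 0x7E:
            problems.add("character outside printable US-ASCII")
        elif ch in FORBIDDEN:
            problems.add(f"forbidden character {ch}")
    return sorted(problems)


def redirect_uri_problems(uri: str, client_type: str) -> list:
    """client_type is 'public' or 'private' (the page's two client types)."""
    parts = urlsplit(uri)
    problems = []
    if not parts.scheme or not parts.hostname:
        problems.append("not an absolute URI with a host")
    if parts.fragment:
        problems.append("contains a fragment")  # RFC 6749 section 3.1.2
    if client_type == "private" and parts.scheme != "https":
        problems.append("private clients need an https:// redirect URI")
    return problems


def powerbi_host(cluster_url: str, public_reference: str) -> str:
    """Build the PowerBI Host value in the format the page gives."""
    parts = urlsplit(cluster_url)
    # Assumption: cluster URLs are https:// without userinfo, as in the page's example.
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError("cluster URL must be a plain https:// URL")
    # Assumption: references are alphanumeric, like the page's sample value.
    if not (public_reference.isascii() and public_reference.isalnum()):
        raise ValueError("unexpected characters in public reference")
    return f"https://{parts.netloc}/oauth2/{public_reference}/public-client"


if __name__ == "__main__":
    print(client_id_problems("tableau desktop[1]"))
    print(redirect_uri_problems("http://bi.example.com/cb", "private"))
    print(powerbi_host("https://mycluster.trino.galaxy.starburst.io",
                       "7toxd1kn7MWvy3DupMnn3QLX"))
```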

    Edit an OAuth client

    Editing an OAuth client is not supported. If you need to edit an OAuth client, delete it and create it again.

    If you misplaced your secret key for a private OAuth client, you must delete that client and create it again.

    Delete an OAuth client

    1. In the OAuth clients list, click the Client ID link for the client you want to delete.
    2. Click Delete OAuth client.
    3. Click Yes, delete in the confirmation dialog.