Identity Providers Overview
To enable identity providers in Ahana, contact Ahana Support.
Ahana supports OpenID Connect (OIDC) identity provider integration. You can configure an identity provider to provide user authentication for querying Presto clusters.
- Presto clusters created before the identity provider configuration date are not affected. These Presto clusters use basic (username and password) authentication, and do not use the identity provider.
- Only Presto clusters created after the identity provider configuration date use the identity provider for authentication. These Presto clusters must use the identity provider authentication.
- To delete an identity provider, all Presto clusters that use the identity provider for authentication - that is, all Presto clusters that were created after the identity provider configuration date - must be deleted first.
Identity Providers in Ahana
For information on how to work with identity providers in Ahana, see these pages:
- Add an Identity Provider
- Edit an Identity Provider
- Delete an Identity Provider
- Identity Mapping to Presto Clusters
How Does an Identity Provider Work?
Ahana follows the Authorization Code Flow as defined in the OAuth 2.0 spec. This flow exchanges an authorization code for a token.
The authorization code flow definition is in OAuth 2.0 RFC 6749, section 4.1.
This page presents a high-level explanation of the authorization code flow. For more detail, see Authorization Code Flow.
The code flow to sign in:
If the client does not have a session cookie, the Presto cluster initiates a sign in with Ahana.
Ahana responds with an authorization cookie and a redirect to the OIDC identity provider.
The user signs in to the OIDC identity provider.
The OIDC identity provider responds with an authorization code and a redirect to Ahana.
The code flow to secure access:
The client redirects to Ahana, sending the authorization code from OIDC and an authorization cookie from Ahana.
Ahana verifies the authorization code with OIDC.
OIDC responds to Ahana with an access token, an ID token and optionally a refresh token.
Ahana responds to the client with the access and refresh tokens.
The client can now use the access token to run queries and receive query results.