Skip to main content
Version: current [26.x Preview]

Authentication

Dremio supports several types of authentication for identity providers and client connections.

Identity Providers

Dremio identity providers include:

  • Enterprise OIDC Provider: An OpenID Connect (OIDC) identity provider, also known as an Identity Provider (IDP), is a service that verifies a user's identity and manages their access to resources. OIDC providers use the OpenID Connect protocol to perform these functions. Examples include Microsoft Entra ID, Okta, and others. Enterprise OIDC Providers can be configured as external token providers, which applications to access protected user data.
  • LDAP: An external service that manages user data stored within an LDAP directory and provides that user data to Dremio using the Lightweight Directory Access Protocol (LDAP).
  • Dremio Local: Users log in directly to the Dremio platform using a username and password stored locally within the Dremio system. Thus, their credentials are managed solely by Dremio and not through an external identity provider.

Authentication Options

Connection TypeEnterprise OIDCLDAP or Dremio Local
Dremio Console
Clients

Single Sign-On

The user is authenticated by the configured OIDC identity provider, including automatic authentication if the user is already signed into the Identity Provider.

Username and Password

The user provides a username and password combination for authentication. See the topic User Management for information on adding and managing local and external users.

Username and Password Exchange

For users authenticated by Dremio or an integrated enterprise LDAP server, exchanging a username and password for a Dremio OAuth access token improves security:

  • Exchange limits the exposure of the user's password to the creation of the access token.
  • OAuth access tokens are typically short-lived, reducing the window of opportunity for attackers if a token is compromised.
  • By requesting an optional refresh token, the user password need not be used again during the lifetime of the refresh token.

Users follow these steps to exchange a username and password:

  1. Use the Dremio /oauth/token REST API to exchange the username and password for a Dremio OAuth access token.
  2. Create a connection to Dremio using Arrow Flight SQL JDBC, Arrow Flight SQL ODBC, Legacy JDBC, or Dremio REST using the OAuth access token.
  3. Use the optional refresh token to create OAuth access tokens as they expire during the lifetime of the refresh token.

Personal Access Token

A Personal Access Token (PAT) is used in place of a user password. PATs provide a convenient way to create a client connection without exposing a user's password but can pose a security risk if not properly managed. PATs can be configured with long lifetimes, and lost or compromised tokens may allow access to sensitive data until the token expires. Before use, the administrator must activate PATs for the Dremio cluster.

To use a PAT, the user must follow these steps:

  1. Create a PAT in the Dremio Console. Users can create additional PATs using the Dremio Console or the Dremio PAT creation REST API.
  2. Use the PAT to connect with the Dremio Console, Arrow Flight SQL JDBC, Arrow Flight SQL ODBC, legacy JDBC, or Dremio REST.

PAT Exchange

Exchanging a PAT for an OAuth access token improves system security:

  • OAuth access tokens are typically much shorter-lived than PATs, reducing the window of vulnerability from a misplaced or stolen PAT.
  • Users must manually revoke compromised or suspected PATs, often leading to forgotten, unused tokens.

Users follow these steps to exchange a PAT:

  1. Create a PAT in the Dremio Console. Users can create additional PATs using the Dremio Console or the Dremio PAT creation REST API.
  2. Use the Dremio /oauth/token REST API to exchange the PAT for an OAuth access token.
  3. Create a connection to Dremio using Arrow Flight SQL JDBC, Arrow Flight SQL ODBC, Legacy JDBC, or Dremio REST and the OAuth access token.

External JWT

Client apps can request OAuth 2 JSON Web Tokens (JWT) from external token providers, allowing users to authenticate through custom or third-party applications without exposing their credentials to the client application.

After obtaining an external JWT, the client app can create connections to Dremio using the legacy JDBC driver. However, Dremio recommends external JWT token exchange since Dremio OAuth access tokens are smaller and verification is faster. When using an external JWT, the client application must follow these steps:

To use an external JWT, the administrator must configure Dremio to use the Enterprise OIDC provider as an external token provider.

After configuration, a client application performs the following steps:

  1. A user authenticates with the external token provider and the client receives a JWT.
  2. Create a connection to Dremio using the Legacy JDBC and the external JWT.

External JWT Exchange

Exchanging the external JWT for an OAuth access token enables additional connection choices after authenticating with the external token provider. A client application performs the following steps:

  1. A user authenticates with the external token provider and the client receives a JWT.
  2. Use the Dremio /oauth/token REST API to exchange the JWT for an OAuth access token.
  3. Create a connection to Dremio using Arrow Flight SQL JDBC, Arrow Flight SQL ODBC, Legacy JDBC, or Dremio REST and the OAuth access token.

Dremio Authentication Token

Dremio authentication tokens are generated from your Dremio username and password. This authentication method uses the prior generation /apiv2/login endpoint, now internal and subject to change without notice. See Dremio Authentication Tokens for additional information.