Authentication

Dremio supports multiple authentication methods for different connection types and user scenarios.

| Use Case | Connection Type | Recommended Method |
| --- | --- | --- |
| Interactive web access | Dremio console | Single Sign-On or Username/Password |
| SQL clients | JDBC/ODBC clients | Personal Access Tokens (PAT) or Username/Password |
| Development & testing | Client applications, REST API | Personal Access Tokens (PAT) |
| Production scripts & automation | Client applications, REST API | OAuth access tokens via PAT Exchange |
| Custom apps with existing IdP | Client applications, REST API | OAuth access tokens via External JWT Exchange |

Username/Password

Username and password authentication allows users to sign in directly to Dremio using their email address and a password managed within Dremio. This method is suitable for users who don't have access to an enterprise identity provider or need standalone accounts. Users can reset their passwords through the Dremio console or via email reset links.

Single Sign-On

Users authenticate through configured identity providers using OIDC protocols. Dremio supports all OIDC-compliant enterprise identity providers, such as Microsoft Entra ID and Okta, as well as social identity providers like Google and GitHub. Users experience automatic login if already signed in to their identity provider.

Personal Access Tokens (PAT)

Personal access tokens are long-lived authentication credentials that allow programmatic access to Dremio without using passwords. PATs function like API keys and can be used in scripts, applications, and automated processes to authenticate requests.

Token lifespan: PATs can be configured with custom expiration periods up to 180 days or set to never expire. You control the lifespan when creating the token.

Security considerations:

  • PATs can have lifespans up to 180 days, making them convenient but potentially risky if compromised.
  • Store PATs securely using environment variables or secret management systems.
  • Never include PATs in code repositories or logs.
  • Regularly rotate PATs and revoke unused tokens.
  • Consider using PAT Exchange for enhanced security in production environments.

Users can create and manage PATs through their Account Settings in the Dremio console.

OAuth Access Tokens

OAuth access tokens are short-lived credentials obtained by exchanging other authentication methods (such as PATs or external JWTs). These tokens provide several security advantages:

  • Limited lifespan: Tokens expire after 1 hour, reducing risk if compromised.
  • Reduced credential exposure: Your primary credentials (PAT or password) are only used to obtain the token.
  • Standardized format: Compatible with OAuth 2.0 standards and tooling.
  • Automatic refresh: Can be programmatically renewed without re-entering credentials.

Token lifespan: OAuth access tokens expire after 1 hour. Applications should implement refresh logic to obtain new tokens before expiration. When a token expires, API requests will return an authentication error, requiring your application to exchange credentials again for a new token.

OAuth access tokens are the recommended authentication method for production applications accessing Dremio's REST API and client drivers. You can obtain OAuth access tokens through PAT Exchange or External JWT Exchange.

PAT Exchange

Converting PATs to short-lived OAuth access tokens improves security by reducing exposure windows for compromised tokens. This is the recommended method for obtaining OAuth access tokens for REST API access.

The process:

  1. Create a PAT in your Dremio account settings.
  2. Exchange the PAT for an OAuth access token via the /oauth/token REST API.
  3. Use the OAuth access token for all subsequent API requests.
  4. Refresh the token before it expires (within 1 hour).
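
The four steps above as a client-side token cache; this is an added example, not Dremio's own code. The HTTP call to /oauth/token is injected as a hypothetical `exchange` callable because the request body is not given on this page; the `DREMIO_PAT` variable name, the 5-minute refresh margin, the standard OAuth response fields `access_token` and `expires_in`, and HTTP 401 as the authentication error are assumptions.

```python
import os
import time

REFRESH_MARGIN_S = 300   # assumption: renew 5 minutes before expiry
DEFAULT_TTL_S = 3600     # the page states tokens expire after 1 hour


class DremioTokenCache:
    """Caches the short-lived OAuth token and re-exchanges the PAT before expiry."""

    def __init__(self, exchange, pat_env="DREMIO_PAT", clock=time.monotonic):
        self._exchange = exchange    # hypothetical callable: PAT -> token response dict
        self._pat_env = pat_env      # the PAT is read from the environment, never from code
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def token(self):
        """Return a valid access token, exchanging the PAT if needed."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_S:
            pat = os.environ.get(self._pat_env)
            if not pat:
                raise RuntimeError(f"{self._pat_env} is not set")  # name only, no secret
            resp = self._exchange(pat)
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp.get("expires_in", DEFAULT_TTL_S))
        return self._token

    def invalidate(self):
        """Drop the cached token so the next call exchanges again."""
        self._token = None

    def __repr__(self):
        # Keep the token out of logs and tracebacks.
        return f"<DremioTokenCache cached={self._token is not None}>"


def call_with_token(cache, send):
    """Run send(token) -> (status, body); on 401 re-exchange once and retry."""
    status, body = send(cache.token())
    if status == 401:  # assumption: an expired token surfaces as HTTP 401
        cache.invalidate()
        status, body = send(cache.token())
    return status, body
```

Only the short-lived token is handed to `send`, so the PAT never reaches request code or its logs.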

External JWT Exchange

Applications can exchange JSON Web Tokens (JWTs) from external token providers for Dremio OAuth access tokens, enabling authentication without exposing user credentials. This method is useful for custom applications that need to authenticate users through their existing identity provider (such as Microsoft Entra ID or Okta) and then access Dremio on their behalf.

The process:

  1. User authenticates with the external identity provider.
  2. Application receives a JWT from the identity provider.
  3. Application exchanges the JWT for a Dremio OAuth access token via the /oauth/token REST API.
  4. Application uses the Dremio OAuth access token to make authenticated requests.
  5. Application refreshes the token before it expires.

This approach allows applications to maintain a seamless authentication experience while securing access to Dremio resources.