Uploaded image for project: 'EXASOL Roadmap'
  1. EXASOL Roadmap
  2. EXASOL-2965

OpenID Connect: allow to enforce validation of access token issuer/audience


    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Fix Version/s: Exasol 7.1.2
    • Component/s: None
    • Labels:



      OpenID Connect allows Exasol to rely on federated authentication. Exasol OpenID Connect support enables Exasol to delegate authentication to an OpenID Connect authorization server, which issues OpenID Connect access token and refresh token to users. Users may connect to Exasol using one of those tokens to prove their identity. These tokens contain information about the issuer and audience of the token. OpenID Connect authorization servers can be configured to interact with multiple OpenID Connect clients/applications at the same time. In order to ensure that tokens are only used within their intended scope and purpose, OpenID Connect resource servers such as Exasol should be configured to inspect issuer and audience when verifying tokens. Doing so ensures that tokens issued for other use cases than connecting to Exasol are properly rejected.

      Issuer and audience information can be obtained from the OpenID provider's web interface similarly to the other OpenID Connect related database parameter values.


      Exasol 7.1.2 introduces a new database parameter -oidcProviderAUD which will configure Exasol to only accept OpenID Connect access token for authentication which encodes the provided parameter value in the audience field.

      Exasol customers are advised to configure -oidcProviderISS and -oidcProviderAUD database parameters if the employed OpenID Connect authorization server – and its dedicated JSON Web Key Set (JWKS) and JWKS endpoint URL (JKU) – is serving other OpenID Connect or OAuth 2.0 applications with different issuer or audience that are not permitted to authenticate with Exasol on behalf of the user.


      Command line parameter Description
      -oidcProviderISS OpenID Access Token Issuer to be verified (optional, recommended)
      -oidcProviderAUD OpenID Access Token Audience to be verified (optional, recommended)




            • Assignee:
              CaptainEXA Captain EXASOL
              CaptainEXA Captain EXASOL
            • Votes:
              0 Vote for this issue
              0 Start watching this issue


              • Created: