Integrating your application or tool with OAuth using a trusted token issuer
You can add functionality to client tools you create to connect to Redshift by means of the Amazon IAM Identity Center connection. If you already configured Redshift integration to Amazon IAM Identity Center, use the properties detailed in this section to set up a connection.
Authentication plugin for connecting to Redshift using Amazon IAM Identity Center
You can use Amazon IAM Identity Center to connect to Amazon Redshift using the following driver plugins:
- BrowserIdcAuthPlugin – This plugin facilitates seamless single-sign-on integration with Amazon IAM Identity Center. It creates a browser window for users to sign in with the user credentials defined in their corporate identity providers.
- IdpTokenAuthPlugin – This plugin should be used by applications that want to manage the authentication flow on their own, instead of letting the Amazon Redshift driver open a browser window for Amazon IAM Identity Center authentication. It accepts an Amazon IAM Identity Center vended access token or an OpenID Connect (OIDC) JSON web token (JWT) from any web identity provider that’s connected with Amazon IAM Identity Center, such as Okta, PingOne, and Microsoft Entra ID (Azure AD). The client application is responsible for generating this required access token/JWT.
Authenticating with BrowserIdcAuthPlugin
Use the following plugin names to connect using BrowserIdcAuthPlugin, depending on your Amazon Redshift driver.
Driver | Connection option key | Value | Notes |
---|---|---|---|
JDBC | | com.amazon.redshift.plugin.BrowserIdcAuthPlugin | You must enter the fully-qualified class name of the plugin when you connect. |
ODBC | | BrowserIdcAuthPlugin | |
Python | | BrowserIdcAuthPlugin | There is no |
The BrowserIdcAuthPlugin plugin has the following additional connection options:
Option name | Required? | Description | Example |
---|---|---|---|
idc_region | Required | The Amazon Web Services Region where the Amazon IAM Identity Center instance is located. | us-east-1 |
issuer_url | Required | The Amazon IAM Identity Center server's instance endpoint. You can find this value using the Amazon IAM Identity Center console. | https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc |
listen_port | Optional | The port that the Amazon Redshift driver uses to receive the | 7890 |
idc_client_display_name | Optional | The name that the Amazon IAM Identity Center client uses for the application in the Amazon IAM Identity Center's single sign-on consent popup. | Amazon Redshift driver |
idp_response_timeout | Optional | The amount of time, in seconds, that the Redshift driver waits for the auth flow to complete. | 60 |
You must enter these values in the connection properties of the tool you create and connect with. For more information, see the connection options documentation for each respective driver.
Authenticating with IdpTokenAuthPlugin
Use the following plugin names to connect using IdpTokenAuthPlugin, depending on your Amazon Redshift driver.
Driver | Connection option key | Value | Notes |
---|---|---|---|
JDBC | | com.amazon.redshift.plugin.IdpTokenAuthPlugin | You must enter the fully-qualified class name of the plugin when you connect. |
ODBC | | IdpTokenAuthPlugin | |
Python | | IdpTokenAuthPlugin | There is no |
The IdpTokenAuthPlugin plugin has the following additional connection options:
Option name | Required? | Description |
---|---|---|
token | Required | An Amazon IAM Identity Center vended access token or an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web identity provider that's connected with Amazon IAM Identity Center. Your application must generate this token by authenticating your application user with Amazon IAM Identity Center or an identity provider connected with Amazon IAM Identity Center. |
token_type | Required | The type of token used for |
You must enter these values in the connection properties of the tool you create and connect with. For more information, see the connection options documentation for each respective driver.
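A pre-flight check an application could run before handing its token to IdpTokenAuthPlugin, as an added example that is not AWS's or the driver's code: it validates the `token` / `token_type` pair and refuses JWTs that are malformed, unsigned, expired, or from an unexpected issuer. The function names, `expected_issuer`, `min_ttl`, and the `token_type` values `ACCESS_TOKEN` and `EXT_JWT` (known from the driver documentation, not shown on this page) are assumptions.

```python
import base64
import json
import time

# token_type values the Redshift drivers define for IdpTokenAuthPlugin
# (assumption: taken from the driver documentation, not listed on this page).
TOKEN_TYPES = ("ACCESS_TOKEN", "EXT_JWT")


def _segment(b64url):
    """Decode one base64url JWT segment into a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("JWT segment is not a JSON object")
    return obj


def idp_token_options(token, token_type, expected_issuer=None, now=None, min_ttl=30):
    """Return the IdpTokenAuthPlugin options, or raise ValueError.

    Client-side sanity check only: the JWT signature is NOT verified here.
    """
    if token_type not in TOKEN_TYPES:
        raise ValueError("unknown token_type")
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")
    if token_type == "EXT_JWT":
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("EXT_JWT token is not a three-part compact JWT")
        try:
            header, claims = _segment(parts[0]), _segment(parts[1])
        except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
            raise ValueError("malformed JWT segment") from exc
        if str(header.get("alg", "none")).lower() == "none":
            raise ValueError("unsigned JWT (alg=none) refused")
        exp = claims.get("exp")
        now = time.time() if now is None else now
        if not isinstance(exp, (int, float)) or exp - now < min_ttl:
            raise ValueError("JWT is expired or expires too soon")
        if expected_issuer and claims.get("iss") != expected_issuer:
            raise ValueError("JWT issuer is not the expected identity provider")
    return {"token": token, "token_type": token_type}


def redact(options):
    """Copy of the options that is safe to log: the token itself is dropped."""
    return {**options, "token": "<redacted:%d chars>" % len(options["token"])}
```

The returned dictionary holds only the two plugin options from the table above; log `redact(options)` rather than the options themselves.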