Integrating your application or tool with OAuth using a trusted token issuer - Amazon Redshift

Integrating your application or tool with OAuth using a trusted token issuer

You can add functionality to client tools you create to connect to Redshift by means of the Amazon IAM Identity Center connection. If you already configured Redshift integration to Amazon IAM Identity Center, use the properties detailed in this section to set up a connection.

Authentication plugin for connecting to Redshift using Amazon IAM Identity Center

You can use Amazon IAM Identity Center to connect to Amazon Redshift using the following driver plugins:

  • BrowserIdcAuthPlugin – This plugin facilitates seamless single-sign-on integration with Amazon IAM Identity Center. It creates a browser window for users to sign in with the user credentials defined in their corporate identity providers.

  • IdpTokenAuthPlugin – Use this plugin in applications that manage the authentication flow themselves instead of letting the Amazon Redshift driver open a browser window for Amazon IAM Identity Center authentication. It accepts an access token vended by Amazon IAM Identity Center or an OpenID Connect (OIDC) JSON Web Token (JWT) from any web identity provider that is connected with Amazon IAM Identity Center, such as Okta, PingOne, or Microsoft Entra ID (Azure AD). The client application is responsible for obtaining this access token or JWT.

Authenticating with BrowserIdcAuthPlugin

Use the following plugin names to connect using BrowserIdcAuthPlugin, depending on your Amazon Redshift driver.

Driver | Connection option key | Value | Notes
------ | --------------------- | ----- | -----
JDBC | plugin_name | com.amazon.redshift.plugin.BrowserIdcAuthPlugin | You must enter the fully-qualified class name of the plugin when you connect.
ODBC | plugin_name | BrowserIdcAuthPlugin | 
Python | credentials_provider | BrowserIdcAuthPlugin | There is no plugin_name option available for the Python driver. Instead, use credentials_provider.

The BrowserIdcAuthPlugin plugin has the following additional connection options:

Option name | Required? | Description | Example
----------- | --------- | ----------- | -------
idc_region | Required | The Amazon Web Services Region where the Amazon IAM Identity Center instance is located. | us-east-1
issuer_url | Required | The Amazon IAM Identity Center server's instance endpoint. You can find this value using the Amazon IAM Identity Center console. | https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc
listen_port | Optional | The port that the Amazon Redshift driver uses to receive the auth_code response from Amazon IAM Identity Center through the browser redirect. | 7890
idc_client_display_name | Optional | The name that the Amazon IAM Identity Center client uses for the application in the Amazon IAM Identity Center's single sign-on consent popup. | Amazon Redshift driver
idp_response_timeout | Optional | The amount of time, in seconds, that the Redshift driver waits for the auth flow to complete. | 60

You must enter these values in the connection properties of the tool you create and connect with. For more information, see the connection options documentation for each respective driver:

Authenticating with IdpTokenAuthPlugin

Use the following plugin names to connect using IdpTokenAuthPlugin, depending on your Amazon Redshift driver.

Driver | Connection option key | Value | Notes
------ | --------------------- | ----- | -----
JDBC | plugin_name | com.amazon.redshift.plugin.IdpTokenAuthPlugin | You must enter the fully-qualified class name of the plugin when you connect.
ODBC | plugin_name | IdpTokenAuthPlugin | 
Python | credentials_provider | IdpTokenAuthPlugin | There is no plugin_name option available for the Python driver. Instead, use credentials_provider.

The IdpTokenAuthPlugin plugin has the following additional connection options:

Option name | Required? | Description
----------- | --------- | -----------
token | Required | An Amazon IAM Identity Center vended access token or an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web identity provider that's connected with Amazon IAM Identity Center. Your application must generate this token by authenticating your application user with Amazon IAM Identity Center or an identity provider connected with Amazon IAM Identity Center.
token_type | Required | The type of token used for IdpTokenAuthPlugin. Possible values: ACCESS_TOKEN – enter this if you use an Amazon IAM Identity Center provided access token; EXT_JWT – enter this if you use an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web-based identity provider that's connected with Amazon IAM Identity Center.

You must enter these values in the connection properties of the tool you create and connect with. For more information, see the connection options documentation for each respective driver:
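As an added example (not code from the Amazon Redshift documentation or from the driver), the following Python helper assembles the connection options from the tables above for either plugin and applies the checks a client application should make before calling the driver: token_type limited to the two documented values, issuer_url required to be https, and an EXT_JWT refused client-side when its exp claim has already passed (the payload is decoded without signature verification; verifying the token remains the job of Identity Center and Redshift). It assumes the option names are accepted as keyword arguments by redshift_connector.connect, as the Python driver's credentials_provider key suggests; the host, database and demo token values are constructed placeholders.

```python
import base64
import json
import time
from typing import Any, Dict, Optional

VALID_TOKEN_TYPES = {"ACCESS_TOKEN", "EXT_JWT"}

def jwt_exp_claim(token: str) -> Optional[int]:
    """'exp' claim of a compact JWT, or None. Only base64url-decodes the payload;
    it does NOT verify the signature (Identity Center and Redshift do that). It is
    a pre-flight check so an already-expired JWT is never handed to the driver."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("exp")

def idp_token_kwargs(host: str, database: str, token: str, token_type: str,
                     now: Optional[float] = None) -> Dict[str, Any]:
    """Connection options for IdpTokenAuthPlugin (token + token_type)."""
    if token_type not in VALID_TOKEN_TYPES:
        raise ValueError(f"token_type must be one of {sorted(VALID_TOKEN_TYPES)}")
    if token_type == "EXT_JWT":
        exp = jwt_exp_claim(token)
        if exp is not None and exp <= (time.time() if now is None else now):
            raise ValueError("JWT already expired; obtain a fresh one before connecting")
    return {"host": host, "database": database, "credentials_provider": "IdpTokenAuthPlugin",
            "token": token, "token_type": token_type}

def browser_idc_kwargs(host: str, database: str, idc_region: str, issuer_url: str,
                       **optional: Any) -> Dict[str, Any]:
    """Connection options for BrowserIdcAuthPlugin; optional keys are listen_port,
    idc_client_display_name and idp_response_timeout."""
    if not issuer_url.startswith("https://"):
        raise ValueError("issuer_url must be the https:// Identity Center instance endpoint")
    unknown = set(optional) - {"listen_port", "idc_client_display_name", "idp_response_timeout"}
    if unknown:
        raise ValueError(f"unsupported BrowserIdcAuthPlugin option(s): {sorted(unknown)}")
    return {"host": host, "database": database, "credentials_provider": "BrowserIdcAuthPlugin",
            "idc_region": idc_region, "issuer_url": issuer_url, **optional}

def demo_jwt(claims: Dict[str, Any]) -> str:
    """Constructed, unsigned demo token for local tests only (bogus signature)."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.bogus-signature"

if __name__ == "__main__":  # opening a session needs the driver: pip install redshift_connector
    import redshift_connector
    conn = redshift_connector.connect(**browser_idc_kwargs("cluster.example", "dev", "us-east-1",
        "https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc", idp_response_timeout=60))
```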